> And now consider the 10**50 messages djb assumes.
Time for me to put out a big "I screwed up" message. I screwed up: my
math is, in fact, wrong. I was in a boring meeting today and was
mentally reviewing my math and realized, "wait, there's no way a 2**-78
chance of picking a weak key by accid
On Wed, 3 Jun 2015 14:58, r...@sixdemonbag.org said:
> No, I'm not kidding. Do the math yourself.
Right. I'd also suggest that everyone doing this math should also look
up examples of large numbers. Applied Cryptography prints a list right
after the introduction (page 18 in my edition) for a
On Tue 2015-06-02 18:15:21 -0400, NdK wrote:
> IIRC, I read (some years ago...) that AES-256 could be *weaker* than
> AES-128 because some mathematical structures express some properties
> only with the longer keys. I don't have the paper handy ATM, but I
> vaguely remember that shocking conclusio
>> 1. A very large number of intercepted OpenPGP messages We don't
>> have #1
>
> We're Post-Snowden, right?
Not 10**50 messages worth, we're not.
> "Show me all PGP usage in Iran"
Maybe 10**9. *Maybe*. Multiply that by a factor of
100,000,000,000,000,000,000,000,000,000,000,000,000,000 and
I agree with dkg.
> Robert J. Hansen:
>> I think this is a pretty unrealistic thought experiment. It requires
>> two conditions to be met:
>> 1. A very large number of intercepted OpenPGP messages
>> We don't have #1
> We're Post-Snowden, right?
> "Show me all PGP usage in Iran"
> "Can perform this ki
On 02/06/2015 20:37, Daniel Kahn Gillmor wrote:
> But if we move to AES-256, we remove this attack, which means
> that none of our users get thrown under this particular bus.
What if by changing to AES-256 you end up saving one from the bus by
throwing all users under the train?
IIRC, I read
On Tue 2015-06-02 17:51:50 -0400, ved...@nym.hush.com wrote:
> The s2k default is also the default for symmetrically encrypted messages
> (which is fine, as long as people know about it).
I mentioned the possible interoperability concern in my first post on
this thread.
> If a person wants to sym
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Tuesday 2 June 2015 at 8:46:18 PM, Robert J. Hansen wrote:
> [Note for UK/European readers: 'million' here denotes
> an American million: 1,000,000.]
10^6 is a million both sides of the pond, n'est-ce pas? The long and
short scales o
On 6/2/2015 at 3:49 PM, "Robert J. Hansen" wrote:
>Given this, I would feel much better if Werner were to spend his
>time reviewing the code for exploitable bugs than spending even five
>minutes changing the s2k default from AES-128 to AES-256.
Agreed,
but here's a consequence you might
> To be clear, it's not "one of my keys" in the asymmetric key sense,
> where you, rjh, have only a handful over your lifetime. Every time
> you send an encrypted message, GnuPG generates a new AES key to
> encrypt that message with. So "one of my messages' keys" is more
> accurate.
Yes, I u
On Tue 2015-06-02 14:26:39 -0400, Robert J. Hansen wrote:
>> Even worse, there are standard attacks that find _at least one_ of
>> the keys using just 2^78 easy computations, a feasible computation
>> today.
>
> So there's a 10**-88 chance that one of my keys can be broken in 10**53
> computation
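The arithmetic behind the 2^78 figure, as an added worked derivation that is not part of the thread: it assumes the standard multi-target brute-force attack against a k-bit block cipher with N independent targets, here N distinct per-message session keys for each of which the attacker holds one known plaintext/ciphertext block (an assumption about the attack djb refers to, not something the excerpts state).

The attacker stores the N target ciphertext blocks in a table and, for each candidate key K, encrypts the known plaintext once and looks the result up. Each trial succeeds with probability N/2^k, so the expected number of trials until the first session key falls is

$$ W = \frac{2^{k}}{N}. $$

With k = 128 and W = 2^{78} this requires

$$ N = \frac{2^{128}}{2^{78}} = 2^{50} \approx 1.1 \times 10^{15} $$

targets, not 10^{50}: the latter is about 2^{166}, larger than the entire 128-bit keyspace, so it cannot be the message count behind the 2^78 figure. The first key recovered is uniformly one of the N targets, so the chance that any particular message is the one broken by that 2^78 effort is 1/N = 2^{-50}, roughly 10^{-15}. Doubling the key size, as the thread proposes, moves the same attack to

$$ W = \frac{2^{256}}{2^{50}} = 2^{206}, $$

which is why a 256-bit key takes this attack off the table rather than merely making it somewhat harder.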
> Let's consider an adversary that can store as many OpenPGP-encrypted
> messages as it has access to. Maybe it sniffs SMTP traffic as well?
> If the attacker is interested in breaking the crypto of any *one* of
> these messages, it can reduce the amount of work it has to do
> significantly.
I t
On Tue 2015-06-02 12:41:40 -0400, Robert J. Hansen wrote:
> Right now pretty much everyone is content with RSA-3072, which has an
> estimated work factor comparable to AES-128. So if 128-bit crypto is
> enough, I don't understand the motivation behind jumping to AES-256.
> There needs to be someth
> Peers that do not support AES256 are either extremely rare or
> hopelessly out of date. Reducing the strength of the ciphers in use
> for the sake of preserving interop with these peers seems like a bad
> tradeoff.
>
> What do folks think about making this change to the defaults?
At present I'