On Mon, 6 Nov 2006, Derek Atkins wrote:
> Quoting "Leichter, Jerry" <[EMAIL PROTECTED]>:
>> Just wondering about this little piece. How did we get to 256-bit
>> AES as a requirement? Just what threat out there justifies it?
>
> It's a management requirement. The manager sees "AES128" and "AES256"
> and thinks "256 must be better than 128" and therefore the edict comes
> down that AES256 must be used. It's not a technical decision. It's
> not a decision made by analyzing the threats. It's made purely
> by assertion, but it's a decision that can't easily be refuted.

Yep. When costs are equal (and in this case computing power is so cheap as to make that approximately true) any competent manager will always pick the method which is "superior" to the other in any way.

The facts are that with AES128 or AES256, the cipher itself will *NOT* be the weakest link in security, so the theoretical superiority of AES256 doesn't matter much. Anybody who is making a serious attack will have to do pretty much exactly the same thing -- social engineering, rubberhose attack, subpoena, password guess, protocol flaw exploit, Van Eck monitor exploit, keyboard monitor, software backdoor exploit, DLL substitution attack, mem device exploit by a trojan running at the same time as the encryption software, audio interferometry to determine keystroke sequences, audio-frequency carrier wave interference from some metal thing in the same office as the transmitter vibrating to the voice that's being encrypted, etc... There's a million different links all weaker than the cipher itself.

Conversely, it harms nothing to have them pick the stronger cipher, given that both ciphers are sufficiently strong that their strength has nothing to do with the minimum effort required to attack their application.

Bear