On 19/03/12 12:31 PM, ianG wrote:
... So after a lot of colour, it is not clear if they can break AES.
Yet. OK. But that is their plan. And they think they can do it, within
their foreseeable future.
So, step into NSA's shoes. If there is a timeline here we (NSA) worked
out we can break AES "soon" ... what would we do?
Would we impress everyone in the world as to how strong it was and push
NIST to standardise it as much as possible? Plausible given that
everyone follows NIST's lead without question. The Suite B sweetener is
aptly named, nobody seems to have missed the sour taste of Suite A ;-)
Would we propose or advance some modes or protocols above others?
What I'm getting at here is things like CTR mode. It seems that this
mode reduces the obfuscations of CBC to make AES the sole and only
fulcrum of strength. Nice, clear and simple. But, assuming a
predictable counter, we have lots of ciphertext with a clear
relationship. So CTR is easier to crack assuming a big machine that
makes the local county brown-out every time someone wants to read a
conversation.
Or, is the advantage that CBC and other modes have - obfuscation of the
ciphertext with variation stolen from the plaintext - of such low value
in the scheme of things that these things make no difference? Is the
choice of mode irrelevant if AES has a weakness?
iang
(context here is that I am examining an older protocol of mine with
thought of replacing it, and wonder which mode to prefer...)
(thinking about it more, my normal rule of "ignore the NSA always"
should answer this :) )
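As an added illustration (not part of iang's post), the following shows what a known plaintext hands an observer in each mode: in CTR, C_i XOR P_i is exactly AES_k(counter_i) with the counter block known in advance; in CBC the observer still gets a full AES input/output pair per block, (P_i XOR C_{i-1}, C_i), so the "obfuscation" changes which inputs are seen, not whether they are known. The key, IV and plaintext are constructed demo values; the code uses Go's standard library only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func xor(a, b []byte) (o []byte) {
	for i := range a {
		o = append(o, a[i]^b[i])
	}
	return
}

// pairs encrypts pt (whole blocks) with AES in mode "CTR" or "CBC" and returns the
// block-cipher input/output pairs an observer who knows pt can write down with no
// cryptanalysis: CTR gives (counter_i, C_i XOR P_i), CBC gives (P_i XOR C_{i-1}, C_i).
// ok reports whether every recovered pair really satisfies AES_k(in) == out.
func pairs(mode string, key, iv, pt []byte) (ins, outs [][]byte, ok bool) {
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	if mode == "CTR" {
		cipher.NewCTR(blk, iv).XORKeyStream(ct, pt)
	} else {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	}
	ctr, prev, chk := append([]byte(nil), iv...), iv, make([]byte, aes.BlockSize)
	ok = true
	for i := 0; i < len(pt); i += aes.BlockSize {
		p, c := pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize]
		if mode == "CTR" {
			ins, outs = append(ins, append([]byte(nil), ctr...)), append(outs, xor(c, p))
			binary.BigEndian.PutUint64(ctr[8:], binary.BigEndian.Uint64(ctr[8:])+1) // Go's CTR counts big-endian
		} else {
			ins, outs, prev = append(ins, xor(p, prev)), append(outs, c), c
		}
		blk.Encrypt(chk, ins[len(ins)-1]) // independent recomputation of AES_k(in)
		ok = ok && string(chk) == string(outs[len(outs)-1])
	}
	return
}

func main() {
	key, iv := []byte("constructed-key!"), []byte("constructed-iv!!") // constructed demo values
	for _, m := range []string{"CTR", "CBC"} {
		ins, _, ok := pairs(m, key, iv, []byte("known plaintext, 32 bytes long!!"))
		fmt.Printf("%s: %d pairs, all satisfy AES_k(in) == out: %v; first input %x\n", m, len(ins), ok, ins[0])
	}
}
```

Either way the block cipher is the only thing standing between the observer and the key; what differs is that CTR's inputs are predictable while CBC's depend on the data.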
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography