On Fri, Jul 31, 2009 at 2:07 PM, Matthew Toseland <[email protected]> wrote:
> http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
>
> Practical related-key/related-subkey attacks on AES with a 256-bit key with
> 9, 10 and 11 rounds. The official standard uses 14 rounds, so there is
> precious little safety margin - attacks always get better.
>
> We use AES/256 (technically we use Rijndael with 256 bit key and 256 bit
> block size mostly, which isn't strictly AES, although we use 128 bit block
> size, which is, for store encryption).
>
> Such attacks rely on related-key weaknesses in the protocol (as in WEP, where
> the IV was too small). In theory we shouldn't have any, although I am not
> entirely sure how to determine this. We shouldn't have known ciphertext,
> because we have an unforgeable authenticator on all packets, but I'm not sure
> exactly what the definition of a related-key weakness is.
>
> Nonetheless, it would seem prudent to increase the number of rounds as
> Schneier outlines (28 rounds for a 256-bit key). We have the infrastructure
> to do this without too much trouble, with key subtypes and negotiation types.
> Moving to AES/128 would be considerably more work.
I think it would be worth trying to get someone who is a qualified cryptographer to look in detail at how Freenet uses cryptography. Freenet does a *lot* of crypto, mixed together in ways that aren't necessarily common. It's also a very interesting project from a cryptographic standpoint; it seems possible that someone could be talked into doing it on a volunteer basis. Even if it wasn't volunteer, it might be worth seeing how much a proper review would cost.

Cryptographic review seems appropriate for a program which relies so strongly on the strength of its cryptography.

Evan Daniel
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
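The quoted message asks how one would determine whether a protocol hands out related keys. The usual answer a reviewer looks for is that every key an endpoint uses is pushed through a PRF-based KDF with a distinct label, so that no two keys differ by a value an observer can write down (the WEP construction, where the per-packet key is the public IV prepended to a fixed base key, is the counterexample). The following is an added illustration of that check, not Freenet code and not from the thread: it implements HKDF (RFC 5869) over SHA-256 from the Python standard library, derives per-direction keys from a constructed master secret under hypothetical labels, and contrasts them with the IV-prefix construction. The labels, the master secret and the salt are made up for the example.

```python
"""Check that a protocol's keys are not related by a public value.

Added example for the thread above; it is not Freenet code. It assumes a
master secret from some key agreement (constructed below) and hypothetical
labels for the derived keys. HKDF is the RFC 5869 construction over SHA-256,
built here from the standard library so the block runs offline.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HASH_LEN zero bytes (RFC 5869 2.2)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ..., T(i) = HMAC-Hash(PRK, T(i-1) || info || i) (RFC 5869 2.3)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length too large")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Hypothetical labels: one key per direction and purpose, never shared.
KEY_LABELS = (
    b"example-protocol v1 encrypt client->server",
    b"example-protocol v1 encrypt server->client",
    b"example-protocol v1 mac client->server",
    b"example-protocol v1 mac server->client",
)


def derive_session_keys(master_secret: bytes, salt: bytes) -> dict:
    """Derive 256-bit keys; each label goes through the PRF, so no two keys
    differ by a value an observer could predict."""
    return {label.decode(): hkdf(master_secret, salt, label, 32) for label in KEY_LABELS}


def wep_style_keys(base_key: bytes, iv_a: bytes, iv_b: bytes) -> tuple:
    """The construction the thread points at: per-packet key = IV || base_key.
    The two keys then differ only in the public IV bytes."""
    return iv_a + base_key, iv_b + base_key


def differing_bytes(k1: bytes, k2: bytes) -> int:
    """How many byte positions differ between two equal-length keys."""
    return sum(a != b for a, b in zip(k1, k2))


def related_by_public_prefix(k1: bytes, k2: bytes, iv_len: int) -> bool:
    """True when everything past the IV prefix is identical: the relation
    between the keys is exactly the (public) IV difference."""
    return k1[iv_len:] == k2[iv_len:]


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    master = bytes(range(32))
    salt = b"constructed-handshake-nonce"
    keys = derive_session_keys(master, salt)
    for label, k in keys.items():
        print(f"{label}: {k.hex()}")
    wk1, wk2 = wep_style_keys(b"\x11" * 13, b"\x00\x00\x01", b"\x00\x00\x02")
    print("WEP-style keys related by public IV:", related_by_public_prefix(wk1, wk2, 3))
    ks = list(keys.values())
    print("bytes differing between two HKDF keys:", differing_bytes(ks[0], ks[1]))
```

The HKDF functions reproduce the RFC 5869 test vectors, so the block can double as a self-check of a hand-rolled KDF during a review; the point of the comparison functions is that for the IV-prefix construction `related_by_public_prefix` is true and only the IV bytes differ, while the HKDF-derived keys differ in almost every byte and share no structure an observer could exploit.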
