On Friday 31 July 2009 21:05:04 Matthew Toseland wrote: > On Friday 31 July 2009 20:38:24 Evan Daniel wrote: > > On Fri, Jul 31, 2009 at 2:07 PM, Matthew > > Toseland<[email protected]> wrote: > > > http://www.schneier.com/blog/archives/2009/07/another_new_aes.html > > > > > > Practical related-key/related-subkey attacks on AES with a 256-bit key > > > with 9, 10 and 11 rounds. The official standard uses 14 rounds, so there > > > is precious little safety margin - attacks always get better. > > > > > > We use AES/256 (technically we use Rijndael with 256 bit key and 256 bit > > > block size mostly, which isn't strictly AES, although we use 128 bit > > > block size, which is, for store encryption). > > > > > > Such attacks rely on related-key weaknesses in the protocol (as in WEP, > > > where the IV was too small). In theory we shouldn't have any, although I > > > am not entirely sure how to determine this. We shouldn't have known > > > ciphertext, because we have an unforgeable authenticator on all packets, > > > but I'm not sure exactly what the definition of a related-key weakness is. > > > > > > Nonetheless, it would seem prudent to increase the number of rounds as > > > Schneier outlines (28 rounds for a 256-bit key). We have the > > > infrastructure to do this without too much trouble, with key subtypes and > > > negotiation types. Moving to AES/128 would be considerably more work. > > > > I think it would be worth trying to get someone who is a qualified > > cryptographer to look in detail at how Freenet uses cryptography. > > Freenet does a *lot* of crypto, mixed together in ways that aren't > > necessarily common. It's also a very interesting project from a > > cryptographic standpoint; it seems possible that someone could be > > talked into doing it on a volunteer basis. Even if it wasn't > > volunteer, it might be worth seeing how much a proper review would > > cost. Cryptographic review seems appropriate for a program which > > relies so strongly on the strength of its cryptography. > > We used to have Scott, but his email address doesn't work... Maybe I should > ask Ian to locate him? > The link layer crypto was designed in collaboration with him... we should document our usage of crypto, at least.
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Devl mailing list [email protected] http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
