http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
Practical related-key/related-subkey attacks on AES with a 256-bit key with 9, 10 and 11 rounds. The official standard uses 14 rounds, so there is precious little safety margin - attacks always get better.

We use AES/256 (technically we use Rijndael with a 256-bit key and 256-bit block size mostly, which isn't strictly AES, although we use a 128-bit block size, which is, for store encryption).

Such attacks rely on related-key weaknesses in the protocol (as in WEP, where the IV was too small). In theory we shouldn't have any, although I am not entirely sure how to determine this. We shouldn't have known ciphertext, because we have an unforgeable authenticator on all packets, but I'm not sure exactly what the definition of a related-key weakness is.

Nonetheless, it would seem prudent to increase the number of rounds as Schneier outlines (28 rounds for a 256-bit key). We have the infrastructure to do this without too much trouble, with key subtypes and negotiation types. Moving to AES/128 would be considerably more work.
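The question the post raises, whether a protocol can ever present the cipher with two keys whose relation an outsider knows, can be made concrete. The script below is an added illustration and is not code from the post or from Freenet: it compares two hypothetical per-message key derivation schemes, one that XORs a public counter into the master key and one that runs the counter through HMAC-SHA256, and checks whether the XOR difference between two derived keys is something an attacker who sees only the counters could predict. The function names and both schemes are assumptions of the example.

```python
"""
What "related keys" means at the protocol level.

A related-key attack needs the attacker to know (or choose) a fixed
relation, typically an XOR difference, between two keys fed to the
cipher. Whether that can happen is a property of how the protocol
derives its keys, not of AES itself. Two hypothetical derivation
schemes are audited below.
"""
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit keys, matching the AES-256 discussion


def naive_derive(master: bytes, index: int) -> bytes:
    """Hypothetical weak scheme: per-message key = master XOR counter.

    The counter is public, so any two keys differ by a value the
    attacker can compute: k_i XOR k_j == pad(i) XOR pad(j).
    """
    pad = index.to_bytes(KEY_LEN, "big")
    return bytes(m ^ p for m, p in zip(master, pad))


def hmac_derive(master: bytes, index: int) -> bytes:
    """Hash-based scheme: per-message key = HMAC-SHA256(master, counter).

    Without the master, the attacker cannot relate k_i to k_j.
    """
    return hmac.new(master, index.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def attacker_predicted_difference(i: int, j: int) -> bytes:
    """Key difference an attacker who knows only the public counters would guess."""
    return xor_bytes(i.to_bytes(KEY_LEN, "big"), j.to_bytes(KEY_LEN, "big"))


def keys_are_related(derive, master: bytes, i: int, j: int) -> bool:
    """True if the real key difference equals the attacker's prediction."""
    actual = xor_bytes(derive(master, i), derive(master, j))
    return actual == attacker_predicted_difference(i, j)


def audit_scheme(derive, trials: int = 64) -> int:
    """Count consecutive (i, i+1) key pairs whose difference is predictable.

    A fresh random master key is drawn for each trial so the result does
    not hinge on one particular key value.
    """
    hits = 0
    for t in range(trials):
        master = os.urandom(KEY_LEN)  # constructed sample key
        if keys_are_related(derive, master, t, t + 1):
            hits += 1
    return hits


if __name__ == "__main__":
    print("XOR-with-counter scheme: predictable pairs =",
          audit_scheme(naive_derive), "of 64")
    print("HMAC-SHA256 derivation:  predictable pairs =",
          audit_scheme(hmac_derive), "of 64")
```

The audit is the check the post says it is unsure how to perform: for every pair of keys a protocol can hand to the cipher, ask whether their relation is computable from public data. A derivation that passes the master through a keyed hash (or any proper KDF) gives keys with no attacker-known relation, which is why related-key results against the block cipher alone do not translate into an attack on such a protocol.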