[OTR-dev] AES Key and DH group sizes
Ian Goldberg
ian at cypherpunks.ca
Tue Aug 18 11:00:23 EDT 2009
On Tue, Aug 18, 2009 at 02:10:25AM -0700, chris-tuchs at hushmail.com wrote:
> On Mon, 17 Aug 2009 07:58:58 -0700 Ian Goldberg
> <ian at cypherpunks.ca> wrote:
> >I know of no reason to believe that either AES-128 or DH group
> >5 should be deprecated at this time. Do you have a pointer to
> >the recommendations you've been seeing?
> >
> > - Ian
>
> I repeat my claim: I am no cryptographer. This is the post
> that prompted me to ask the question. Seems like a
> semi-credible source to me.
>
> http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
He's being way more conservative than needed, and it comes at a
nontrivial cost: the DH that's performed approx. every message in OTR
would be ~2x as expensive in group 14.

It also turns out (recent result, linked to upthread) that AES-256 has a
flaw which makes it weaker than AES-128 in certain circumstances. So
I'll be staying away from AES-256 for now, thankyouverymuch. ;-)

But in any event, there's no reason to use AES-256. (Pretty much(*)) ever.

(*) Mumble quantum mumble, but then you can't use DH to generate the key
in the first place.

I'm perfectly comfortable with a 128-bit security level for the
foreseeable future.

- Ian