[Cryptography] Dumb question -> 3AES?

Benjamin Kreuter brk7bx at virginia.edu
Tue Aug 12 13:46:03 EDT 2014


On Tue, 2014-08-12 at 09:50 -0700, John Gilmore wrote:
> > Given that the leading software break is still due to buffer overflows,
> > and nobody's ever cracked a big-name crypto algorithm in living memory ...
> 
> Are you losing your memory?  Enigma?  Purple?  DES?  MD4?  MD5?

If you are going to say that DES was cracked, as opposed to having too
short of a key length, then you should also be saying that AES was
cracked.  In both cases there are attacks that are theoretically faster
than brute force but which are basically irrelevant in practice.

> I have been advocating that in RSA key generation, we should randomize
> not only the key, but the number of bits in the key (within safe and
> computable limits).  This is because the current over-dependence on
> 1024-bit keys is a magnet for some large corrupt overfunded agency to
> build a brute force 1024-bit factoring machine.

A much simpler solution is to use larger keys.  Whatever upper bound on
key size that you would feel comfortable with in your scheme could just
be the only key size we use.  The overfunded agency will spend just as
much time trying to build a machine that can factor keys up to that
maximum size either way.

> So why doesn't our popular RSA-based software randomize its key
> lengths at key generation time?  It's a matter of where the designers
> and maintainers have focused.  Diversity of focus can be useful
> against wily adversaries.

Would you really want that added complexity in your crypto software?  I
think the lesson to be learned from TLS, IPSec, etc. is to keep things
simple.  The more complexity you add the more ways things can go wrong.

-- Ben
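As an added illustration of the point made above (this is not code from the thread), a small calculation of the attacker's factoring budget under the two schemes: the GNFS heuristic L_n[1/3, (64/9)^(1/3)] is used as the work estimate, the candidate key sizes are constructed sample values, and constant factors are ignored, so the figures are relative.

```python
import math

# Added example, not from the original thread.  It quantifies the argument
# that an adversary only has to build a factoring machine for the LARGEST
# size a randomized scheme can emit, so fixing every key at that size costs
# the adversary the same and leaves no weaker keys in circulation.


def gnfs_work_bits(modulus_bits: int) -> float:
    """Heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] for an n-bit RSA modulus,
    returned as log2 of the operation count (constants ignored)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def compare_schemes(candidate_sizes):
    """Randomized scheme: each key gets a size drawn from candidate_sizes.
    Fixed scheme: every key uses max(candidate_sizes).
    Returns work estimates in bits for both schemes."""
    largest, smallest = max(candidate_sizes), min(candidate_sizes)
    # A machine that factors the largest candidate also factors every
    # smaller one, so the adversary's build target is the same either way.
    machine = gnfs_work_bits(largest)
    per_key = [gnfs_work_bits(s) for s in candidate_sizes]
    return {
        "attacker_machine_either_scheme": machine,
        "fixed_scheme_every_key": machine,
        "randomized_scheme_weakest_key": gnfs_work_bits(smallest),
        "randomized_scheme_mean_key": sum(per_key) / len(per_key),
    }


if __name__ == "__main__":
    # Constructed sample: sizes drawn from 1024..2048 bits in 256-bit steps
    # versus a fixed 2048-bit key.
    sizes = list(range(1024, 2049, 256))
    for name, bits in compare_schemes(sizes).items():
        print(f"{name:34s} ~ 2^{bits:.0f}")
```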