Bug#476441: Please revisit this choice. AES128 vs AES256

Robert de Bath robert$ at debath.co.uk
Fri Mar 21 10:15:41 UTC 2014


I notice that the distribution of RSA key sizes distributed with Debian
has changed.

The 2048 bit keys are still the most common but 20% of the keys are now
4096 bit with only 12% still being 1024 bit. (The 4k and 1k keys have
basically changed places)

Based on the (now rather dated IMO) papers you cite, the 4k keysize exceeds
the strength of AES-128 by a large margin. As the RSA key is usually the
"headline" strength indicator for the algorithms, other keysizes IMO should
equal or exceed this value; AES-128 appears not to for 4k RSA keys.

In addition a quick "Google" around appears to imply that at current rates
AES-128 will be considered unsafe by around 2030. This is well before the
2070 estimate of the 2004 paper; perhaps because of the now widespread and
cheap use of 'GPU cracker' hardware from the bitcoins events and the now
common inclusion of AES hardware assists in modern CPUs.

Mostly because of the 4k RSA keys I believe the default should be changed
from AES-128 to AES-256 in the near future, as I would have (still reasonably
light) doubts that AES-128 will be sufficient for the predicted lifetime
of the jessie release.

-- 
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                               <http://www.debath.co.uk/>


