On Tue, Jan 18, 2011 at 06:15:50PM +0100, Roland Smith wrote:
> > What do you folks think of the relative merits of AES vs Blowfish for
> > disk encryption?
> 
> Neither has been broken with its complete number of rounds. Versions of
> both can be broken with a reduced number of rounds. See
> http://www.schneier.com/paper-blowfish-oneyear.html for some analysis of
> Blowfish, and e.g. http://www.schneier.com/paper-rijndael.html for several
> attacks on Rijndael with reduced rounds.

It seems I have to correct myself here. According to a presentation by Colin
Percival [1] (slides [2]), Blowfish is not safe because it uses a relatively
small block size (for compatibility with DES, IIRC), which makes it more
likely that you can get two identical blocks of (cipher)text in one message,
giving an attacker an avenue of attack.

His recommendation is to use AES. This is what geli(8) recommends as well.

[1]: http://blip.tv/file/3627639
[2]: http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
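To put numbers on the block-size argument in the message above, here is an added Python example; it is not part of Roland's message, of Colin Percival's talk, or of geli. It computes the birthday bound for 64-bit (Blowfish, DES) and 128-bit (AES) blocks, and then uses a toy 16-bit block cipher (a seeded random permutation, assumed here purely so collisions show up within a few thousand blocks) in CBC mode to show the concrete consequence of a repeated ciphertext block: since C_i = E_K(P_i XOR C_{i-1}), a collision C_i == C_j gives P_i XOR P_j = C_{i-1} XOR C_{j-1}, computable from the ciphertext alone. CBC is chosen for illustration; the page does not say which mode geli uses.

```python
"""Added example: why a 64-bit block size is a problem for bulk encryption.

With an n-bit block cipher, ciphertext blocks start repeating after
roughly 2^(n/2) blocks (the birthday bound).  For 64-bit blocks that is
2^32 blocks, i.e. 32 GiB of data under one key; for 128-bit blocks it is
2^64 blocks.  In CBC mode a repeated ciphertext block leaks the XOR of two
plaintext blocks without any knowledge of the key.  The toy cipher below is
a seeded random permutation on 16-bit values (an assumption for
illustration, not a real cipher), so the effect appears after a few
hundred blocks instead of gigabytes.
"""
import random


def birthday_blocks(block_bits: int) -> int:
    """Number of encrypted blocks after which a repeated block is expected."""
    return 1 << (block_bits // 2)


def birthday_bytes(block_bits: int) -> int:
    """The same bound, expressed as bytes encrypted under a single key."""
    return birthday_blocks(block_bits) * (block_bits // 8)


class ToyBlockCipher:
    """A keyed permutation on BLOCK_BITS-bit values standing in for a real cipher.

    The 'key' is the seed of the shuffle.  BLOCK_BITS is deliberately tiny.
    """
    BLOCK_BITS = 16

    def __init__(self, seed: int):
        rng = random.Random(seed)
        self.table = list(range(1 << self.BLOCK_BITS))
        rng.shuffle(self.table)

    def encrypt(self, block: int) -> int:
        return self.table[block]


def cbc_encrypt(cipher, iv, plaintext_blocks):
    """Textbook CBC: C_i = E_K(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in plaintext_blocks:
        c = cipher.encrypt(p ^ prev)
        out.append(c)
        prev = c
    return out


def find_collision_leaks(iv, ciphertext_blocks):
    """Return (i, j, leaked) for each j whose block repeats an earlier block i.

    `leaked` is C_{i-1} XOR C_{j-1}, computed from ciphertext and IV only.
    By the CBC equation it equals P_i XOR P_j.
    """
    chained = [iv] + ciphertext_blocks      # chained[k] is C_{k-1}
    first_seen, leaks = {}, []
    for j, c in enumerate(ciphertext_blocks):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, chained[i] ^ chained[j]))
        else:
            first_seen[c] = j
    return leaks


def demo(seed: int = 1, n_blocks: int = 2000) -> dict:
    """Encrypt random plaintext (constructed here) and check every leak.

    n_blocks is well past the 16-bit birthday bound of 256 blocks, so
    several collisions are expected; the attacker's leaked XOR is checked
    against the true plaintext XOR, which the attacker does not see.
    """
    cipher = ToyBlockCipher(seed)
    rng = random.Random(seed + 1)
    iv = rng.getrandbits(cipher.BLOCK_BITS)
    plaintext = [rng.getrandbits(cipher.BLOCK_BITS) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    leaks = find_collision_leaks(iv, ciphertext)
    verified = all(leaked == plaintext[i] ^ plaintext[j] for i, j, leaked in leaks)
    return {
        "expected_after_blocks": birthday_blocks(cipher.BLOCK_BITS),
        "collisions": len(leaks),
        "all_verified": verified,
    }


if __name__ == "__main__":
    print("64-bit blocks: repeat expected after %d bytes" % birthday_bytes(64))
    print("128-bit blocks: repeat expected after %d bytes" % birthday_bytes(128))
    print(demo())
```

The check that matters is `all_verified`: every XOR recovered from ciphertext alone matches the true plaintext XOR. On a disk, that turns one repeated 8-byte ciphertext block into a relation between two sectors' contents, and anything known about one of them (a zero-filled block, a file header) reveals the other. With 128-bit blocks the same bound is 2^64 blocks, far beyond any disk.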
