On Friday 31 July 2009 21:05:04 Matthew Toseland wrote:
> On Friday 31 July 2009 20:38:24 Evan Daniel wrote:
> > On Fri, Jul 31, 2009 at 2:07 PM, Matthew
> > Toseland<toad at amphibian.dyndns.org> wrote:
> > > http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
> > >
> > > Practical related-key/related-subkey attacks on AES with a 256-bit key
> > > with 9, 10 and 11 rounds. The official standard uses 14 rounds, so there
> > > is precious little safety margin - attacks always get better.
> > >
> > > We use AES/256 (technically we use Rijndael with 256 bit key and 256 bit
> > > block size mostly, which isn't strictly AES, although we use 128 bit
> > > block size, which is, for store encryption).
> > >
> > > Such attacks rely on related-key weaknesses in the protocol (as in WEP,
> > > where the IV was too small). In theory we shouldn't have any, although I
> > > am not entirely sure how to determine this. We shouldn't have known
> > > ciphertext, because we have an unforgeable authenticator on all packets,
> > > but I'm not sure exactly what the definition of a related-key weakness is.
> > >
> > > Nonetheless, it would seem prudent to increase the number of rounds as
> > > Schneier outlines (28 rounds for a 256-bit key). We have the
> > > infrastructure to do this without too much trouble, with key subtypes and
> > > negotiation types. Moving to AES/128 would be considerably more work.
> >
> > I think it would be worth trying to get someone who is a qualified
> > cryptographer to look in detail at how Freenet uses cryptography.
> > Freenet does a *lot* of crypto, mixed together in ways that aren't
> > necessarily common. It's also a very interesting project from a
> > cryptographic standpoint; it seems possible that someone could be
> > talked into doing it on a volunteer basis. Even if it wasn't
> > volunteer, it might be worth seeing how much a proper review would
> > cost. Cryptographic review seems appropriate for a program which
> > relies so strongly on the strength of its cryptography.
>
> We used to have Scott, but his email address doesn't work... Maybe I should
> ask Ian to locate him?
>
The link layer crypto was designed in collaboration with him... we should
document our usage of crypto, at least.