On 21.07.2015 at 09:44, David Banes <da...@banes.org> wrote:

> If you're serious about stopping someone with greater computational power 
> than you getting at your data then you should take every bit you can. But I 
> agree, most people won't bother because you'd need the computing power 
> available to NIST to compute that.

*sigh* The NIST doesn't have any significant computing power. The adversary you 
are worried about is the NSA. But even the NSA is not able to break 128 bit or 
even 112 bit symmetric crypto. Even if you only have 112 bits to begin with and 
then assume you can break another 12 bits of AES (which currently is not the 
case, AES is still standing strong), then you still have 2^100 tries. That's an 
insanely huge number. I guess you'll be arguing now that 2^100 tries is within 
reach for the NSA, but it is definitely not - the NSA would need more power for 
that than the earth has, which can easily be proven by physics.

There's a lot on the net that explains in detail why only increasing key sizes 
is only giving you a fake sense of security - I'm too tired right now to explain 
all this, so I suggest you give your preferred search engine a try, as it can 
be easily found. Explanations why 112 bit for symmetric crypto is still more 
than enough are often found in connection to security evaluations of 3DES (which 
usually come to the conclusion that 3DES is still secure, but slow since it's a 
hack and thus AES preferable).

In this specific case though, using 4096 does not hurt, but using 2048 does not 
significantly reduce security. Thus ridiculing someone who wants to use 2048 
only proves misunderstandings about the underlying crypto. For 1024, however, 
it would be totally understandable, as this is actually within reach to be 
broken.

--
Jonathan
