On Tue, 19 Feb 2013 15:06:52 -0800 Gregory Maxwell <[email protected]> wrote:
> On Tue, Feb 19, 2013 at 2:42 PM, Ileana > <[email protected]> wrote: > > #define CIPHER_IV_LEN 16 > > To be fair— AES 256 has certificational weaknesses with a lower work > factor then the best attacks on 128 bit AES. They don't appear to > matter in practice, but I'm not aware of a threat model where 256 bit > AES would make a material improvement, except perhaps the > attacker-has-arbitrarily-good-quantum-computers model... and under > that model all the key derivation (curve25519 and DHKE) fails > completely in any case. OK...as I was saying... I guess I don't have issue with the AES128 vs AES256. However realize that otr should theoretically be stronger then tor...simply because tor is about thousands of anonymous connections, whereas OTR is a small amount of traffic that someone could capture easily and is know to likely be mostly plain text (therefore easier for cyrptanalysis) and possibly exactly whos text it was. In this case, it is clear they would attack your dh params for primes, as the discreet logarithm problem for 1536 bit length is orders of magnitude simpler then attacking AES-128. OTR should be considered needing the same cryptographic strength as PGP email. Beyond that, the SHA-1 function is no longer recommended for cryptographic entropy/key gen/records etc...and it appears to still being used in OTR beyond just fingerprinting. Forget about quantum computers...the issues is an attacker in this case knows there is sensitive text, it is easy to capture, and can conceivably hold unto it for 15 years to run on the next get whatever machine with perhaps some reduced attack vector due to advancements in the discreet log problem, problems discovered with the common prng's...whatever. 15 years is a long time so those extra bits may end up becoming relevant for as yet unforeseen reasons. Ileana _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
