I did a search to see if Schneier changed his mind. He still prefers AES128.
Ditto on the bettercrypto link. Back to lurking... Original Message From: Alice Wonder Sent: Friday, November 11, 2016 12:44 PM To: [email protected] Subject: Re: bits of encryption On 11/11/2016 11:00 AM, Alice Wonder wrote: > On 11/11/2016 03:21 AM, [email protected] wrote: >> So is this level of encryption something openssl sets up? That is >> where do I set the parameter? >> >> Original Message >> From: Sven Schwedas >> Sent: Friday, November 11, 2016 3:15 AM >> To: [email protected]; [email protected] >> Subject: Re: bits of encryption >> >> On 2016-11-11 12:08, [email protected] wrote: >>> That does explain a lot, but why when I "talk to myself" (send myself >>> email) >>> do I get a lower grade (less bits) of encryption than when another >>> server is >>> sending mail? Is there some parameter I need to set in postfix? >> >> Which particular algorithm gets chosen is usually up to the TLS client >> (which can be another server connecting to yours): At the start of the >> connection, client and server tell each other what ciphers they support, >> and the client picks one. >> >> There's pros and cons to 128 bit and 256 bit ciphers (128 bit is good >> enough and faster; 256 bit has more safety margin against *some* attacks >> – but not all), some programs prefer one or the other. You'll have to >> look up whether you can tell your particular client software to prefer >> 256 bit ciphers, if you want to. > > Mozilla products often prefer 128-bit AES rather than 256-bit because of > concerns that 256-bit may make certain types of timing attacks easier. > The same may be true of other cipher suites. *snip* Correcting myself, I did a little reading. It's related key attacks where AES-128 is more secure than AES-256 but related key attacks require special conditions that often are not met (and I don't believe are met in a mail server) and even when they are met, related key attacks on AES-256 are not real-world realistic. http://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions and https://en.wikipedia.org/wiki/Related-key_attack are two of the sources I read. Point being AES-128 or AES-256 are both sufficient for security. The latter requires more CPU power than the former, but both are real world secure. Attackers would attack something other than the cipher.
