Matthew Toseland wrote:
> The problem is that 128 bits isn't really enough; you'll get collisions
> naturally from time to time.

Not really - according to the birthday paradox you'd expect an accidental collision every 2^64 (17 billion billion) keys. As for deliberate collisions, it might be feasible to find two keys that collide with each other (2^64 attempts), but that's harmless - it wouldn't be feasible to find a second key that collides with a given key (2^128 attempts), which is the attack we need to worry about. A dictionary attack on a KSK would be orders of magnitude easier.

> And it wouldn't be encrypted. CHKs are
> simply CHK@<256 bit hash of content>,<256 bit encryption key>.

Damn, good point. So it would have to be 256 bits - 128 for the hash and 128 for an encryption key. That certainly decreases the advantage compared to a CHK.

Cheers,
Michael
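As an added illustration of the birthday-bound argument in the reply above (example code, not part of the original thread), the following Python computes the expected collision and second-preimage work for a hash of a given width and checks the birthday bound empirically on a deliberately truncated SHA-256; the truncation widths, seeds and counter-derived inputs are constructed for the demonstration.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 of `data`, keeping only the top `bits` bits.
    Truncation is a constructed teaching device: it makes collisions cheap
    enough to observe, so the birthday bound can be checked empirically."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def expected_collision_trials(bits: int) -> float:
    """Birthday bound: hashing about sqrt(pi/2 * 2^bits) random inputs is
    expected to yield two with the same output (roughly 2^(bits/2))."""
    return math.sqrt(math.pi / 2) * 2 ** (bits / 2)

def expected_second_preimage_trials(bits: int) -> float:
    """Matching one *given* output has no birthday shortcut: about 2^bits."""
    return 2.0 ** bits

def trials_until_collision(bits: int, seed: int) -> int:
    """Hash distinct counter-derived inputs until an output repeats and
    return how many inputs were hashed. Deterministic for a given seed."""
    seen = set()
    n = 0
    while True:
        n += 1
        h = truncated_hash(f"{seed}:{n}".encode(), bits)
        if h in seen:
            return n
        seen.add(h)

def mean_trials_until_collision(bits: int, runs: int) -> float:
    """Average the empirical waiting time over several constructed seeds."""
    return sum(trials_until_collision(bits, s) for s in range(runs)) / runs

if __name__ == "__main__":
    # Work factors for the two widths discussed in the thread.
    for width in (128, 256):
        coll = math.log2(expected_collision_trials(width))
        pre = math.log2(expected_second_preimage_trials(width))
        print(f"{width}-bit hash: collision ~2^{coll:.1f}, second preimage ~2^{pre:.0f}")
    # Empirical check on a 20-bit truncation (constructed, small enough to run).
    bits = 20
    print(f"{bits}-bit truncated: predicted {expected_collision_trials(bits):.0f} trials, "
          f"observed mean {mean_trials_until_collision(bits, 20):.0f}")
```

The gap between the two work factors for a 128-bit hash (about 2^64 versus 2^128) is the point the reply makes: finding any two colliding keys is far cheaper than colliding with a specific existing key.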
