On 2/1/17 12:41 PM, Sergey Smitienko wrote:
But AES-256 isn't needed. AES-256 is actually weaker than
AES-128.
"Assuming you're talking about AES 128 versus AES 256, there is a
known weakness in the key expansion function that affects AES256.
Fundamentally, the weakness reduces the complexity of AES256 to
that lower than AES128."
http://eprint.iacr.org/2009/374
http://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions
"Related-key attacks are not a problem when the encryption algorithm
is used for encryption, because they work only when the victim uses
several distinct keys, such that the differences (bitwise XOR)
between the keys are known to the attacker and follow a very
definite pattern. This is not the kind of thing which often occurs
in protocols where AES is used; correspondingly, resistance to
related-key attacks was not a design criterion for the AES
competition."
"No. AES-256 is not weaker than AES-128. Absolutely not. And I
disagree with the advice that you should avoid AES-256. The
attack against AES-256 is a related-key attack, which is irrelevant
to most real-world uses of AES-256. Related-key attacks only become
relevant if you use the block cipher improperly, which is not
something that you ought to be doing. [ ... ]
So, basically, pay no attention to those claimed attacks on AES-256.
They are a theoretical curiosity with little or no relevance to
practice at the moment."
"
Note, that related-key scenarios are very academical. Here,
cryptographers assume that an adversary can 'partially control' some
relations among keys used in the computation."
Something like that. The attack is possible if the attacker either has
access to the computing system, or the "victim" generates related keys
by some specific algorithm and a chain of some of those keys is
available to the attacking party. In other words, this is something
you are practically never going to encounter in real life.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
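The distinction the quotes above draw, between subkeys whose XOR differences follow a pattern the attacker knows and subkeys derived independently, as an added Python example (not from the thread or its sources): the master key is constructed, the naive `master XOR i` scheme is a deliberately bad pattern, and the HKDF is a stdlib implementation of RFC 5869.

```python
import hmac
import hashlib


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def naive_related_keys(master: bytes, n: int) -> list[bytes]:
    """Anti-pattern: subkey_i = master XOR i.

    Any two subkeys differ by a public constant, which is exactly the
    'known XOR difference' the related-key setting requires."""
    return [bytes(b ^ c for b, c in zip(master, i.to_bytes(len(master), "big")))
            for i in range(n)]


def derived_keys(master: bytes, n: int) -> list[bytes]:
    """Proper use: each subkey comes out of a KDF under a distinct label,
    so the differences between subkeys are unpredictable to anyone who
    does not know the master key."""
    return [hkdf_sha256(master, bytes(32), b"aes-256 subkey %d" % i) for i in range(n)]


def xor_differences(keys: list[bytes]) -> list[bytes]:
    """XOR of every subkey against the first one."""
    return [bytes(a ^ b for a, b in zip(keys[0], k)) for k in keys[1:]]


def differences_follow_known_pattern(keys: list[bytes]) -> bool:
    """True when the differences are the plain counter values an attacker
    could write down without knowing any key material."""
    expected = [i.to_bytes(len(keys[0]), "big") for i in range(1, len(keys))]
    return xor_differences(keys) == expected


if __name__ == "__main__":
    master = bytes(range(32))  # constructed 256-bit master key, not a real secret
    print("naive scheme leaks key relations:", differences_follow_known_pattern(naive_related_keys(master, 4)))
    print("HKDF-derived scheme leaks key relations:", differences_follow_known_pattern(derived_keys(master, 4)))
```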