Gentoo Archives: gentoo-security

From: Danny <dannydaemonic@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Encryption Ciphers
Date: Fri, 07 Mar 2008 18:03:33
In Reply to: Re: [gentoo-security] Encryption Ciphers by Peter Meier
1 The idea of avoiding something less popular, is that if someone gets your
2 encrypted data, they could look through the algorithm and find a hole and
3 break it without you knowing. However, choosing Serpent is not a choice of
4 security through obscurity. Serpent is as open as AES, and in this day and
5 age we have fairly reliable ways of deciding what makes a strong encryption
6 cipher. Serpent came in 2nd in the AES contest, only beaten by Rijndael
7 (which directly became AES). It is a 32-round substitution-permutation
8 network where 16 rounds were deemed sufficient. Which, by the way, helped
9 against the XSL attack (which can weaken AES), when applied to Serpent it is
10 more expensive than a brute force attack (not true for AES).
12 There is probably more to gain by announcing you broke Serpent than by using
13 it for personal gain, where I would argue the opposite is true of AES. That
14 said, this conversation was initially about personal laptops and personal
15 computers, and I only ever suggest it for personal use. Of course if you
16 have government secrets or corporate data that needs to be secured, you
17 should use something under heavy scrutiny. There is a lesser chance of a
18 determined group of mathematicians getting at your data since many in the
19 academic world are actively trying to break it.
21 To say either AES or Serpent will never be broken is simply ignorant, but
22 when it happens there will likely be programs to decrypt such data. Lets
23 say which ever cipher you chose is broken tomorrow. I'm guessing the AES
24 tools will be easier to get, and use than the Serpent ones. So if some
25 random thief steals your laptop, they are more likely to decrypt it if you
26 use AES. This scenario is more likely if they make an image of the hard
27 drive to save for later. Again, all this changes if your data is very
28 valuable for some reason, but I don't consider it a bad choice for personal
29 use.
31 On Thu, Mar 6, 2008 at 8:30 AM, Peter Meier <peter.meier@×××××××.ch> wrote:
33 > Hi
34 >
35 > > I just wanted to jump in and say that I'm personally a fan of Serpent.
36 > I
37 > > like to use something that's a little less popular, but still open. It
38 > is
39 > > similar in strength (IMHO), but there will be more people trying to
40 > break
41 > > AES than Serpent. For example, I've read the XSL attack that can weaken
42 > AES
43 > > is too complex when used on Serpent -- it would be more expensive than a
44 > > brute force attack.
45 >
46 > in my opinion quite a bad assumption. the more a crypto algorithm is
47 > open, the more people it test, the more it can be assumed that it is
48 > safe against current known attacks.
49 >
50 > greets pete
51 > --
52 > gentoo-security@l.g.o mailing list
53 >
54 >