From: geremy condra on
On Tue, Jan 26, 2010 at 4:00 PM, M.-A. Lemburg <mal(a)egenix.com> wrote:
>
>
> geremy condra wrote:
>> On Tue, Jan 26, 2010 at 12:37 PM, M.-A. Lemburg <mal(a)egenix.com> wrote:
>>
>> <snip>
>>
>>> You are also using CBC mode, even though you are really after
>>> ECB mode (your code doesn't use chaining). With ECB mode, you
>>> don't need the IV string.
>>
>> However, ECB mode is not as secure- the IV is the right way to go
>> here.
>
> Right - I forgot that PyCrypto applies the chaining internally
> when being passed data of more than 32 bytes.
>
>> I'd also note that you aren't supposed to use RandomPool anymore,
>> and that AES-192 is frequently recommended over AES-256 for
>> new applications due to a number of recent developments in
>> the cryptanalysis of its key schedule.
>
> Do you have pointers for this ?
>
> I could only find
> http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
> and
> https://cryptolux.org/Block
>

Sure. The best source is the papers themselves:

http://eprint.iacr.org/2009/374.pdf
http://eprint.iacr.org/2009/317.pdf
http://eprint.iacr.org/2009/242.pdf

If you're interested I can provide more. The other thing
to keep in mind is that several of the new attacks abuse
algebraic properties of the key schedule, and that older
attacks like XSL (eXtended Sparse Linearisation) and
models (like the BES) are useful tools. There's also
been some recent research into using bent functions
for cryptanalysis, including cryptanalysis over
GF(p), which falls into the lap of older models like
the BES, which views AES in terms of GF(2^8),
although I don't seem to be able to find free links
to those papers.

> My reading of their FAQ (https://cryptolux.org/FAQ_on_the_attacks)
> is that using AES-128 is the way to go (and it's faster too) - at
> least for the time being.

In applications where speed is not of the essence, there doesn't
appear to be a good reason to prefer AES-128 to AES-192,
and while the margin is small, recent attacks have consistently
led to results that are 2^10 or 2^12 larger for 192 than for 128.
I also doubt highly that the wells opened by these newer results
are the end of this question- so my advice would be to use 192
where possible, and keep an eye out just in case.

Geremy Condra