[Discuss] KeePassX

[Kent Borg]

On 08/14/2013 09:38 AM, Edward Ned Harvey (blu) wrote:
>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Kent Borg
>>
>> Bruteforcing
>> 128-bits is impossible.  Bruteforcing 256-bits is 128-bits times as
>> impossible.
> Careful here.  Someday, there might exist a perfect block cipher, but at present, all known block ciphers (including AES) suffer from the even-vs-odd permutation problem, which means, that a cipher with 128 bit key is only as strong as an ideal cipher with 64 bits.  If you want 128 bit strength (BigO 2^128 operations to brute force attack), you have to use the 256 bit key.

But you don't mean AES-128 can be broken today with 2^64 operations, do 
you?  That sounds wrong--or theoretical.

According to the current Wikipedia: "The first key-recovery attacks on 
full AES [...] requires 2^126.1 operations to recover an AES-128 key."  
(It seems like this is the kind of Wikipedia article that tends to be 
accurate.)  Then they move on to side-channel attacks...

Likely the NSA has a better attack.  Maybe they have a *way* better 
attack and they can shave off another couple dozen bits.  Still, a 
100-bits plus of brute force is not something they can do on the cheap.  
They have to want it.  It has to be a priority.  And they can't get it 
tomorrow.  Or next week.  And I bet not a long time after that.

-kb