[Cryptech Tech] Use case for AES-192?

Bernd Paysan bernd at net2o.de
Mon Jul 21 21:44:48 UTC 2014


On Monday, 21 July 2014, 16:38:38, Russ Housley wrote:
> I do not know anyone that is making use of AES-192, but AES-128 and AES-256
> are in heavy use.

SSL has AES-192 as an option, but you don't have to implement all the gazillion 
options SSL suggests.  People use either AES-128 (me, Google), or AES-256 
(others).  There's a reason for preferring AES-128 over AES-256.

From a cryptanalytic point of view, this 2009 blog posting from Bruce Schneier 
is worth reading:

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

Effectively, AES does not have the security margin it would need to meet its 
promises (especially with AES-256).  The bottom line is that AES-128 has a 
sufficiently good key schedule, while AES-256 has a bad key schedule, and 
breaking it is possible on the order of 2^100 (this is too big to allow a 
practicable attack).  That means: If you decide today, use AES-128 instead of 
AES-256.  AES-192 is indeed rarely used; people either think "let's take the 
biggest number" or "let's take the fastest operation".

So I would say that if you have to implement AES support, AES-128 is a must, 
and the other two are optional with AES-256 perceived as more important, and 
AES-192 actually being the more secure one (at least as far as we know today).

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/