Strong Encryption

Dan Kaminsky dan at doxpara.com
Sat Jul 10 00:17:16 EST 2004


>The best possible attack is exhaustive key search. Differential and linear
>cryptanalysis have a lower complexity (than a brute force attack) only in
>the case of a reduced-round version of AES. Yes, there is/was a lot of hype
>regarding algebraic attacks, but finally it has been proven that they
>don't work :-)
>
Were the algebraic attacks formally disproven?  (This would be a nice 
thing.)

>>or even 3DES (because there are known attacks on it because it is E(E(E(M))),
>>M being the plaintext and E being the encryption function) but they are
>>slower
>
>3DES is EDE (encrypt-decrypt-encrypt) with 3 keys. This encryption
>algorithm should not be used as it is much slower than AES and provides no
>extra security over AES-192 and AES-256.
>
3DES is probably the most analyzed cipher on the planet; that should
count for something.  FWIW, there's 168 bits of key material, with 112
bits of effective keyspace due to the best possible attack.  It's
considered a 128-bit class cipher because, well, it's the gold standard
of ciphers, and if it wasn't dog slow AES would never have seen the
light of day.

>>...Fastest blowfish
>
>Ben already said RC4 is the fastest encryption algorithm supported by SSH,
>but it has some cryptographic weaknesses.
>
Some?  :-)

Heh, since when was SHA-1 slower than ciphering?

>The preferred encryption method is the counter mode CTR. CBC has some
>small weaknesses; I personally don't consider them that severe.
>
Given that SSH operates over TCP and thus has perfect record ordering 
and reconstruction, the advantages of CTR aren't nearly as great.  I'm 
open to being corrected on this assertion, though :-)

--Dan
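Added example, not part of the thread above or of OpenSSH: the "112 bits of
effective keyspace" figure for 3DES comes from the meet-in-the-middle attack
on multiple encryption. The script below runs that attack against double
encryption with a constructed toy 16-bit block cipher and 8-bit keys (it is
not DES and is not secure; it exists only so the whole key space fits in a
fraction of a second). The sample keys 0x3A/0xC7 and plaintexts 0x1234/0xBEEF
are arbitrary constructed inputs. Naive search costs 2^16 key pairs; the
attack costs about 2 * 2^8 cipher calls, and the same idea takes 3DES with
three independent keys from 2^168 down to about 2^112.

```python
from itertools import product

BLOCK_MASK = 0xFFFF          # 16-bit blocks
KEY_SPACE = range(1 << 8)    # 8-bit keys: 256 values each
ROUNDS = 4
CALLS = [0]                  # counts single-block cipher invocations


def _round_key(key, r):
    # 0x9D is odd, so key -> round key is a bijection on 8-bit values;
    # distinct keys never collapse onto the same round-key schedule.
    return (key * 0x9D + r * 0x35) & 0xFF


def toy_encrypt(key, block):
    """Toy 16-bit block cipher (xor, rotate, add). Constructed for this example; not DES."""
    CALLS[0] += 1
    x = block & BLOCK_MASK
    for r in range(ROUNDS):
        rk = _round_key(key, r)
        x ^= (rk << 8) | rk
        x = ((x << 5) | (x >> 11)) & BLOCK_MASK   # rotate left 5
        x = (x + 0x3D4F) & BLOCK_MASK
    return x


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo the rounds in reverse order."""
    CALLS[0] += 1
    x = block & BLOCK_MASK
    for r in reversed(range(ROUNDS)):
        rk = _round_key(key, r)
        x = (x - 0x3D4F) & BLOCK_MASK
        x = ((x >> 5) | (x << 11)) & BLOCK_MASK   # rotate right 5
        x ^= (rk << 8) | rk
    return x


def double_encrypt(k1, k2, block):
    """C = E_k2(E_k1(P)): two independent 8-bit keys, 16 bits of key material."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def brute_force(pairs):
    """Exhaustive search over every (k1, k2): 2^16 key pairs. Returns (hits, cipher calls)."""
    CALLS[0] = 0
    hits = [(k1, k2) for k1, k2 in product(KEY_SPACE, KEY_SPACE)
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs)]
    return hits, CALLS[0]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) in roughly 2 * 2^8 cipher calls instead of 2^16.

    Encrypt the first plaintext under every k1 (forward table), decrypt the
    matching ciphertext under every k2, and look for a collision in the
    middle. A collision on one 16-bit block can happen by chance, so the
    remaining known pairs are used to discard false candidates.
    """
    CALLS[0] = 0
    (p0, c0), *rest = pairs
    table = {}
    for k1 in KEY_SPACE:
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = [(k1, k2) for k2 in KEY_SPACE
                  for k1 in table.get(toy_decrypt(k2, c0), ())]
    hits = [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, p) == c for p, c in rest)]
    return hits, CALLS[0]


def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF)):
    """Constructed known-plaintext pairs under the sample keys."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


if __name__ == "__main__":
    pairs = known_pairs(0x3A, 0xC7)
    mitm_hits, mitm_calls = meet_in_the_middle(pairs)
    bf_hits, bf_calls = brute_force(pairs)
    print("meet-in-the-middle:", [(hex(a), hex(b)) for a, b in mitm_hits],
          mitm_calls, "cipher calls")
    print("brute force:       ", [(hex(a), hex(b)) for a, b in bf_hits],
          bf_calls, "cipher calls")
```

The table costs memory proportional to the key space, which is the usual
trade: for 3DES the attack needs 2^56 table entries against 2^112 time, so the
112-bit figure is a work bound, not something anyone runs.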




More information about the openssh-unix-dev mailing list