Re: Rijndael/AES implementations

From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 03/18/04


Date: Thu, 18 Mar 2004 15:52:27 -0500

Pieter, thanks for the insightful response.
I think the reason WinZip did not include the asymmetric key protection
option was, well most people understand how to enter a password, but
not many know anything about a certificate or, horrors, that 3 letter word PKI :-(

Anyone else with comments?

- Mitch

"Pieter Philippaerts" <Pieter@nospam.mentalis.org> wrote in message
news:eOoHzBQDEHA.2424@TK2MSFTNGP09.phx.gbl...
> "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > (1) Are there significant performance/implementation differences in the native versus
> > the managed version that developers or security-conscious folks should know about?
>
> Yes, there are a few differences you should be aware of. First of all, the
> AES CSP is little-endian [like all the other CSPs] and the RijndaelManaged
> class is big-endian. So make sure you reverse your key bytes when passing
> keys between the two. Also keep in mind that the AES CSP only implements a
> block size of 128 bits because the AES standard only specifies this block
> size. The RijndaelManaged class implements block sizes of 128, 192 and 256
> bits.
> As far as performance is concerned, I've seen 7x speed-ups when using the
> CSP over the managed implementation, so yes, there's definitely a
> performance difference between the two.
>
> > (2) Considering that Rijndael has not had the benefit of the longer "soak" time other symmetric
> > ciphers like 3DES have had, are most security analysts satisfied based on best current knowledge
> > of Rijndael to recommend going ahead with architecture using Rijndael for business purposes?
>
> Actually, Rijndael already has more credibility than 3DES. Not only because
> you can use a much larger key, but also [and perhaps mainly] because the NSA
> recently approved the use of the AES to encrypt confidential and secret
> messages. 3DES has only been approved to encrypt non-confidential messages.
> This clearly shows that the NSA has a lot of confidence in the algorithm.
>
> > (3) WinZip 9 supports AES encryption via using B. Gladman's open source implementation of
> > AES:
> > http://www.winzip.com/aes_info.htm
> > Any views of this implementation in WinZip?
>
> Apparently WinZip used the code of a security researcher, so this is already
> a good sign. They also have a FIPS certification for their implementation.
> The only major problem with it is that it uses password based key
> generation. It's too bad they didn't implement some mechanism where the user
> could choose between password-based key generation or asymmetric key
> encryption.
>
> Regards,
> Pieter Philippaerts
> Managed SSL/TLS: http://mentalis.org/go.php?sl
>
>
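
The point above about password-based key generation, as an added Python example that is not part of either post. The derivation parameters (PBKDF2-HMAC-SHA1, 1000 iterations, salt of half the key length, 2-byte verifier) are recalled from WinZip's published AES format notes; the function names and the sample password are made up for illustration.

```python
import hashlib
import math
import os

# Assumed parameters (recalled from WinZip's AES format notes, not from this thread).
ITERATIONS = 1000
SALT_LEN = {128: 8, 192: 12, 256: 16}   # key size in bits -> salt length in bytes


def derive_winzip_keys(password: bytes, salt: bytes, key_bits: int = 256):
    """Return (aes_key, hmac_key, verifier) derived from password and salt."""
    if key_bits not in SALT_LEN or len(salt) != SALT_LEN[key_bits]:
        raise ValueError("unsupported key size or wrong salt length")
    n = key_bits // 8
    # One PBKDF2 output is split three ways: cipher key, MAC key, password check.
    material = hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, 2 * n + 2)
    return material[:n], material[n:2 * n], material[2 * n:]


def effective_key_bits(alphabet_size: int, length: int, key_bits: int = 256) -> float:
    """Upper bound on key strength when the key is derived from a password.

    A uniformly random password of this shape carries length * log2(alphabet)
    bits, and the derived AES key cannot be stronger than its only secret input.
    """
    password_bits = length * math.log2(alphabet_size)
    return min(float(key_bits), password_bits)


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN[256])      # stored in the clear beside the ciphertext
    password = b"correct horse"           # constructed sample password
    aes_key, hmac_key, verifier = derive_winzip_keys(password, salt)
    print("AES key bytes:", len(aes_key), "HMAC key bytes:", len(hmac_key))
    print("2-byte verifier:", verifier.hex())
    # Eight random lowercase letters: far below the nominal 256-bit key size.
    print("password-derived:", round(effective_key_bits(26, 8), 1), "bits")
    # A 32-byte key from a random generator (the kind an asymmetric option
    # would wrap under a public key) keeps the full key size.
    print("random 32-byte key:", effective_key_bits(256, 32), "bits")
```

The salt and iteration count slow down guessing but add no secrecy of their own, so the archive is only as strong as the password chosen.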


