phpgroupware-developers

[Phpgroupware-developers] Proposal: change to rijndael encryption


From: Del
Subject: [Phpgroupware-developers] Proposal: change to rijndael encryption
Date: Thu, 13 Dec 2001 14:21:54 +1100

Just a proposal:

In phpgwapi/inc/class.crypto.inc, 3DES encryption is selected.  I suggest
this be changed to 128 bit Rijndael, for the following reasons:

-  Rijndael has been selected as the advanced encryption standard (AES)
   for use by the US government.

-  Rijndael is about 25x faster than 3DES on the same (general purpose)
   hardware.

-  Rijndael is more secure.  It has been extensively cryptanalysed and no
   known weaknesses have been found.  Due to weaknesses in DES, 3DES
   which uses 3 x 56 bit ciphers only has an encryption strength equal
   to 112 bits (2DES is the same encryption strength as DES).   Rijndael
   in its basic form is 128 bit.

-  Rijndael is scalable, as there exist 256 and 512 bit versions.  Due
   to weaknesses in the DES algorithm, neither 4DES, 5DES nor 6DES are
   any stronger than 3DES (but slower), and 7DES has only an equivalent
   cypher strength of 168 bits (and is very very slow).

-  DES hardware cracking devices exist that can break DES in a short
   period of time.  It is only a matter of years before dedicated 3DES
   cracking hardware becomes available.

The downside is that this would break all currently (3DES) encrypted
passwords out there.  I guess that since mcrypt doesn't work in any of
the releases of phpgroupware that I've tried, there wouldn't be a large
number of users with 3DES encrypted passwords.

--
Del
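
The remark in the message above that 2DES is no stronger than DES rests on the meet-in-the-middle attack. The following is an added example, not part of the original post or of phpgroupware: it uses a constructed toy 16-bit Feistel cipher with 10-bit keys as a stand-in for DES and counts how many single-cipher operations are needed to recover both keys of a double encryption.

```python
import hashlib
from collections import defaultdict

KEY_BITS = 10   # toy key size (DES uses 56); constructed for this demo
ROUNDS = 4
calls = 0       # number of single-cipher operations performed so far

def _f(key, rnd, half):
    """Toy round function: one byte of SHA-256 over (key, round, half-block)."""
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]

def encrypt(key, block):
    """Toy 16-bit Feistel cipher standing in for single DES."""
    global calls
    calls += 1
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 8) | right

def decrypt(key, block):
    """Inverse of encrypt(): undo the Feistel rounds in reverse order."""
    global calls
    calls += 1
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 8) | right

def meet_in_the_middle(pairs):
    """Find (k1, k2) with E(k2, E(k1, p)) == c for every known (p, c) pair."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = defaultdict(list)
    for k1 in range(1 << KEY_BITS):      # forward sweep: 2^KEY_BITS encryptions
        middle[encrypt(k1, p0)].append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):      # backward sweep: 2^KEY_BITS decryptions
        for k1 in middle.get(decrypt(k2, c0), ()):
            # a match in the middle is only a candidate; confirm on other pairs
            if all(encrypt(k2, encrypt(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found

def demo():
    """Return (secret keys, recovered candidates, cipher operations used)."""
    global calls
    k1, k2 = 0x2A7, 0x19C                  # constructed secret keys
    plaintexts = [0x0123, 0x4567, 0x89AB]  # constructed known plaintexts
    pairs = [(p, encrypt(k2, encrypt(k1, p))) for p in plaintexts]
    calls = 0
    found = meet_in_the_middle(pairs)
    return (k1, k2), found, calls
```

Trying every key pair would take about 2^20 double encryptions here; the two sweeps need roughly 2 x 2^10 single operations plus a table of 2^10 entries, which is why a second key adds about one bit of work rather than doubling the effective key length.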


