On 15.09.15 12:17, mwnx wrote:
> Not sure what kinds of metrics you're talking about.
Thank you, the Wikipedia reference is enough to gain an idea of
blowfish's current security. In the first paragraph: "Blowfish provides
a good encryption rate in software and no effective cryptanalysis of it
has been found to date."
That said, with cm=blowfish, Vim does now (7.4.688) say:
Warning: Using a weak encryption method; see :help 'cm'
Enter encryption key:
Changing to cm=blowfish2 has fixed that, catching up with developments
sufficiently for my use case, I think. (I have one 5 kB encrypted file,
i.e. so much less than 4 GB, that there isn't enough text on which to do
much useful cryptanalysis.)
> Also, blowfish seems to no longer be a very recommended cipher. From
> wikipedia:
>
> Blowfish is known to be susceptible to attacks on reflectively weak
> keys.[8] [9] This means Blowfish users must carefully select keys as
> there is a class of keys known to be weak, or switch to more modern
> alternatives like the Advanced Encryption Standard, Salsa20, or
> Blowfish's more modern successors Twofish and Threefish. Bruce Schneier,
> Blowfish's creator, is quoted in 2007 as saying "At this point, though,
> I'm amazed it's still being used. If people ask, I recommend Twofish
> instead."[10] The FAQ for GnuPG (which features Blowfish as one of its
> algorithms) recommends that Blowfish should not be used to encrypt files
> that are larger than 4 Gb because of its small 64-bit block size.[11]
Skimming through reference [9], I figure that 5 kB of encrypted text is
far too little meat for even the improved attack to be of any use, so even the
older blowfish would still be a hard nut to crack.
> Not to mention the fact that –as far as I've surmised– vim decided to create
> its own implementation of blowfish instead of using one that has already had
> time to undergo public scrutiny, such as GPG's implementation.
The algorithm implementation published on Wikipedia shows it to be a
trivial coding exercise. I'm delighted to have that fully integrated in
Vim, so there's nothing outside, that I have to muck with.
> All in all, I just don't see why I should trust using the blowfish algorithm
> to encrypt sensitive information at this stage when there are much better
> alternatives out there which are readily available. And I especially can't
> trust any kind of in-house implementation of it.
For large files, it is theoretically weak, and superseded. But Twofish
covers that.
...
> For more information on vimcrypt's capabilities, all the documentation is in
> doc/vimcrypt.txt (https://github.com/mwnx/vimcrypt/blob/master/doc/vimcrypt.txt).
The long keys look good.
Thank you. You've improved my security, even without moving across ... yet.
Erik
--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment