What encryption settings do you use and why?

edited June 2014 in VPN Setup Support
I'm using the default settings:

AES 128
SHA1
RSA-2048

What do you use and why?

Comments

  • If I am torrenting, I use the same settings that you listed as it is the best for my speed.

    If I am casually surfing, I use Blowfish with the same handshake and auth. I believe Blowfish is more secure than AES-128, but I do personally get slower speeds.

    If I am revealing sensitive data or surfing questionable content that might be "flagged" (I am in the InfoSec field so it is quite often), I use AES-256 with SHA256 and RSA-4096.
  • Thanks for your reply, OS34.

    I didn't know that Blowfish was better than AES-128. I've recently switched to the maximum protection preset (AES-256 with SHA256 and RSA-4096) because I still reach speeds of up to 100 Mbps on speed test sites.

    With no decrease in speeds, I figure the maximum protection preset is worth using.
  • @PoLyGLoT No problem. AES-128 is faster while still offering great protection, while Blowfish is a bit slower while offering better protection. They are both very secure and have never been cracked. AES-256 is obviously more secure and if your speeds aren't taking a hit then I would use AES-256.
  • @OS34

    It's funny, I'm new to all of this stuff, but the opinion on Blowfish vs. AES-128 varies depending on who you ask.  Of course, if neither have been cracked, it obviously doesn't matter too much.  But I find it all interesting nonetheless.

    For instance, I was reading how long it would take to brute force crack AES-128 and AES-256, and my memory is that it was something like millions of years (or something ridiculous).  Just insane what we can create and do with technology. 

    And just think - something will come along that's even more secure when the time is right.
  • Even for 128-bit AES the mathematics say a billion billion years are required if you use a supercomputer.
    http://www.eetimes.com/document.asp?doc_id=1279619
  • It's really just speculation that Blowfish is more secure.
  • Blowfish was made before AES and was not made with speed and low memory and CPU intensity as goals. So the idea that it is more secure does have more credence than Rijndael has. But you are right. It is still speculation.
  • Yes, except Blowfish has the smaller 64-bit block size compared to AES's 128-bit.
  • I am not so sure that the block size is even important. Depending on how exactly a cipher is implemented, the block size can be entirely useless to any efforts to break it. Key size on the other hand is certainly a different matter. And on that note, Blowfish supports up to 448-bit key sizes, whereas AES maxes out at 256 bits. And if you have any desire to stick with Blowfish and similar ciphers made by the same author, Twofish and Threefish support up to a maximum of 1024 bits for block and key size.

    Blowfish
    Twofish
    Threefish
    AES

    For a simplified way of deciding what encryption cipher is best, I take the number of bits of the key size and multiply it by the number of rounds. (Higher is better, obviously.)

    Then for finding the fastest, I take the number of cycles per byte directly. There are plenty of benchmarks available for most of them. (Smaller is better, again, obviously.)

    But we really only have AES and Blowfish to choose from here. And both are more than good enough for me.

    For anyone who reads this and starts wondering how to use 448 bit Blowfish, just forget I mentioned it. You cannot actually use it with OpenVPN anyway. Likewise Twofish and Threefish are not yet part of OpenVPN or even OpenSSL.
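    As an added example (not from the thread or from any project it mentions), this puts numbers on two points raised above: Omni's key-size times rounds rule of thumb, and the 64-bit versus 128-bit block size question. The round counts are the standard ones for each cipher design; the 1e18 keys/second guessing rate is a constructed figure, not a measurement.

```python
import math

# Constructed reference table of (key bits, rounds) for the ciphers named in
# the thread; the round counts are the standard values for each design.
CIPHERS = {
    "Blowfish-448": (448, 16),
    "AES-128": (128, 10),
    "AES-256": (256, 14),
    "Twofish-256": (256, 16),
    "Threefish-1024": (1024, 80),
}


def heuristic_score(key_bits, rounds):
    """Omni's rule of thumb from the thread: key size times round count."""
    return key_bits * rounds


def collision_probability(block_bits, n_blocks):
    """Probability that two ciphertext blocks collide among n_blocks blocks
    encrypted under one key (birthday bound, as in CBC mode).  A collision
    leaks the XOR of two plaintext blocks, so this is the risk a small block
    size adds no matter how long the key is."""
    n_space = 2 ** block_bits
    # expm1 keeps precision when the probability is tiny (128-bit blocks).
    return -math.expm1(-(n_blocks ** 2) / (2 * n_space))


def bytes_until_probability(block_bits, p=0.5):
    """Bytes one key may encrypt before a collision reaches probability p."""
    n_space = 2 ** block_bits
    n_blocks = math.sqrt(-2 * n_space * math.log(1 - p))
    return n_blocks * (block_bits // 8)


def brute_force_years(key_bits, keys_per_second):
    """Worst-case years to exhaust the whole keyspace at a given guess rate."""
    seconds = (2 ** key_bits) / keys_per_second
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    for name, (bits, rounds) in CIPHERS.items():
        print(f"{name:15s} score={heuristic_score(bits, rounds)}")
    for block in (64, 128):
        gb = bytes_until_probability(block) / 1e9
        print(f"{block}-bit block: 50% collision chance after {gb:.3g} GB under one key")
    print(f"AES-128 at 1e18 keys/s: {brute_force_years(128, 1e18):.3g} years")
```

    The 64-bit figure (roughly 40 GB per key) is why traffic volume per key, not only key length, matters for Blowfish; OpenVPN's reneg-sec and reneg-bytes options exist to bound how much data one key covers. The score function deliberately ignores the cryptanalysis record that later comments bring up.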
  • Even so, AES has been the encryption standard for over a decade and been adopted by NIST, deemed fit for government agencies up to the top secret level. It has thus been far more researched and audited by cryptanalysts for flaws, which should be taken into account.
  • As I mentioned in my initial post, "I BELIEVE Blowfish is more secure than AES-128". So, yes this is just a matter of opinion. There are plenty of people on both sides of the argument. AES does have a better cryptanalysis record which should be taken into consideration. But as Omni said, they are both good enough for me.
  • According to https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp/, the author of Blowfish himself said about Blowfish: "at this point, though, I’m amazed it’s still being used. If people ask, I recommend Twofish instead."
  • That is unimportant. Schneier made Blowfish, and the successor Twofish and Threefish as well. He could recommend magic fairy dust too, since none of this except Blowfish exists in OpenVPN.
  • Data Encryption: AES-256
    Data Authentication: SHA-256
    Handshake: RSA-4096

    I like to use the most secure options for increased privacy.