All the eggs in one basket

AES (like DES before it) was suppose to last 30 years. We're less than 10 years in with significant problems being found. Not a good sign for data with long term value. If it only takes another 3-5 years for these attacks to be practical, what's to stop an attacker from recording and sitting on the ciphertext till then?

The fix for those who are concerned is to simply change ciphers (I'm still big on Blowfish myself). IMHO this has bigger implications for solutions where AES is your only data privacy option. Good example is WPA. If AES falls you are in trouble because AES is the only supported privacy option. I've documented a work around if anyone is interested: http://www.chrisbrenton.org/2009/07/eliminating-the-need-for-wpa-in-the-enterprise-part1/

Triple DES

Seems to me they can still take the Triple DES route (use the key once + middle manipulation + use key a second time).

Each key can't be broken separately because you end up with random junk after the first decrypt and can't know if that random junk is decrypted or not....

i.e. 2^70 * 2^70 ... not 2^70+2^70

Re: Um

2**20 processing units (industrial scale) each trying 2**20 keys per second (dedicated hardware) would need 2**30 seconds, which is about 30 years. You'd need to be a government agency to afford a million units and I have no idea whether even dedicated hardware can actually run as fast as I've assumed. However, I can see why Mr Schneier calls it /almost/ practical.

needs more rounds

Yeah, this is significant, but the DoD spec (or some other government standard, forget which) for using AES-256 requires a 14 round pass. So, basically they're cracking the encryption in such a way for which it wasn't recommended to be used as they already knew it would be weaker. Bruce even points this out in his talk saying this really isn't that big of a deal. It's cool and all, but not that big of a deal.

@Ken

Dedicated hardware? how about your video card. http://www.elcomsoft.com/edpr.html I don't even know if you can tackle these kinds of keys with GPU well, but the point is watch out, hardware can sneak up on you quick. 30 years with current hardware could be 15 within next year, 7 years a pair of years later, 3 a year after that. If someone keeps up on their hardware, 30 years could actually be 5, less if you're a little lucky, much less if you're very lucky.

Re: Dedicated hardware

I was thinking more along the lines of a bloody great FPGA, but I certainly didn't mean to suggest that dedicated hardware puts it out of reach of the common criminal -- simply that one can do a lot better than an Intel CPU if the problem is constrained like this one is.

Now that you mention it though, the aforesaid FPGA might well manage to squeeze multiple units onto a single die, and run them as barrel processors, so the "million units" might be much less of a limitation that I imagined.

Also, if cloud computing takes off, or even if people start taking laptop security seriously, we are all going to be encrypting vast amounts of data on a regular basis, so the "dedicated hardware" may eventually be bought off the shelf.