Cryptographers have found a new chink in the widely used AES encryption standard that suggests the safety margin of its most powerful cipher is not as high as previously thought. In a soon-to-be-published paper, researchers Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir show that the 256-bit …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 4th August 2009 04:56 GMT disfit

Not so shocking

A lot sooner than expected, but as with all practical encryption techniques (quantum isn't (yet)), AES was not built or advertised as being the 'eternal solution'.

The worst thing about this, is the predictable knee-jerk reaction of dimwits (managers, politicians and journalist/bloggers alike) of either:

- Oh dear, the end of the world is yet again coming at the end of the week;

- See! I told you, you cannot trust these IT and crypto boffins, they lied to us again!

Then again, there are still people using ultra-encryption techniques with pass-phrases that are barely better than '1234'.

Personally I think it is pretty cool that a technique has been found that endangers the 256, leaving the 192 and 128 alone. Such wonderful humor ;-)

0 0
This post has been deleted by its author
Tuesday 4th August 2009 10:48 GMT cbrenton

All the eggs in one basket

AES (like DES before it) was suppose to last 30 years. We're less than 10 years in with significant problems being found. Not a good sign for data with long term value. If it only takes another 3-5 years for these attacks to be practical, what's to stop an attacker from recording and sitting on the ciphertext till then?

The fix for those who are concerned is to simply change ciphers (I'm still big on Blowfish myself). IMHO this has bigger implications for solutions where AES is your only data privacy option. Good example is WPA. If AES falls you are in trouble because AES is the only supported privacy option. I've documented a work around if anyone is interested: http://www.chrisbrenton.org/2009/07/eliminating-the-need-for-wpa-in-the-enterprise-part1/

0 0
Tuesday 4th August 2009 10:48 GMT Anonymous Coward

Triple DES

Seems to me they can still take the Triple DES route (use the key once + middle manipulation + use key a second time).

Each key can't be broken separately because you end up with random junk after the first decrypt and can't know if that random junk is decrypted or not....

i.e. 2^70 * 2^70 ... not 2^70+2^70

0 0
Tuesday 4th August 2009 10:48 GMT Dr. Mouse

All encryption is breakable

All you need is a powerful enough computer and/or enough time.

We all know that the NSA can break 'em all anyway with TRANSLTR... *

...Whats that noise? ARGH! Help! They're coming to take me away!

* See Digital Fortress by Dan Brown

0 0
Tuesday 4th August 2009 10:48 GMT Peter2

Um.

Two to the seventieth power. I had to actually look that number up.

As in, only 1,180,591,620,717,411,303,424 calculations required to crack it? That's 1.8 Sextillion! (as in, three orders of magnitude more than "trillion", which is the highest number 99% of the population recognise)

Is anybody actually up for calculating how long it would take to force a single key?

0 0
Tuesday 4th August 2009 11:30 GMT Ken Hagan

Re: Um

2**20 processing units (industrial scale) each trying 2**20 keys per second (dedicated hardware) would need 2**30 seconds, which is about 30 years. You'd need to be a government agency to afford a million units and I have no idea whether even dedicated hardware can actually run as fast as I've assumed. However, I can see why Mr Schneier calls it /almost/ practical.

0 0
Tuesday 4th August 2009 14:00 GMT Anonymous Coward

@Dr. Mouse

Joke alert I hope as Dan Brown is an author with very limited knowledge as his books atest- crap.

0 0
Tuesday 4th August 2009 22:46 GMT Anonymous Coward

needs more rounds

Yeah, this is significant, but the DoD spec (or some other government standard, forget which) for using AES-256 requires a 14 round pass. So, basically they're cracking the encryption in such a way for which it wasn't recommended to be used as they already knew it would be weaker. Bruce even points this out in his talk saying this really isn't that big of a deal. It's cool and all, but not that big of a deal.

0 0
Wednesday 5th August 2009 02:06 GMT Bounty

@Ken

Dedicated hardware? how about your video card. http://www.elcomsoft.com/edpr.html I don't even know if you can tackle these kinds of keys with GPU well, but the point is watch out, hardware can sneak up on you quick. 30 years with current hardware could be 15 within next year, 7 years a pair of years later, 3 a year after that. If someone keeps up on their hardware, 30 years could actually be 5, less if you're a little lucky, much less if you're very lucky.

0 0
Wednesday 5th August 2009 09:04 GMT Ken Hagan

Re: Dedicated hardware

I was thinking more along the lines of a bloody great FPGA, but I certainly didn't mean to suggest that dedicated hardware puts it out of reach of the common criminal -- simply that one can do a lot better than an Intel CPU if the problem is constrained like this one is.

Now that you mention it though, the aforesaid FPGA might well manage to squeeze multiple units onto a single die, and run them as barrel processors, so the "million units" might be much less of a limitation that I imagined.

Also, if cloud computing takes off, or even if people start taking laptop security seriously, we are all going to be encrypting vast amounts of data on a regular basis, so the "dedicated hardware" may eventually be bought off the shelf.

0 0