Linked by David Adams on Wed 17th Aug 2011 17:53 UTC, submitted by HAL2001
Privacy, Security, Encryption Researchers have found a weakness in the AES algorithm. They managed to come up with a clever new attack that can recover the secret key four times easier than anticipated by experts. In the last decade, many researchers have tested the security of the AES algorithm, but no flaws were found so far. The new attack applies to all versions of AES even if it used with a single key. The attack shows that finding the key of AES is four times easier than previously believed; in other words, AES-128 is more like AES-126.
Order by: Score:
AES-254
by project_2501 on Wed 17th Aug 2011 18:20 UTC
project_2501
Member since:
2006-03-20

So AES-256 is more like AES-254. I'm sure most users of AES-256 can live with that?

Reply Score: 4

RE: AES-254
by Laurence on Wed 17th Aug 2011 20:25 UTC in reply to "AES-254"
Laurence Member since:
2007-03-26

So AES-256 is more like AES-254. I'm sure most users of AES-256 can live with that?

Actually some experts believe that AES-256 is easier to crack than AES-128:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

Reply Score: 3

RE[2]: AES-254
by galvanash on Wed 17th Aug 2011 22:14 UTC in reply to "RE: AES-254"
galvanash Member since:
2006-01-25

Actually some experts believe that AES-256 is easier to crack than AES-128:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html


That is simply a related key attack. It does identify a weakness in the key scheduling of AES, but it in no way makes it "easier" to crack AES-256. It does, however, make AES-128 "better" in some respects, since no one has managed this type of attack on it.

Besides, it is really all academic anyway. AES-128 is so hard to brute-force that doubling the key size is practically pointless. Unless a weakness is found, AES-128 is good enough - more than good enough. With today's computer speeds it is simply impossible to brute force it - you could throw every computer on earth at the problem 24/7 and you'd still have the problem of the oceans drying up first...

Reply Score: 4

RE[3]: AES-254
by Laurence on Wed 17th Aug 2011 22:35 UTC in reply to "RE[2]: AES-254"
Laurence Member since:
2007-03-26


That is simply a related key attack. It does identify a weakness in the key scheduling of AES, but it in no way makes it "easier" to crack AES-256. It does, however, make AES-128 "better" in some respects, since no one has managed this type of attack on it.

I know what the attack is relating to and all you're doing is arguing the semantics of "easier".

Perhaps that term does over simplify the situation, however the point of my post was to be a brief explanation of the included link as Schneier explains the attack far better than I could.

Besides, it is really all academic anyway. AES-128 is so hard to brute-force that doubling the key size is practically pointless. Unless a weakness is found, AES-128 is good enough - more than good enough. With today's computer speeds it is simply impossible to brute force it - you could throw every computer on earth at the problem 24/7 and you'd still have the problem of the oceans drying up first...

Indeed, but the point of hacks like these is to find weaknesses in the encryption that negates the need for numerous heavy-duty brute-force attacks.

Edited 2011-08-17 22:35 UTC

Reply Score: 2

RE[4]: AES-254
by galvanash on Wed 17th Aug 2011 22:53 UTC in reply to "RE[3]: AES-254"
galvanash Member since:
2006-01-25

Perhaps that term does over simplify the situation, however the point of my post was to be a brief explanation of the included link as Schneier explains the attack far better than I could.


Sorry about that, my reply sounded a bit negative towards your post - it wasn't intended to be. Your post was appreciated as I had heard about the related key attack but did not read the paper and the link you gave was very good.

Reply Score: 2

RE[3]: AES-254
by Drumhellar on Wed 17th Aug 2011 22:51 UTC in reply to "RE[2]: AES-254"
Drumhellar Member since:
2005-07-12

With today's computer speeds it is simply impossible to brute force it


I'm a stickler for details, especially on anything relating to numbers. A brute force attack is not impossible, however, it is exceedingly unlikely.

Reply Score: 2

RE[4]: AES-254
by galvanash on Wed 17th Aug 2011 22:58 UTC in reply to "RE[3]: AES-254"
galvanash Member since:
2006-01-25

Ok, impossible might not be the right word. But "exceedingly unlikely" doesn't do it justice either...

This is a little tidbit from a paper I read a while back (its a pdf - don't know where I got it from so I can't link to it)...


If you assume:

Every person on the planet owns 10 computers.

There are 7 billion people on the planet.

Each of these computers can test 1 billion key
combinations per second.

On average, you can crack the key after testing
50 percent of the possibilities.

THEN

The earth’s population can crack one
encryption key in 77,000,000,
000,000,000,000,000,000 years.


That is a bit more than "exceedingly unlikely" ;)

Reply Score: 3

RE[5]: AES-254
by Drumhellar on Wed 17th Aug 2011 23:26 UTC in reply to "RE[4]: AES-254"
Drumhellar Member since:
2005-07-12

I don't think there are words that could convey the unlikelihood of such an event and still be accurate.

To my ears, nearly impossible has always sounded more likely than exceedingly unlikely.

Either way, impossible is demonstrably wrong.

Reply Score: 2

RE[6]: AES-254
by Morgan on Thu 18th Aug 2011 00:00 UTC in reply to "RE[5]: AES-254"
Morgan Member since:
2005-06-29

How about "impossible within the natural lifespan of all currently living humans and their great*10^18 offspring"? That's my take on it.

After all, I doubt any humans would be left alive 70 quadrillion years from now to care what the encrypted data was. Even if there were, the computer being used to crack it would likely disintegrate completely a few hundred million years into the process.

So, yeah, "impossible" is, for all intents and purposes, a practical description.


Edit: And yes, I know galvanash's white paper called for 77 septillion years, but I was attempting to stay within the lifespan of the universe, give or take an order of magnitude.

Edited 2011-08-18 00:04 UTC

Reply Score: 2

RE[7]: AES-254
by umccullough on Thu 18th Aug 2011 05:53 UTC in reply to "RE[6]: AES-254"
umccullough Member since:
2006-01-26

How about "impossible within the natural lifespan of all currently living humans and their great*10^18 offspring"? That's my take on it.


Actually, with a brute force attack, there's an (exceptionally) slim possibility that the first attempt will crack it.

That's the thing with a brute force attack, you don't necessarily have to go through the entire keyspace to break it, just until you actually find the answer ;)

That's what makes it extremely improbable vs. impossible.

Reply Score: 5

RE[7]: AES-254
by Lennie on Thu 18th Aug 2011 11:03 UTC in reply to "RE[6]: AES-254"
Lennie Member since:
2007-09-22

What you have to remember is that encryption isn't perfect. It is just statistics. They talk about how likely it is your data can be decrypted.

Your data is only as save as it's key.

For example if the random-data which is used to generate your key is somewhat predictable you have a big problem.

Because the range of keys that need to be tested gets reduced very quickly. It allows to test for whole lot less keys thus the kind of guesses that will be done will be a lot more likely to be right.

Obviously the problem with guessing is, you can guess right at the first time by accident (or in the first million or whatever a 'short' timeframe is).

So it is just statistics, it just says how large the key space is and thus how likely it is you can guess it.

Maybe a lottery is just a small keyspace, but people do win it. And pretty sure almost every day someone on this planet gets struck by lightning.

Certain hardware is also a lot more suitable than others.

From a paper on GPGPU and AES in 2010 mentions: "A peak throughput rate of 8.28 Gbit/s is achieved"..."the GPU is 19.60 times faster than the CPU."...

And that was in 2010.

It is also possible to build hardware specifically for guessing keys and testing decryption.

People always say: well, my data isn't that important, no-one will take the time to create the hardware to break it.

But the people creating the hardware are not making the hardware to just break your key, they make it to break the most valuable key.

And if it works, they will start on the next key and improve on the design I'm sure.

Is there a government or company in the world that is already working on this ? We don't know.

I'll shut up again.

Reply Score: 2

RE[6]: AES-254
by rirmak on Fri 19th Aug 2011 18:02 UTC in reply to "RE[5]: AES-254"
rirmak Member since:
2009-06-23

Either way, impossible is demonstrably wrong.


This must be the most autistic sample of pedantry I've encountered since early April.

Oh, and for your arguing style you also have a raspberry from me in ;) semantics, as "demonstrably" may be the lamest excuse for a technicality this month (infantile hypercorrection).

Reply Score: 1

RE[5]: AES-254
by reez on Wed 17th Aug 2011 23:57 UTC in reply to "RE[4]: AES-254"
reez Member since:
2006-06-28

You know there are those Bitcoin folks with buildings brimmed with graphics cards. ;)

Think about quantum physics. It is also possible to just walk through a wall or slip through the earth, which in fact mots of us are "trying" 24/7. I know, it is a lot more likely to find a key, but the problem is people's (meaning at least mine) usually have a problem comprehending how (un)likely an event is. Just think about lotteries. People play because there is a chance, even though most of them know it is very unlikely. Walking through a wall is even free, still you be called insane if you tried, while nobody does when you take part in a lottery.

Reply Score: 2

RE[6]: AES-254
by galvanash on Thu 18th Aug 2011 01:23 UTC in reply to "RE[5]: AES-254"
galvanash Member since:
2006-01-25

Walking through a wall is even free, still you be called insane if you tried, while nobody does when you take part in a lottery.


I call anyone who plays the lottery insane. The lottery is a tax on people who failed high school math. Unless you are someone who does something like this:

http://www.gazettenet.com/2011/08/02/lottery-scheme-appears-to-caus...

The media makes it sounds like this is criminal or something... It should be applauded imo - finding such a flaw in what is essentially a rigged system should earn the finder a hefty payday, not accusations of criminality. The state needs to hire better mathematicians if they want to keep their system effectively rigged...

Reply Score: 2

RE[5]: AES-254
by Slambert666 on Thu 18th Aug 2011 10:35 UTC in reply to "RE[4]: AES-254"
Slambert666 Member since:
2008-10-30

The assumption is that the computing power stays constant.
If computer speed doubles every 18 months then the problem can be solved in 0.01 seconds 300 years from now, given the same amount of processing power, relatively. This is not taking into account algorithmic improvements.

Just like today we find historic ciphers like the Caesar cipher laughably easy to crack, the future will find AES256 easy to crack.

Reply Score: 1

RE[6]: AES-254
by Kebabbert on Thu 18th Aug 2011 10:45 UTC in reply to "RE[5]: AES-254"
Kebabbert Member since:
2007-07-27

The assumption is that the computing power stays constant.
If computer speed doubles every 18 months then the problem can be solved in 0.01 seconds 300 years from now, given the same amount of processing power, relatively. This is not taking into account algorithmic improvements.

Just like today we find historic ciphers like the Caesar cipher laughably easy to crack, the future will find AES256 easy to crack.

Not necessarily. Say that you need to try more combinations than there are atoms on earth to find a solution - do you really think that future will find it easy?

If you have 2^64 coins, then the pile would reach from the nearest star (alpha centauri), and back again. How far is it to the nearest star? If you could travel with light speed (300.000km/sec) it would take you 4.3 years before you arrived.

We talk about 2^128 or 2^256 which is much much much much much much much more than 2^64.

I dont think the future will find this easy.

Unless there is a mathematical breakthrough that finds the solution in a few seconds. But these problems seem to have no easy solution - the only solution is to try all combinations. But you can not be sure, maybe there is an easy solution, but we are not clever enough to spot it. But mathematicians are trying to prove that the only solution is to try every combination - which seems to be the case. However, if you find an easy solution, then you Clay institute will give you 1 million USD, and you will be world famous as one of the greatest mathematicians ever.

Google "NP-complete" for more information on this. For instance, Mine sweeper is NP-complete. Basically you need to try every possible combination - in other words, there exist no Mine Sweeper strategy that solves the game, you just need to randomly try every square. If you find a strategy that always solves the game, then you will win 1 million USD and be world famous. Google "mine sweeper np-complete" for more information.

Reply Score: 2

Really new?
by zima on Wed 17th Aug 2011 18:25 UTC
zima
Member since:
2005-07-06

I seem to remember claims of similar attacks. Maybe with the label "possible" attached, so perhaps that's one of them, analysed better; or maybe not.

Anyway, "four times easier than anticipated by experts" is really "four times easier (faster) than via brute force" - which is still not nearly fast enough to be practical, still leaves AES rather strong.

Reply Score: 1

RE: Really new?
by vaette on Thu 18th Aug 2011 11:09 UTC in reply to "Really new?"
vaette Member since:
2008-08-09

It is always very relevant when any kind of new progress is made though, since any new technique often turns out to be a stepping stone (in thought if not in practice) towards more fundamental cracks.

Notably the early Slashdot reactions when MD5 was slightly weakened in a theoretical setting were rather dismissive, but the first small steps forward quickly snowballed and left MD5 severely compromised.

Reply Score: 1

4 times?
by FunkyELF on Wed 17th Aug 2011 20:09 UTC
FunkyELF
Member since:
2006-07-26

Remind me again what extremely difficult divided by 4 is.

This small of an achievement would have happened in 2 years because of hardware anyway.

Reply Score: 2

RE: 4 times?
by Morgan on Thu 18th Aug 2011 00:09 UTC in reply to "4 times?"
Morgan Member since:
2005-06-29

At this point, it's not so much about the encryption itself being secure; we've had more or less "impossible to crack" encryption for many years now. It's all about how secure you keep the key. After all, the most secure door lock in the world is utterly useless if you leave your keychain on the front porch. The same applies to any method of securing data, be it cryptography, obfuscation or physical security.

Reply Score: 2

Twofish anyone?
by subsider34 on Thu 18th Aug 2011 04:20 UTC
subsider34
Member since:
2010-11-08

Twofish is looking more and more attractive as an alternative to AES these days.

Reply Score: 1

theoretical vs practical encryption
by unclefester on Thu 18th Aug 2011 13:56 UTC
unclefester
Member since:
2007-01-13

There is theoretical encryption and practical encryption. In reality good enough is more than adequate.

a) No one will even attempt to crack even basic encryption unless there is a relatively big incentive for doing so eg solve a major crime or obtain important military secrets.

b) Most encrypted data is only useful for a short period. This may be a few days for a terrorist bomb plot or a few years for top secret aircraft design. Virtually no secret is likely to be worth anything in 100 years.

If the effort to crack the encryption exceeds the potential value of the data then it is automatically secure. This is regardless of the actual strength of the algorithm. The CIA isn't going to spend 20 years and billions of dollars to see if there is some porn hidden on John Does's laptop.

Reply Score: 2

Alfman Member since:
2011-01-28

unclefester,

Late reply, sorry but I've been away.

A lot of posts seem to assume that a brute force approach can only attack a single key at a time. But as far as we know there may be ways of combining the effort to simultaneously brute force many AES keys with no/little extra cost.

As a simple example: finding prime numbers individually is (relatively) slow, but there are practical sieve algorithms which can test many thousands of candidates in one swoop.

Therefor the underlying assumption in the following quote (for example) may be false.


"If the effort to crack the encryption exceeds the potential value of the data then it is automatically secure. This is regardless of the actual strength of the algorithm. The CIA isn't going to spend 20 years and billions of dollars to see if there is some porn hidden on John Does's laptop."

Continuing with the fictitious numbers above, and assuming that all AES keys can be broken in parallel, then the CIA may very well find it worthwhile to spend billions of dollars (just a dent in military spending anyways) to reverse all keys of interest.


I'm not trying to make any assertions here that AES cracking is feasible, but we shouldn't assume that cracking K keys takes K times more resources than cracking a single key.

Reply Score: 2