Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Research Cracks AES Keys 3-5x Faster

Posted by Unknown on from the before-the-heat-death-of-the-universe dept.

Landing his first accepted submission, qpgmr writes "AES, generally thought to be the gold standard for encryption, is showing weaknesses. From Computerworld: 'Researchers from Microsoft and the [Belgian] Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard, the encryption algorithm used to secure most all online transactions and wireless communications.'" The full paper has lots of details. Note that it would still take a few billion years with current computers to actually break anything, but there may be further vunerabilities yet to be discovered.

25 of 176 comments (clear)

  1. Correction by CharlyFoxtrot · · Score: 5, Informative

    The Katholieke Universiteit Leuven (KUL) is a Belgian, specifically Flemish, university not Dutch.

    --
    If all else fails, immortality can always be assured by spectacular error.
    1. Re:Correction by CharlyFoxtrot · · Score: 3, Funny

      Cool, the mods changed the summary. Since the error was in TFA this means we are in the historically nearly unprecedented situation of having a summary that's more correct than TFA ;-)
      (What I meant to say is, good job.)

      --
      If all else fails, immortality can always be assured by spectacular error.
  2. Re:"current computers" by SquirrelDeth · · Score: 3, Insightful

    Or it would only take a year with a few billion computers.

  3. Re:"current computers" by Nialin · · Score: 5, Funny

    No, they just use Keyloggers.

  4. That's some mighty fine print you got there... by geekmux · · Score: 4, Interesting

    "New Research Cracks AES Keys 3-5x Faster"

    (the fine print)

    "it would still take a few billion years with current computers to actually break anything.."

    1. Re:That's some mighty fine print you got there... by FuzzyDaddy · · Score: 4, Interesting

      Or "New attack reduces 256 bit key strength by two bits"

      --
      It's not wasting time, I'm educating myself.
    2. Re:That's some mighty fine print you got there... by doublebackslash · · Score: 2

      http://everything2.com/user/dogganos/writeups/Thermodynamics+limits+on+cryptanalysis

      Who cares about Moore's law. Read that.

      Now it STILL might get broken. Attacks better than brute force are always the largest threat. However nobody need worry about the brute force computer to break their codes. Not even quantum computers help here, by the way. See Grovers Algorithm. Preview: "Grover's algorithm is a quantum algorithm for searching an unsorted database with N entries in O(N1/2) time and using O(log N) storage space" Not so good.

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    3. Re:That's some mighty fine print you got there... by Bengie · · Score: 2

      Yeah, my cousin took an advanced cryptography class for CS, and his teacher ran the math on brute forcing a 256bit key with the theoretical physical minimum amount of energy required with ultra-advanced technology, on average would consume more usable energy than there is in the MilkyWay.

      Brute forcing is out of the question for sure, unless we start to consume galaxies for energy.

      Unfortunately, AES isn't perfect, and it's effective strength is much lower than 256bit. The 3-5x reduction might be enough to bring it near the realm of practical with enough money.

    4. Re:That's some mighty fine print you got there... by kelemvor4 · · Score: 2

      That's weak, you need at least 1Gigabit key strength to protect your emails. Man up.

    5. Re:That's some mighty fine print you got there... by Anonymous Coward · · Score: 4, Informative

      E=MC^2 you fucking retard

    6. Re:That's some mighty fine print you got there... by 0123456 · · Score: 3, Informative

      Lets say it takes 2 billion years to crack 1 key.

      Two billion years? At a billion keys per second I make it around 10^60 years to brute-force a 256-bit key. Use a billion gigakey crackers and you'd still take 10^50 years.

      That was the whole point of picking a 256-bit key. It's not crackable by brute force using conventional computers even in theory until you control most of the mass of the universe.

      Any AES-256 crack will be based on algorithmic flaws or quantum cryptography, not brute-force with conventional computers.

    7. Re:That's some mighty fine print you got there... by Baloroth · · Score: 2

      Reversible Computing

      It could theoretically overcome the limits of thermodynamics on computers. Basically, AFAICT it requires us to (nearly) perfectly observe the computer so that we could reverse any changes that take place in the system, so they would generate very, very little entropy (limited by how well we could build them.) Essentially, they can reuse any energy already used in computation with a very low degree of loss. Also, you might want to look at "Adiabatic quantum computation". Essentially this low-entropy system, but with quantum computers (so faster at brute-forcing).

      Regardless, the point of TFA is that AES isn't perfectly secure, so strict brute-forcing isn't necessary. And we have no real evidence that the construction of a perfect system is possible. Nor, for that matter, that P!=NP, which is a more or less essential assumption in public-key cryptography. If it isn't, then as the key size grows, time to brute-force increases linearly, not exponentially as we think it does. It might be entirely possible that a new mathematical system could calculate a 256-bit key in hours, instead of billions of years. Doubtful, but no one really knows.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    8. Re:That's some mighty fine print you got there... by Skarecrow77 · · Score: 2

      I use 1.21 jiga-bit flux encryption.

      As soon as I think up something that I need to encrypt, I bang my head into the sink until I forget it, confident that I'll come back in time from the future (or send a suitable representative in a life vest) to remind myself what it is I wanted encrypted when I need the information.

    9. Re:That's some mighty fine print you got there... by zebslash · · Score: 2

      I learned from *MY* CS teachers back in the 90s that all cryptography is crackable given enough time.

      Well, they forgot to teach you about the one-time pad.

    10. Re:That's some mighty fine print you got there... by Twylite · · Score: 2

      There is an existing key schedule attack against AES-256 (attack complexity 2^119) and AES-192 (complexity 2^176). The existing attack is a related-key attack, and some modes of operation (e.g. XTS as used by TrueCrypt) are not vulnerable to it.

      The big deal about this paper is that it (a) operates in a single-key model, rather than requiring a related-key; and (b) is the first attack against full round AES-128.

      The reason that AES remains a better choice than serpent or twofish is precisely because this sort of cryptanalysis is going on - we gain more knowledge about the weak points of AES and higher confidence in exactly what security strength it offers. Ciphers with less rigorous study may just be offering the appearance of security because we know less about their weaknesses.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  5. Bruce Schneier's take by condition-label-red · · Score: 4, Informative

    linky...

    --
    Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
    1. Re:Bruce Schneier's take by Yaur · · Score: 2

      one time pad

  6. The AES-128 "crack" requires 2^88 bytes of storage by yeremein · · Score: 2

    To put that number in perspective, it would take a stack of 4GB hard drives extending past the orbit of Saturn...

  7. Re:"current computers" by DragonTHC · · Score: 4, Funny

    you mean our equipment?

    it's widely known that the NSA uses all known operating systems for distributing computing tasks.

    So every windows computer connected to the Internet will accept NSA task packets and compute them and send them back. It does this seamlessly though so the user never sees anything. They built it into the TCP/IP stack. It just becomes easier with windows and even Linux. (SELinux anyone?)

    --
    They're using their grammar skills there.
  8. Re:512 bit or more? by Entrope · · Score: 2

    It is usually not practical to pick "a simpler, more elegant math algorithm" because those are easy -- or at least easier -- to break. As someone mentioned up-thread, and as Bruce Schneier likes to remind us, attacks tend to get better over time -- they never get worse.

    Modern cryptosystems are carefully tuned to resist a lot of clever attacks. Probably every stage in every (credibly) proposed encryption scheme has been closely examined by very smart people to understand its behavior and look for weaknesses. Existing systems have very elegant structures that are simple in most respects, but they are complicated in certain ways because consistently simple designs are much easier to exploit.

    (As a further complicating factor, using a longer key generally requires using more internal state and more rounds. You might -- or might not -- be able to double the block size, but to move from 128-bit to 256-bit keys, you are very likely to need to increase your cipher from [say] 8 rounds to 12. This means at least a 50% increase in execution time for the same amount of data, and possibly more. If the increased size bumps your S-boxes, state and code out of L1 cache, it will be much worse. If you cannot double the block size, but need to double your internal state size for the larger key, that will add another doubling of execution time.)

  9. Re:"current computers" by shaitand · · Score: 3, Informative

    An interesting observation. Though it is dampened by the fact that brute forcing encryption is pretty much the poster child of an application that lends itself well to parallel processing.

  10. Re:The AES-128 "crack" requires 2^88 bytes of stor by flonker · · Score: 4, Funny

    The NSA called. They deny that any such data center exists.

  11. Re:"current computers" by dido · · Score: 4, Informative

    No. To crack AES-128 the attack still requires work of the order of 2^126.1. A machine capable of cracking a 56-bit DES key in a second might be built for about US$5B, going by the price of the COPACABANA FPGA-based DES cracker (US$10,000 for a machine that can crack 56-bit keys in 6 days). Such a machine would take 140 trillion years to crack AES-128 by brute force, or 38 trillion years to crack AES-128 using the algorithm. If you had 38 trillion of these machines you could conceivably crack an AES-128 password in a year. But to give you some idea of how big 38 trillion is, if each of these 38 trillion machines could be made to fit in a 1U server box, the rack would be just over 1.672e8 km high, just a bit over one astronomical unit. You could build a bridge from the earth to the sun with that. If you spread that many machines out, they'd cover 8,892,000 square kilometers, which is more than the total area of the lower 48 states of the US, and you'd have enough machines left over to pave over just about half of Alaska. If they ran at 100 W each, the project would require 3.3288e16 kWh of energy, or 1.2e23 joules, about a thousand times more than the world's annual energy consumption.

    For 256-bit keys the problem is even worse. The algorithm has a complexity of 2^254.4. The energy requirement of that staggering number, assuming a computer able to operate at the von Neumann-Landauer limit of ln(2)kT energy per bit flip, running at a temperature of 2.7 K, would require a staggering 1.24e54 J of energy, about the equivalent of 10 billion supernovas, or about a thousandth of the total mass-energy of the Milky Way Galaxy.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  12. Broken by Microsoft?? by AftanGustur · · Score: 3, Informative

    If you choose to believe some of the articles, it was Microsoft who "broke" this encryption algorithm.

    However, if you read the actual research paper the first page explicitly explains the relation between Microsoft and the researchers as "The authors were visiting Microsoft Research Redmond while working on these results."

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  13. Re:"current computers" by gmueckl · · Score: 2

    What do you mean by "known to be secure"? Do you mean that nobody knows how to break it or that there is a formal proof that no shortcuts for brute force attacks exist?

    --
    http://www.moonlight3d.eu/