
Has the advanced encryption standard been broken or weakened?

Dan Raywood, news editor, SC Magazine

Research emerged last week that claimed that the Advanced Encryption Standard (AES) was ‘broken’.

The cryptanalysis project, carried out by Andrey Bogdanov (from the Katholieke Universiteit Leuven in Belgium, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research) and Christian Rechberger (ENS Paris, visiting Microsoft Research) found a ‘clever’ new attack that can recover a secret key four times more easily than originally anticipated by experts.

According to the research, weaknesses were identified in 2009 when AES was used to encrypt data under four keys that are related in a way controlled by an attacker. It found that while this attack was more intriguing from a mathematical point of view, what was interesting was that the attack applies to all versions of AES even if it is used with a single key.

The research also claimed that finding an AES key is four times easier than previously believed, yet the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an eight followed by 37 zeroes.

It said: “To put this into perspective: on a trillion machines that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”

Therefore, the research found that because of these huge complexities, ‘the attack has no practical implications on the security of user data’. However, the researchers felt that the flaw was significant enough to publicise, as it was the most critical that has been found in the widely used AES algorithm; this was also confirmed by the designers.

The research created plenty of conversation online, as researcher Dan Kaminsky called it ‘excellent’, but said that there is ‘a serious language gap between press and cryptographers that needs to be addressed’.

The story on this research by the IT news website The Register claimed that there was concern over the use of the word ‘broken’, as in cryptography the term applies to the result of any attack that is faster than brute force, and here, ‘AES may not be completely broken, but it's broken nonetheless’.

The AES algorithm is used worldwide to protect internet banking sessions, wireless communications and data on hard disks. AES has been standardised by the National Institute of Standards and Technology (NIST), the ISO and IEEE and has been approved by the US National Security Agency (NSA) for protecting top-secret information.

The claims that AES is broken are rather extreme, but the research shows that there is a distinct flaw in AES by way of a sophisticated attack vector and this can be latched onto by hackers.
