Has the advanced encryption standard been broken or weakened?
Dan Raywood, news editor, SC Magazine
Research emerged last week claiming that the Advanced Encryption Standard (AES) was ‘broken’.
The cryptanalysis project, carried out by Andrey Bogdanov (from the Katholieke Universiteit Leuven in Belgium, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research) and Christian Rechberger (ENS Paris, visiting Microsoft Research), found a ‘clever’ new attack that can recover a secret key four times more easily than originally anticipated by experts.
According to the research, weaknesses were identified in 2009 when AES was used to encrypt data under four keys that are related in a way controlled by an attacker. It found that while this attack was more intriguing from a mathematical point of view, what was interesting was that the attack applies to all versions of AES, even if it is used with a single key.
The research also claimed that finding an AES key is four times easier than previously believed, yet the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an eight followed by 37 zeroes.
It said: “To put this into perspective: on a trillion machines that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”
Therefore, the research found that because of these huge complexities, ‘the attack has no practical implications on the security of user data’. However, the researchers felt that the flaw was significant enough to publicise, as it was the most critical that has been found in the widely used AES algorithm; this was also confirmed by the designers.
The research created plenty of conversation online: researcher Dan Kaminsky called it ‘excellent’, but said that there is ‘a serious language gap between press and cryptographers that needs to be addressed’.
The story on this research by the IT news website The Register claimed that there was concern over the use of the word ‘broken’, as in cryptography this term applies to any attack that is faster than brute force, and here, ‘AES may not be completely broken, but it's broken nonetheless’.
The AES algorithm is used worldwide to protect internet banking sessions, wireless communications and data on hard disks. AES has been standardised by the National Institute of Standards and Technology (NIST), the ISO and IEEE and has been approved by the US National Security Agency (NSA) for protecting top-secret information.
The claims that AES is broken are rather extreme, but the research shows that there is a distinct flaw in AES by way of a sophisticated attack vector, and this can be latched onto by hackers.