AES encryption is cracked

AES encryption is cracked

www.theinquirer.net

CRYPTOGRAPHY RESEARCHERS have identified a weakness in the Advanced Encryption Standard (AES) security algorithm that can crack secret keys faster than before.
The crack is the work of a trio of researchers at universities and Microsoft, and involved a lot of cryptanalysis - which is somewhat reassuring - and still does not present much of a real security threat.

(visit the link for the full news article)


Related News Links:
en.wikipedia.org

The Advanced Encryption Standard (AES) is a symmetric-key encryption standard.

More importantly, it is the method by which much of secure information is moved in cyberspace.

It is reassuring that it would take enormous computing power to resolve (break) the information encrypted using AES; it is also important to recall that almost every year, potential 'personal' computing power increases by an order of magnitude.

I think it will be a very costly and dire issue, when we come tot he conclusion that our standard of encryption must be completely overhauled.... and that day is approaching much faster than many would like.

A bit on the technical side, but this one has potential to be 'overlooked' until it's a crisis.

"The result is the first theoretical break of the Advanced Encryption Standard - the de facto worldwide encryption standard," he explained. "Cryptologists have been working hard on this challenge but with only limited progress so far: 7 out of 10 for AES-128 as well as 8 out of 12 for AES-192 and 8 out of 14 rounds for AES-256 were previously attacked. So our attack is the first result on the full AES algorithm."

Bogdanov added that the crack works on all versions of AES and dispelled some myths about the technology as well.

As with all things technological, you can be sure the supercomputers of the intelligence services around the world have and can crack this.... especially if it is true they have installed 'back-door' means of access (such rumors have surfaced from time to time.)

www.theinquirer.net
(visit the link for the full news article)

I always assume that once we are allowed an encryption algorithm, it is breakable, just not by the layman on the street though, Amazon EC2 platform and other computing power Utility services is a game changer nowdays though, and even then people can run a farm of FPGA's (can be 10x faster than a GPU).

Still you have to ask who you are protecting your data from, most of the time that is the average jane or joe on the street, and those theives like Anon and Lulzsec.

If you want to protect it from governments, well then you don't use AES lol, most likely you will chain up a few different algorithms and different keyfiles (for example ATM's used 3DES, triple DES, thats 3 chained up DESs)

and still does not present much of a real security threat.

I for one don't use single cipher encryption.. I always combine AES256 with something else .. I don't see that being an issue for anyone any time soon.. and as it says even the standard single AES issue isn't much of a threat .

The reason it's probably not a threat is because it took all that effort by major groups to break it .. unless the method is released it's not likely the average joe hacker is going to crack it.. but again.. use more than one method combined and you're pretty secure.

I'd like to see someone pop the wiki cables file now.. I wonder if this is why the effort to break AES came about? apparently that wikileaks file is only using AES256 .. a single encryption rather than a combination.

Trying to brute force an AES password even with the most powerful computers around today would take many life times.. assuming you have a strong enough key.. the weakness I'm sure allows them to skip brute forcing .. but if you're using multiple encryptions chained then you don't have much to worry about.

reply to post by JennaDarling


Truthfully, we are never going to be able to outsmart ourselves... it seems silly to keep trying. The best security is compartmentalization and one-time encryption transpositions. Eventually though, unless we start speaking a different language, anything can be deciphered, given enough time.

Truecrypt.org

use it, do all your HD's too.

Very good program, be grateful for it.

This is interesting however not surprising, Cisco actually acknowledge the fact they insert back doors into their software.

If you want an unbreakable encryption standard then be smart enough to design it yourself, or more realistically don't have any to hide on a computer.

Interesting news though, S+F

Originally posted by miniatus

and still does not present much of a real security threat.

.....

I'd like to see someone pop the wiki cables file now.. I wonder if this is why the effort to break AES came about? apparently that wikileaks file is only using AES256 .. a single encryption rather than a combination.

Nice!

Give that man a door-prize! But the real twist is that saying so would be an admission that they couldn't break it in the first place.... I think some could, some couldn't, and now some will.

reply to post by Death_Kron


I had hear as much as well. Actually that, and more. One day that thread will unravel; and it won't be easy to fix either!

Originally posted by JennaDarling
Truecrypt.org

use it, do all your HD's too.

Very good program, be grateful for it.

Truecrypt also supports encryption chaining so it's very secure.. you can also encrypt your system drive with it so the only thing un-encrypted is the bootloader which requires you to enter your password to mount the volume.. it's a beautiful thing..

I use it on my laptop incase my laptop is ever stolen, then I don't have to worry about my data being used for identity theft or anything like that.. it's just very important that you completely shut down the system when not in use or else that's pretty useless.

Originally posted by miniatus

Originally posted by JennaDarling
Truecrypt.org

use it, do all your HD's too.

Very good program, be grateful for it.

Truecrypt also supports encryption chaining so it's very secure.. you can also encrypt your system drive with it so the only thing un-encrypted is the bootloader which requires you to enter your password to mount the volume.. it's a beautiful thing..

I use it on my laptop incase my laptop is ever stolen, then I don't have to worry about my data being used for identity theft or anything like that.. it's just very important that you completely shut down the system when not in use or else that's pretty useless.

I have used it every since the day the police took my computer and I had to get TWO embassies involved lol.

I have mine set to show "NTLDR is missing" when I boot up
If asked I can say oh i was installing wiindows on it, then show them the box lol

I know it has hidden systems for plausable deniability, but I CBA with redoing it lol.



Truecrypt does have chained up algorithms, but only predefined once, it would be nicer if I could plug in algorithms and make my own custom chains.

Perhaps I should suggest that to em.

reply to post by JennaDarling


My laptop is set to just not show any prompt.. it shows the cd drive being checked and then just sits there.. no blinking cursor, no nothing.. so it looks like the system is just dead.. I figure if a thief got hold of it, they'd probably just either trash it at that point or format it and reinstall windows on it.. which is fine by me.. it's my personal information I'm trying to protect.. I see too many articles about laptops being stolen and dumb thieves getting there photos taken remotely because they don't know what they are doing.. I figure the encryption will protect me nicely against those kinds of people.

Originally posted by miniatus
reply to post by JennaDarling

 

My laptop is set to just not show any prompt.. it shows the cd drive being checked and then just sits there.. no blinking cursor, no nothing.. so it looks like the system is just dead.. I figure if a thief got hold of it, they'd probably just either trash it at that point or format it and reinstall windows on it.. which is fine by me.. it's my personal information I'm trying to protect.. I see too many articles about laptops being stolen and dumb thieves getting there photos taken remotely because they don't know what they are doing.. I figure the encryption will protect me nicely against those kinds of people.

When windows is trashed it shows "NTLDR is missing" usually on booting.

Makes that claim a little better.

Don't forget it is a game of psychology, so you want to STEER their thoughts to that possibility, thats why you show a message most people know when windows is trashed, and that is "NTLDR is missing"

Basically you are PLANTING a thought into their mind.

Most law enforcement pull the HD out and NEVER boot the computer (incase it self destructs the HD on booting without a key etc), or they can COLD recover by freezing it to slow the rate of the memory decay to get the password in memory.

They usually browse the HD offline in read only mode, to be safe.

They probably could check the preamble or fingerprint of the drive or the boot loader and see its TC being run.

Originally posted by Maxmars
reply to post by Death_Kron

 

I had hear as much as well. Actually that, and more. One day that thread will unravel; and it won't be easy to fix either!

It's actually pathetically easy to break into any Cisco device if you have physical access, lots of other ways though

Wasn't this how the wikileaks files were encrypted?

Originally posted by GogoVicMorrow
Wasn't this how the wikileaks files were encrypted?

I pointed that out above.. but yes, AES256 was the method for the BIG file they put out .. I'm willing to bet if an AES vulnerability is known to us now, the govt. already knows what is in that file.

I want to point out about this article though that it says this only speeds the cracking process up by 4 times... the key I use in my AES encryption ( using tools online to estimate ) would take so many years I don't even know what a word is for that measurement..(something something...illion) and that was an estimate based on the current fastest known super computer.. divide that by 4 and it's still not within anyone's life time, by far..

SO

If you have a strong encryption key ( as in a mixture of alpha numerics, upper and lower case, as well as symbols or non-ascii characters ) .. you're probably not at any risk from this weakness.. and given that, I doubt the wiki-cables are at any risk either..

Of course if you used your dog's name, your mom's name.. your birthday .. or your social security number, you deserve your data stolen.

"To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key," the Leuven University researcher added. "Because of these huge complexities, the attack has no practical implications on the security of user data." Andrey Bogdanov told The INQUIRER that a "practical" AES crack is still far off but added that the work uncovered more about the standard than was known before.

"Indeed, we are even not close to a practical break of AES at the moment. However, our results do shed some light into the internal structure of AES and indicate where some limits of the AES design are," he said.

reply to post by miniatus


My AES256 encryption password is a 63-character random ASCII. It was said that it would take billions of years to try to crack that kind of a password. Good luck.

Originally posted by _BoneZ_
reply to post by miniatus

 

My AES256 encryption password is a 63-character random ASCII. It was said that it would take billions of years to try to crack that kind of a password. Good luck.

You don't actually believe that do you? The only form of encryption that cannot be broken is hardware driven bulk encryption.

Originally posted by BIGPoJo

Originally posted by _BoneZ_
reply to post by miniatus

 

My AES256 encryption password is a 63-character random ASCII. It was said that it would take billions of years to try to crack that kind of a password. Good luck.

You don't actually believe that do you? The only form of encryption that cannot be broken is hardware driven bulk encryption.

You mean like Seagate HARDWARE AES encrypted 2.5" momentus drives?