Researchers identify first flaws in the Advanced Encryption Standard

Help Net Security ^ | 17 August 2011

[ShadowAce]

[Lazamataz]

I already cracked this standard.

I don't bother with computers; I used pencil, paper and a slide rule.

[ShadowAce]

Hmm—then I’ll have to find something stronger.....

[no-to-illegals]

A better idea, Laz. Could you share? The post is what tells me you have the better idea. What encryption are you using to post? I never could get my pencil, paper, and slide rule to work by causing a computer post.

[icanhasbailout]

If you found a serious flaw in AES (or any other encryption system commonly believed to be secure), the financial incentive to keep it secret would be enormous.

[no-to-illegals]

I think Laz is about to declare April Fools. Only this time Laz is early or late. One or the other.

[ShadowAce]

Or both

[cartan]

They just made the keyspace two bits smaller. That in itself is not such a big deal; however, once such a flaw has been found in a cipher, others, more serious ones usually follow in short order. So, we better get ready to find a decent replacement.

[no-to-illegals]

That both part is the part to watch out for ... (imho) though Laz did utilize three to create four. Not sure what that means exactly but perhaps Laz will explain.

[ThunderSleeps]

To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.

Note that large corporations are believed to have millions of machines, and current machines can only test 10 million keys per second.

So, all we need is a million times more computers than we already have, and they have to be 100 times faster than what we have now. Then all it will take is about 2 billion years to crack a single key? Dang, time to start working on a replacement for AES. I could probably get some porkus money to do that - it'd be about as useless as every other rat-hole our money has been poured down by that ...

[for-q-clinton]

Microsoft research has some smart people working for them.

[RayChuang88]

They’ll just bump everything up to 256-bit AES—which would be just about impossible to break.

[glorgau]

Even if the algorithm is good, there may still be flaws in the implementation. The bid example this year was crypt_blowfish - the popular open source library used in implementation for the last 13 years turns out to have been only using every 4th character of a given password when creating hashes of said password. The fix turned out to be changing a simple cast of a char (which is default a signed integer) to an unsigned integer.

The flaw was out there for 13 years and nobody noticed!

[ArrogantBustard]

I cracked the standard by waterboarding the poor bastard who knows the key ...

[ShadowAce]

They’ll just bump everything up to 256-bit AES—which would be just about impossible to break.

It depends on the flaw itself. For a brute-force break, you are correct. However, if the flaw involves an algorithm to break it, then just upping the bits may not be enough.

[no-to-illegals]

Has the attack location been pinpointed or is it multiple, which is usually the case. Witnessed an attack the other day on me, and I was surprised because I am a nobody. My being attacked was a dos. Multiple locations, multiple isps.

[dayglored]

> I cracked the standard by waterboarding the poor bastard who knows the key ...

And THAT is the weakness in ANY encryption.

1. If he's near you, beat the crap out of the guy with the password. OR

2. If he's at a distance, send him email phishing for it, with a sufficiently tempting hook.

Cracking AES is mathematically interesting, but the people who are actually interesting in GETTING YOUR DATA, foolish. Compared to the two simple methods above, it's silly.

[dayglored]

> Cracking AES is mathematically interesting, but for the people who are actually interesting in GETTING YOUR DATA, foolish. Compared to the two simple methods above, it's silly.

Fixed it.

[cartan]

The problem with that approach is that in many cases, you would like to listen in on conversations without them noticing.