How secure is AES-256 nowadays?
This topic contains 1 reply, has 2 voices, and was last updated by Tompazi 1 month, 1 week ago.
- February 18, 2020 at 1:46 am #196236
- February 18, 2020 at 3:25 am #196237
The cipher itself is still unbreakable. However, it can be used insecurely or be implemented insecurely.
A big problem for AES are side channel attacks (the article you posted is about a side-channel attack). If you can somehow observe the encryption or decryption happening on a physical level or from another program on the same machine, AES isn’t great. You don’t even need to observe the full en/decryption process, a snapshot of a state in the process is enough. The reason for this is, while AES uses a different key for each round (there are 14 rounds in AES-256), knowing one round key is enough to calculate the other round keys and the original key.
I don’t know much about physics so I can’t tell you how realistic the attack from the article is. But I’ve seen some crazy side channel attacks already, for example by having a phone close to a laptop that is doing RSA encryption and recovering the key through acoustic cryptanalysis. (https://www.youtube.com/watch?v=DU-HruI7Q30)
Side channel attacks are getting more and more relevant, but the attack surface is mostly limited.
Much bigger problems with using AES incorrectly are mostly about using the incorrect mode of operation in the wrong context. For example the ECB mode should almost never be used (I have seen a single correct and secure use of it). When using CBC or CTR mode you need to be careful, the former may be vulnerable to padding oracle attacks and both are vulnerable to bit flipping attacks. Or reusing a nonce in GCM mode. There are many other modes with advantages and disadvantages, and all (maybe with the exception of ECB mode), have their legitimate uses. A big problem is that software developers often just throw encryption on their software without understanding it and think they are secure.
Or simply logical errors, for example an application that does transaction, and you “correctly” encrypt the transactions. Let’s say the transaction says “Alice sends $100 to Bob”. It’s encrypted, so we can’t edit it, but what if the developers forgot to deal with duplicates? Now Bob could copy the encrypted transaction and submit it again and again to steal all of Alice’s money. In this case the encryption did nothing to protect the transaction.
When dealing with AES you almost never break the cipher (ie guessing the key). If the key was chosen randomly, it’s impossible. You break the stuff around the cipher, thus making the cipher ineffective.
- February 18, 2020 at 10:23 am #196238
Presuming that AES-256 has been **properly implemented** then as far as I know, it’s virtually impossible to crack the ciphertext in any feasible time scale? Cryptographic breaks do exist, but I read somewhere that even using a cryptographic break, it would still take longer than the length of time that the universe has existed for, in order to crack it… so, pretty secure I guess? Although it certainly can’t hurt to use AES with a 512-bit key implemented instead!
I know side-channel attacks exist within AES.. but I think they only affect certain implementations, so, as I said, provided it’s been properly implemented, there should not be any issues regarding the safety of the cipher.
You must be logged in to reply to this topic.