|
What is AES?
AES is short for Advanced Encryption Standard and
is a United States encryption standard defined in
Federal Information Processing Standard (FIPS) 192,
published in November 2001. It was ratified as a federal
standard in May 2002. AES is the most recent of the
four current algorithms approved for federal us in
the United States. One should not compare AES with
RSA, another standard algorithm, as RSA is a different
category of algorithm. Bulk encryption of information
itself is seldom performed with RSA.RSA is used to
transfer other encryption keys for use by AES for
example, and for digital signatures.
AES is a symmetric encryption algorithm processing
data in block of 128 bits. A bit can take the values
zero and one, in effect a binary digit with two possible
values as opposed to decimal digits, which can take
one of 10 values. Under the influence of a key, a
128-bit block is encrypted by transforming it in a
unique way into a new block of the same size. AES
is symmetric since the same key is used for encryption
and the reverse transformation, decryption. The only
secret necessary to keep for security is the key.
AES may configured to use different key-lengths, the
standard defines 3 lengths and the resulting algorithms
are named AES-128, AES-192 and AES-256 respectively
to indicate the length in bits of the key. Each additional
bit in the key effectively doubles the strength of
the algorithm, when defined as the time necessary
for an attacker to stage a brute force attack, i.e.
an exhaustive search of all possible key combinations
in order to find the right one
Some background on AES
In 1997 the US National Institute of Standards and
Technology put out a call for candidates for a replacement
for the ageing Data Encryption Standard, DES. 15 candidates
were accepted for further consideration, and after
a fully public process and three open international
conferences, the number of candidates was reduced
to five. In February 2001, the final candidate was
announced and comments were solicited. 21 organizations
and individuals submitted comments. None had any reservations
about the suggested algorithm. About AES Axantum Software
AB Svante Seleborg 2(3)
AES is founded on solid and well-published mathematical
ground, and appears to resist all known attacks well.
There’s a strong indication that in fact no back-door
or known weakness exists since it has been published
for a long time, has been the subject of intense scrutiny
by researchers all over the world, and such enormous
amounts of economic value and information is already
successfully protected by AES. There are no unknown
factors in its design, and it was developed by Dutch
researchers in Holland therefore voiding the conspiracy
theories sometimes voiced concerning an encryption
standard developed by a United States government agency.
A strong encryption algorithm need only meet only
single main criteria:
- There must be no way to find the unencrypted clear
text if the key is unknown, except brute force,
i.e. to try all possible keys until the right one
is found.
A secondary criterion must also be met:
- The number of possible keys must be so large that
it is computationally infeasible to actually stage
a successful brute force attack in short enough
a time.
The older standard, DES or Data Encryption Standard,
meets the first criterion, but no longer the secondary
one – computer speeds have caught up with it,
or soon will. AES meets both criteria in all of its
variants: AES-128, AES-192 and AES-256.
Encryption must be done properly
AES may, as all algorithms, be used in different ways
to perform encryption. Different methods are suitable
for different situations. It is vital that the correct
method is applied in the correct manner for each and
every situation, or the result may well be insecure
even if AES as such is secure. It is very easy to
implement a system using AES as its encryption algorithm,
but much more skill and experience is required to
do it in the right way for a given situation. No more
than a hammer and a saw will make anyone a good carpenter,
will AES make a system secure by itself. To describe
exactly how to apply AES for varying purposes is very
much out of scope for this short introduction.
Strong keys
Encryption with AES is based on a secret key with
128, 192 or 256 bits. But if the key is easy to guess
it doesn’t matter if AES is secure, so it is
as critically vital to use good and strong keys as
it is to apply AES properly. Creating good and strong
keys is a surprisingly difficult problem and requires
careful design when done with a computer. The challenge
is that computers are notoriously deterministic, but
what is required of a good and strong key is the opposite
– unpredictability and randomness. Keys derived
into a fixed length suitable for the encryption algorithm
from passwords or pass phrases typed by a human will
seldom correspond to 128 bits much less 256. To even
approach 128-- bit equivalence in a pass phrase, at
least 10 typical passwords of the kind frequently
used in day-today work are needed. Weak keys can be
somewhat strengthened by special techniques by adding
computationally intensive steps which increase the
amount of computation necessary to break it. The risks
of incorrect usage, implementation and weak keys are
in no way unique for AES; these are shared by all
encryption algorithms. Provided that the implementation
is correct, the security provided reduces to a relatively
simple question about how many bits the chosen key,
password or pass phrase really corresponds to. Unfortunately
this estimate is somewhat difficult to calculate,
when the key is not generated by a true random generator.
About AES Axantum Software AB Svante Seleborg
Security is relative
Security is not an absolute; it’s a relation
between time and cost. Any question about the security
of encryption should be posed in terms of how long
time, and how high cost will it take an attacker to
find a key? Currently, there are speculations that
military intelligence services possibly have the technical
and economic means to attack keys equivalent to about
90 bits, although no civilian researcher has actually
seen or reported of such a capability. Actual and
demonstrated systems today, within the bounds of a
commercial budget of about 1 million dollars can handle
key lengths of about 70 bits. An aggressive estimate
on the rate of technological progress is to assume
that technology will double the speed of computing
devices every year at an unchanged cost. If correct,
128-bit keys would be in theory be in range of a military
budget within 30-40 years. An illustration of the
current status for AES is given by the following example,
where we assume an attacker with the capability to
build or purchase a system that tries keys at the
rate of one billion keys per second. This is at least
1,000 times faster than the fasted personal computer
in 2004. Under this assumption, the attacker will
need about 10,000,000,000,000,000,000,000 years to
try all possible keys for the weakest version, AES-128.
The key length should thus be chosen after deciding
for how long security is required, and what the cost
must be to brute force a secret key. In some military
circumstances a few hours or days security is sufficient
– after that the war or the mission is completed
and the information uninteresting and without value.
In other cases a lifetime may not be long enough.
Conclusion
There is currently no evidence that AES has any weaknesses
making any attack other than exhaustive search, i.e.
brute force, possible. Even AES-128 offers a sufficiently
large number of possible keys, making an exhaustive
search impractical for many decades, provided no technological
breakthrough causes the computational power available
to increase dramatically and that theoretical research
does not find a short cut to bypass the need for exhaustive
search. There are many pitfalls to avoid when encryption
is implemented, and keys are generated. It is necessary
to ensure each and every implementations security,
but hard since it requires careful examination by
experts. An important aspect of an evaluation of any
specific implementation is to determine that such
an examination has been made, or can be conducted.
Correctly implemented AES-128 is likely to protect
against a million dollar budget for at least 50 –
60 years and against individual budgets for at least
another 10 years.
|
