AES has been hacked! The sky is falling, the sky is falling!

Published On August 18, 2011 | By Randy Sabett | Data Security

While the headline was a bit of FUD to get you to read this, it is true that a team of Microsoft and Dutch researchers has released a report detailing a theoretical attack on the Advanced Encryption Standard (AES). The attack, to be presented at ASIACRYPT 2011 in early December, uses a complex process known as biclique analysis, which advances a technique that originally targeted just hashing algorithms.

NIST originally commissioned AES in a 1997 competition that resulted in fifteen candidate algorithms. Based on research within the crypto community, NIST further downselected to five candidates – MARS, RC6, Rijndael, Serpent and Twofish. NIST ultimately accepted Rijndael as the Advanced Encryption Standard. The stated goal during the competition was to specify “an encryption algorithm(s) capable of protecting sensitive government information well into the next century.” This latest research, while not viewed as a major vulnerability, is still a chink in what was originally thought to be a highly secure algorithm. According to published reports, Joan Daemen and Vincent Rijmen (who created AES) have acknowledged the validity of this attack.

AES, specified in Federal Information Processing Standard (FIPS) 197, has been adopted by the U.S. Government and many corporate entities for securing highly sensitive information.  In particular, NSA has specified AES as part of its Suite B cryptography framework.  Under Suite B, AES with 128-bit keys can be used to secure information up to the SECRET level and AES with 256-bit keys can be used to secure information up to the TOP SECRET level.  This latest attack could call those key lengths into question.  For those entities that have deployed AES, a review of their implementation might be appropriate.  If increasing key length isn’t possible, other compensating controls might be in order.  As Bruce Schneier pointed out in his coverage (quoting an NSA source), “[a]ttacks always get better; they never get worse.”

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.