Page 1 of 1

AES encryption vulnerable to attack

Posted: Tue Aug 23, 2011 5:29 pm
by Egaladeist
Researchers from Microsoft and the Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard (AES), the encryption algorithm used to secure most all online transactions and wireless communications.

The attack can recover an AES secret key three to five times faster than previously thought possible, reported the Katholieke Universiteit Leuven, a research university based in Belgium.

The researchers caution that the attack is complex in nature, and so cannot be easily carried out using existing technologies. In practice, the methodology used by the researchers would take billions of years of computer time to break the AES algorithm, they noted.
With this work, the "safety margin" of AES continues to erode, noted security expert Bruce Schneier. "Attacks always get better; they never get worse," he wrote, quoting an expert from the National Security Agency.

Though unwieldy to execute, the attack can be applied to all versions of AES.
http://www.techcentral.ie/article.aspx?id=17280

Re: AES encryption vulnerable to attack

Posted: Wed Aug 24, 2011 7:34 am
by SirDice
Even though the keyspace will be drastically reduced it will still take a couple of million years to crack it.

Your data is still safe ;)

Re: AES encryption vulnerable to attack

Posted: Wed Aug 24, 2011 10:19 am
by Egaladeist
If all the banks/businesses are on this Advanced Encryption Standard (AES), then how do some banks/businesses get compromised?

Re: AES encryption vulnerable to attack

Posted: Wed Aug 24, 2011 10:23 am
by SirDice
Because they're stupid enough to think that just a username/password combination is good enough to protect your bank account.

There's no Dutch bank that does this, they all use two-factor authentication. American banks however are a completely different story.

Re: AES encryption vulnerable to attack

Posted: Thu Aug 25, 2011 10:02 am
by Aspman
SirDice wrote:Because they're stupid enough to think that just a username/password combination is good enough to protect your bank account.

There's no Dutch bank that does this, they all use two-factor authentication. American banks however are a completely different story.
And the UK. No 2FA here unless it's being sold as and extra.

Re: AES encryption vulnerable to attack

Posted: Thu Aug 25, 2011 12:32 pm
by Egaladeist
I thought anything was ( reasonably ) penetrable given the right knowledge, tools, and ' preferably ' physical access?

If this Advanced Encryption Standard (AES) is so impenetrable that it would take millions of years to crack...why isn't it ' standard ' on every computer in every circumstance? Why doesn't it come ' standard ' like a DVD player and a graphics card when you purchase a computer?

I'm assuming...that AES is just encrypting passwords, and isn't a lot more complicated than that.

Re: AES encryption vulnerable to attack

Posted: Thu Aug 25, 2011 1:38 pm
by SirDice
Egaladeist wrote:I thought anything was ( reasonably ) penetrable given the right knowledge, tools, and ' preferably ' physical access?
True but it's a lot harder when you also have to crack hardware keys like we have here. They're basically code generators, you stick your bankcard in them, type your pincode. The website will offer a challenge, that challenge needs to be typed in on the 'calculator' and it will give a response. It's this response that will give you access. The challenge/response mechanism works really well and is pretty hard to beat. Not impossible but highly impractical.
If this Advanced Encryption Standard (AES) is so impenetrable that it would take millions of years to crack...why isn't it ' standard ' on every computer in every circumstance? Why doesn't it come ' standard ' like a DVD player and a graphics card when you purchase a computer?
Because data needs to be unencrypted or you won't be able to use it. If I'm not mistaken Windows Bitlocker uses it. It's not standard on all versions of Windows but on the professional ones it is.
I'm assuming...that AES is just encrypting passwords, and isn't a lot more complicated than that.
It can be used to encrypt pretty much everything, including passwords. Passwords are usually stored as a hash though. Hashes aren't 'reversible' while encryption is.

Re: AES encryption vulnerable to attack

Posted: Fri Aug 26, 2011 10:33 am
by Aspman
There will always be a problem with the nut between the keyboard and the screen

Re: AES encryption vulnerable to attack

Posted: Wed Aug 31, 2011 1:40 pm
by keezel
Aspman wrote:There will always be a problem with the nut between the keyboard and the screen
PEBCAK - problem exists between chair and keyboard :D

Re: AES encryption vulnerable to attack

Posted: Wed Aug 31, 2011 2:26 pm
by Aspman
Issues with Layer 8 in the stack