Monday, May 01, 2006

More on AES encryption

Okay - some people have been making some rather brazen claims about the ability to crack a PDF document which uses the AES 128 bit key to encrypt the content. I am not sure if they are truly psychic (one plausible way to crack AES), but doing such using a brute force attack is probably not going to work without a bit of luck. To understand how complex AES is, let's explore how the key is derived and what it means to "break" or "crack" encryption.

The AES standard has a fixed block size of 128 bits and a key size of either 128, 192 or 256 bits. The key is expanded using Rijndael's key schedule in which most of AES calculations are done in a special finite field. Operates on a 4 x —4 array of bytes (the State) and uses four distinct steps to encrypt.

1. AddRoundKey - each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule (simple).

2. SubBytes - SubBytes is a non-linear substitution step where each byte is replaced with another according to a lookup table. In order to add non-linearity to the key, the Galois Field (GF) is used to derive the inverse function of 2 to the power of 8. This has been credited with keeping things unlinear.

3. ShiftRows - a transposition step where each row of the state is shifted cyclically a certain number of steps.

4. MixColumns - a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation. This provides diffusion in the final cipher in conjunction with ShiftRows. Each column is treated as a polynomial over GF(28) and is then multiplied modulo x4 + 1 with a fixed polynomial c(x) = 3x3 + x2 + x + 2.

The final round replaces the MixColumns stage with another instance of AddRoundKey.

To give you an idea of the complexity of the resulting decryption process, to crack a 128 bit key would take approximately 3.4 x 10^38 guesses assuming the correct key was the last one you tried. To place this in perspective, is estimated that if a DES key generator were able to discover 1 DES key per second, it would take 149 thousand-billion (149 trillion) years to crack a single 128 bit AES key. As a side note, most physicists accept that the universe is approximately 20 billion years old.

As Homer Simpson would say - "D'oh!!!".

What people who are claiming to "break" AES have to use as a metric is a methodology which is anything faster than an exhaustive search for all the keys, also referred to as a "brute force" attack. There is another type of attack methodology called a "side channel attack which does not operate on the actual cipher but on mechanisms around it. There have been two claims of success in breaking AES using side channel attacks. You should note that both of these required access to an application running on the same machine.

Anyone still feel they can get the $500 I offered for cracking the document?

17 comments:

  1. Don't quote me on this, but wouldn't a quantum computer (if one could be built) allow all 3.4 x 10^38 guesses to be performed at once.

    ReplyDelete
  2. That may be true depending upon the architecture and what kind of algorythmn one could design. Since no one is in danger of marketing one any time soon, I think that the core goals of the AES algorithm are being met. Most cryptograms are designed to make it unfeasible to crack it by brute force.

    ReplyDelete
  3. What you say is true, however, what you call brute force is actually a dictionary crack, a compendium of words and phrases. A brute force cracker, will, given time crack anything because it does not need a basis for cracking. If the password is five characters or less, a brute force crack would take less than one year on the average PC.

    However that is assuming a cracker with a great deal of money would limit themselves to 20 permutations per second and would use an average PC.

    A brute force cracker simply inputs a specific number of different letters every 1/20 of a second and tests passwords individually, one at a time, changing one letter each time.

    The only time a brute force crack will not work is when one mixes letters, numbers and symbols. Such a contingency would yield an innumerable amount of testable permutations.

    That is assuming one cannot use multiple PCs to test different permutations. In fact 20 computers working together with simple duel cores would be able to test 400 predetermined permutations per second. That means that file that took a year now takes two weeks.

    Or if you work for the government you could afford some Itanium CPUs that would cut that time in half, down to one week.

    But I'm afraid the NSA has more than 20 computers. In fact the Tordella Supercomputer Building has several floors of interlinked computers dedicated to brute force cracking, the equivalent of well over 1000 computers. using this system ones nice AES encryption can be broken in the "minutes" to "hours" range.

    That is of course assuming the NSA and America own the most powerful computer on the planet. But one should note that that may not be true.

    In short, that rar,pdf or 7z file you thought was secure really isn't, no matter how powerful your encryption is. The weakness is not in the encryption, but in the amount of tries it takes to guess most passwords.

    AES is only strong if the password that protects it, is strong as well. A complex number of letters, numbers and symbols is the best way to secure your AES encrypted document ,Also note that by starting your password with a "Z" you make a crackers job very difficult because "A" is usually the starting permutation.

    Some simple thoughts from a cracker ;)
    <>smootch<> anon

    ReplyDelete
  4. its anon again, google owns 82,000 computers. Cut that time down to .0004 seconds per passworded rar.

    Set sail for fail

    <>smootch<> anon

    ReplyDelete
  5. Knock yourself out. This was posted in 2006 and no one has broken it. I will give you a full year from today to earn the money. You don't think I would use a simple word from one of the 4 languages I speak, do you?

    (duck!!!)

    ;-)

    Duane

    ReplyDelete
  6. Oh - and I'll give you a head start. I did not set my password with a letter and definitely not with Z. This will narrow down your crack to less than one trillion trillion combination's.

    ;-)

    ReplyDelete
  7. and you can use as many zombies/PC's as you want.

    ReplyDelete
  8. Post a link to a passworded 7zip archive. Such an archive by default is protected by a 256bit AES encryption. I am willing to try it out.

    The only thing I ask is that the password is less than 5 digits and is composed of only upper case and lower case letters. That is what my above statement is based upon.

    Bring it ;)

    <>smootch<> anon

    ReplyDelete
  9. I have actually forgotten the password but here is the link to the document:

    http://www.nickull.net/blogimages/challenge.pdf

    If you can crack this within one year of today I will pay you the money ($500.00 USD). I am not going to make it easy for you though by limiting my choice of combination's to ((26 X 26) * 5) as you want. You will have to accept the challenge as written.

    You may use as many systems as you want and any algorithms you wish.

    Good luck!

    Duane

    ReplyDelete
  10. Alright sir, I accept your challenge.
    http://img171.imageshack.us/img171/8646/anonwarriorut0.png
    <>smootch<> anon

    ReplyDelete
  11. Alright, Starting crack 7:10 PM eastern time, August 1

    ReplyDelete
  12. "Don't quote me on this, but wouldn't a quantum computer (if one could be built) allow all 3.4 x 10^38 guesses to be performed at once."

    Implementing an algorithm on a quantum computer normally acts only to reduce the complexity of an algorithm, not make it instantaneous.

    For example it is true that a linear algorithm on a quantum computer often becomes order 1; however, something like breaking AES is probably considered to be, at least, big O factorial.

    The resulting improvement by implementing it on a quantum computer is to make the algorithm quadratic. While a huge improvement, it is far from being order 1.

    ReplyDelete
  13. "Don't quote me on this, but wouldn't a quantum computer (if one could be built) allow all 3.4 x 10^38 guesses to be performed at once."

    Implementing an algorithm on a quantum computer normally acts only to reduce the complexity of an algorithm, not make it instantaneous.

    For example it is true that a linear algorithm on a quantum computer often becomes order 1; however, something like breaking AES is probably considered to be, at least, big O factorial.

    The resulting improvement by implementing it on a quantum computer is to make the algorithm quadratic. While a huge improvement, it is far from being order 1.

    ReplyDelete
  14. Tyler is correct here. You could also say "technically I could crack it on an ordinary computer if it had 3.4 X 10^38 simultaneous calculations. The fact is that it would take longer than the entire time period our universe has existed for to build such a computer. At for what end? To get a $500 prize for cracking a PDF document?

    No encryption is 100% foolproof. If you take a thousand monkey hammering on a thousand keyboards, one of them could randomly enter the key.

    Note that none of the people who have threatened to crack it have updated us on their status.

    ;-)

    ReplyDelete
  15. Tyler is correct here. You could also say "technically I could crack it on an ordinary computer if it had 3.4 X 10^38 simultaneous calculations. The fact is that it would take longer than the entire time period our universe has existed for to build such a computer. At for what end? To get a $500 prize for cracking a PDF document?

    No encryption is 100% foolproof. If you take a thousand monkey hammering on a thousand keyboards, one of them could randomly enter the key.

    Note that none of the people who have threatened to crack it have updated us on their status.

    ;-)

    ReplyDelete
  16. Suppose your used an encryption program that used 128 bit AES to encrypt files.

    Then you forget the password used as the key. But you know the pw must be made from a combination of 11 letters and 7 numbers and will not be more than 11 characters long. Could you break it? And, since these are my files :-( how?

    TIA

    Thanks.

    ReplyDelete
  17. Unfortunately, you cannot get access without proving who you are. Otherwise it would defeat the purpose of encryption. While it might seem trivial, the number of combinations is staggering. 52 letters (upper + lower case) and punctuation plus number (average of another 50) means you have 102^11 which is a Very Large number.

    ReplyDelete

Do not spam this blog! Google and Yahoo DO NOT follow comment links for SEO. If you post an unrelated link advertising a company or service, you will be reported immediately for spam and your link deleted within 30 minutes. If you want to sponsor a post, please let us know by reaching out to duane dot nickull at gmail dot com.