How secure is AES against brute force attacks?

Mohit Arora, Sr. Systems Engineer & Security Architect, Freescale Semiconductor

5/7/2012 1:29 PM EDT

In the world of embedded and computer security, one of the often debated topics is whether a 128-bit symmetric key, as used for AES (Advanced Encryption Standard), is computationally secure against brute-force attack. Governments and businesses place a great deal of faith in the belief that AES is so secure that its security key can never be broken, despite some of the inherent flaws in AES.

This article describes the strength of the cryptographic system against brute force attacks with different key sizes and the time it takes to successfully mount a brute force attack, factoring in future advancements in processing speeds.

Any cryptographic algorithm requires a multi-bit key to encrypt the data, as shown in Figure 1.

Figure 1: Multi-bit key to encrypt data using cryptographic algorithm

The key length used in the encryption determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones.

A brute-force attack involves systematically checking all possible key combinations until the correct key is found. It is one way to attack when it is not possible to take advantage of other weaknesses in an encryption system.

Here is an example of a brute force attack on a 4-bit key:

Figure 2: Brute Force attack on 4-bit key

As shown, it will take a maximum of 16 rounds to check every possible key combination starting with "0000." Given sufficient time, a brute force attack is capable of cracking any known algorithm.

The following table shows the possible number of key combinations with respect to key size:

Figure 3: Key combinations versus Key size

Notice the exponential increase in possible combinations as the key size increases. DES is a symmetric cryptographic algorithm with a key size of 56 bits that has been cracked in the past using brute force attack.

There is also a physical argument that a 128-bit symmetric key is computationally secure against brute-force attack. Just consider the following:

Fastest supercomputer (as per Wikipedia): 10.51 Petaflops = 10.51 x 10^15 Flops [Flops = Floating point operations per second]

No. of Flops required per combination check: 1000 (very optimistic but just assume for now)

No. of combination checks per second = (10.51 x 10^15) / 1000 = 10.51 x 10^12

No. of seconds in one Year = 365 x 24 x 60 x 60 = 31536000

No. of Years to crack AES with 128-bit Key = (3.4 x 10^38) / [(10.51 x 10^12) x 31536000]
                = (0.323 x 10^26) / 31536000
                = 1.02 x 10^18
                = 1 billion billion years

Figure 4: Time to crack Cryptographic Key versus Key size

As shown above, even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using brute force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.

There are more interesting examples. The following snippet is a snapshot of one of the technical papers from Seagate, titled "128-bit versus 256-bit AES encryption," explaining why 128-bit AES is sufficient to meet future needs.

If you assume:

  • Every person on the planet owns 10 computers.
  • There are 7 billion people on the planet.
  • Each of these computers can test 1 billion key combinations per second.
  • On average, you can crack the key after testing 50% of the possibilities.

Then the earth's population can crack one encryption key in 77,000,000,000,000,000,000,000,000 years!

The bottom line is that if AES could be compromised, the world would come to a standstill. The difference between cracking the AES-128 algorithm and AES-256 algorithm is considered minimal. Whatever breakthrough might crack 128-bit will probably also crack 256-bit.

In the end, AES has never been cracked and is safe against any brute force attacks, contrary to belief and arguments. However, the key size used for encryption should always be large enough that it cannot be cracked by modern computers, even when advancements in processor speeds based on Moore's law are taken into account.
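The supercomputer calculation and the Moore's law remark above can be reproduced and extended to other key sizes with the following added example (not part of the original article). The 1.5-year doubling period and the function names are assumptions made for illustration; the rate of 10.51 x 10^12 checks per second is the article's own.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60      # 31,536,000, as in the article
ARTICLE_RATE = 10.51e15 / 1000             # keys/s: 10.51 petaflops, 1000 flops per key


def years_to_exhaust(key_bits, keys_per_second):
    """Worst-case years to test all 2**key_bits keys at a constant rate."""
    return (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR


def years_with_growth(key_bits, keys_per_second, doubling_years):
    """Worst-case years when the test rate doubles every `doubling_years`.

    Keys tested by year t are r0*T/ln2 * (2**(t/T) - 1); setting that equal
    to N = 2**key_bits gives t = T * log2(1 + N*ln2 / (r0*T)).
    """
    n = 2 ** key_bits
    r0 = keys_per_second * SECONDS_PER_YEAR   # keys per year today
    return doubling_years * math.log2(1 + n * math.log(2) / (r0 * doubling_years))


def table(rate=ARTICLE_RATE, doubling_years=1.5):   # 1.5 years is an assumption
    """(bits, keys, constant-rate years, growing-rate years) per key size."""
    return [(b, 2 ** b, years_to_exhaust(b, rate),
             years_with_growth(b, rate, doubling_years))
            for b in (56, 128, 192, 256)]


if __name__ == "__main__":
    for bits, keys, flat, grow in table():
        print(f"{bits:>3}-bit  {keys:.2e} keys  {flat:.2e} y constant  {grow:7.1f} y doubling")
    # The article's other thought experiment: a machine that exhausts DES in 1 s.
    print(f"DES-in-1s machine on AES-128: {years_to_exhaust(128, 2 ** 56):.3e} years")
```

The growing-rate column assumes the doubling continues uninterrupted for the whole period, which is a modelling assumption rather than a forecast. Under it, every additional key bit adds exactly one doubling period to the worst-case time, which is a practical way to relate key length to how long data must stay protected.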

About the author
Mohit Arora (mohit.arora@freescale.com) is a Sr. Systems engineer and Security Architect at Freescale Semiconductor. He is responsible for product and architecture definition for 32-bit industrial and general-purpose parts. "Embedded Security" is one of his main expertise and focus areas and he also leads the Security IP Asset team in AISG (Automotive Industrial and Solution Group). He holds more than 35 publications and is also the author of the book "The Art of Hardware Architecture."






Luis Sanchez

5/14/2012 2:45 AM EDT

This is quite interesting! This article is talking about a brute force attack; however, there can be other kinds of attacks, more sophisticated and with higher complexity algorithms. The next link, http://www.computerworld.com/s/article/9219297/AES_proved_vulnerable_by_Microsoft_researchers, belongs to an article in which a pair of scientists doing research in Microsoft facilities discovered a way to crack the AES encryption 3 to 5 times faster. Still, this seems to be actually hypothetical since, even so, they'd still need billions of years to actually decode the key.
However, all this makes us realize that it is a thing of time and the progress of technology. Today's supercomputer's power will become tomorrow's laptop's power.




Mohit.arora

5/14/2012 8:46 AM EDT

Thanks. To be able to do anything meaningful, encryption has to be way, way faster. Microsoft may be doing it to support decryption of past smaller key size AES (i.e. 64 bits). It may be similar to what the NSA came up with recently, setting up a huge facility with an army of supercomputers to reduce decryption time.

http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/

Now what is being suspected is that the NSA may have been recording past encrypted data for a long time, and now it may help recover data that was previously encrypted by 64 bit AES or less.
In the end, I agree it is a matter of time...




Badtz82

3/25/2013 8:37 PM EDT

Yup, I believe it is only a matter of time; I don't know if, using big massive grid computing, it may happen. And I believe the military have huge massive computers that can make it. Or it has been tried, I don't know.




MarkRC

10/29/2012 5:51 PM EDT

That may have been true yesterday, however today the fastest computer in the world is capable of 27 quadrillion operations per second, next year it will be a quintillion, a few years later it will be sextillion... in a decade or two it will take minutes to decrypt AES 128. The real question is how long do you need to protect your information?




Forensics1

1/16/2013 11:39 PM EST

@ MarkRC - OK, when that happens I will just go to 192, or 256 bit keys. Or, in the same time frame as you so wildly assume, perhaps the AES will also increase its complexity exponentially.

One of the many other barriers you are ignoring is the problem of energy.

To power such supercomputers as you theorize (and more likely that it will be a group of supercomputers like the NSA now uses) it would require about one-half of the world's current electrical energy production. And that is if you run them at normal room ambient temperatures.

How will you meet the needs of the world's population if you feed every other gigawatt to a computer?

As you wildly increase the computational limits you forget that everything has a cost. Be it energy, world resources, money, people, or whatever, there are limits to even a global effort.

The foresight of youth is so shortsighted.




David1965

5/5/2013 9:31 AM EDT

I have written an encryption/decryption system which uses Blowfish to generate the DES keys, of which there are 4x blocks. Also, I am using AES 256 as the filling to this DES sandwich algorithm, which also uses cipher block chaining, so would this be a better solution and resistant to hacking?




David1965

5/5/2013 9:37 AM EDT

Sorry to have forgotten to add this: the way the system would work is to start with DES being used 4 times on the four input blocks, then those four input blocks are fed into AES256 and finally into 4 OUTPUT blocks via the DES to complete one cycle of encryption. Also, the system can be used in reverse.
