Cryptographers have found a new chink in the widely used AES encryption standard that suggests the safety margin of its most powerful cipher is not as high as previously thought.
In a soon-to-be-published paper, researchers Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir show that the 256-bit version of AES is susceptible to several so-called related-key attacks that significantly diminish the amount of time it takes to guess a key. One technique against the 11-round version of the cipher can be completed in 270 operations, an improvement that cryptographer Bruce Schneier says was strong enough to be "almost practical."
Another attack uses only two related keys to crack the complete key of a nine-round version in 239 time, a vast improvement over the 2120 time of the best previous attack. A third attack breaks a 10-round version in 245 time.
Like previous attacks on AES, the latest techniques are still wildly impractical, cryptographers say. But because most of the world depends on the encryption standard to keep sensitive records and communications secure from outsiders, the findings are nonetheless significant. AES is also the foundation of several candidates for a new cryptographic hashing algorithm called SHA-3 that will be adopted by the US National Institute of Standards and Technology.
"When you're trying to build a system with a long life span, you want to have ciphers that are very conservative, so if there is a new attack that comes along, you have a long safety margin," says Paul Kocher, president and chief scientist at Cryptography Research, a San Francisco-based consultancy. "If you're trying to design a system that will be in the field for 30 years, you start worrying about stuff like this."
Kocher says that banks and other organizations have already spent billions of dollars moving away from DES, or the Data Encryption Standard, which enjoyed widespread use until cryptographers uncovered significant weaknesses that allowed it to be cracked using practical attacks.
Related-key attacks require a message to be encrypted with one key that is later changed to one or more different keys. It's usually hard for an outsider to control what keys get used, so the technique is considered hard to carry out under real-world settings.
Still, the findings have the surprising effect of making 256-bit AES less hardened than the 192-bit version. The related-key attack doesn't work on either AES-192 or AES-128.
The attack builds off of previous research that described a way to infer clues about keys used in AES by employing what's known as boomerang switching techniques to infer clues about the keys used in the algorithm.
That attack is also extremely hard to carry out in practical environments, but the latest findings suggest that new data continues to chip away at the viability of the AES ciphers. ®