Feeds

New AES crypto standard broken already?

Depends who you ask

  • alert
  • submit to reddit

3 Big data security analytics techniques

Theoretical attacks against AES (Advanced Encryption Standard) winner Rijndael and runner-up Serpent have been published. They might work in the practical world; they might not. That's about all we can say from the latest edition of Bruce Schneier's CryptoGram newsletter, which seeks to simplify the issues discovered by researchers Nicolas Courtois and Josef Pieprzyk, and elaborated in a paper entitled "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations".

Now while this represents an interesting bit of research, it does not mean that AES has been or even can be cracked in the real world. The work is theoretical and needs to be reviewed by others; and even if it's confirmed in theory and partially confirmed empirically, it may never be possible to exploit it.

"You can try the attack on simplified versions of the cipher -- fewer rounds, smaller block size -- but you can never be sure the attack scales as predicted," Schneier points out.

That said, it's ironic that Serpent, which touts itself as more secure than Rijndael (though slower), appears at least for now to be more vulnerable in this case. And while there's no immediate problem for either cipher, we may find that AES' functional life-expectancy is considerably shorter than originally hoped (something like a century).

"If the attack really works, it can only get better. My fear is that we could see optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things starts to get dicey about ten years from now," Schneier reckons.

That's bad news for those who might require that an encrypted object remain impractical to decrypt for several decades. Some businesses perhaps, and certainly some government and military agencies do need very long-lasting and very strong levels of communications and data security. What we're seeing here is another example proving that asking for one-shot solutions is asking too much. We've said it before and we'll say it again: there's no substitute for a holistic approach to security and privacy in which no single component is ever fully trusted. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.