6

Are 128 and 256bit AES encryption considered weak?

I wanted to archive files and i figure i can write an app to automatically do it with winrar or 7z. Winrar uses AES-128 and 7z uses AES-256. I was wondering if that's easily breakable now that the market have quad cores? Some of these files are small like 10kb and even 4kb (maybe a few files with be <1k)

I want to backup many disc but i am nervous how easily they can be broken if someone really wanted to break it.

nik
  • The algorithm itself will likely be reasonably secure for a while. Whereas the implementation of it in either of those programs may leave much to be desired. Are either of these using FIPS 140-2 certified cryptographic modules? It's unlikely, considering how much certification costs. I don't know what kind of data you're wishing to protect with it, but for your standard home or corporate use, AES is a good bet. Just find a good implementation that meets your needs. – romandas Aug 09 '09 at 05:30
  • 1
    256-bit, not 258-bit, I believe. – Jonathan Leffler Aug 09 '09 at 05:54
  • @Jonathan Leffler, oops, hit the wrong key. –  Aug 09 '09 at 06:05

4 Answers

10

A recent AES-256 break is described by Bruce Schneier in his July 30, 2009 posting,
Another New AES Attack:

There are three reasons not to panic:

  1. The attack exploits the fact that the key schedule for 256-bit version
     is pretty lousy -- something we pointed out in our 2000 paper -- but doesn't extend
     to AES with a 128-bit key.
  2. It's a related-key attack, which requires the cryptanalyst to have access to
     plaintexts encrypted with multiple keys that are related in a specific way.
  3. The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.

Not much comfort there, I agree. But it's what we have. Cryptography is all about safety margins. If you can break n rounds of a cipher, you design it with 2n or 3n rounds. What we're learning is that the safety margin of AES is much less than previously believed. And while there is no reason to scrap AES in favor of another algorithm, NIST should increase the number of rounds of all three AES variants. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don't want to be revising the standard again and again.

And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the foreseeable future. But if you're already using AES-256, there's no reason to change.

The paper I have is still a draft. It is being circulated among cryptographers, and should be online in a couple of days. I will post the link as soon as I have it (paper ref).

The quote above has highlights relevant to the question and
mild typographical changes I made.
Schneier was probably typing slower than he thinks...
The original reference is linked for the purists.


Finally, if you want to look at what some Stackoverflow users have to say about it:
Is it possible to reverse engineer AES256?

nik
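Added illustration (not code from this thread, and not the AES implementation inside WinRAR or 7-Zip): a compact AES block encryptor written against FIPS-197 in pure Python, with the round count exposed as a parameter so the "rounds as safety margin" point in the quoted Schneier post can be seen directly (AES-128 normally runs 10 rounds, AES-192 12, AES-256 14; the 256-bit key schedule differs from the others by an extra SubWord step, which is the part Schneier calls lousy). It also carries a rough exhaustive-search estimate for the question's "quad cores" worry. Assumptions: the S-box is computed from GF(2^8) arithmetic rather than copied as a table, the per-core rate of 10^9 key trials per second is a made-up round figure, and the code is for study only (it is table-driven and far from constant-time, so it is not something to ship).

```python
# Added example, not from the original thread or from WinRAR/7-Zip.
# AES block encryption per FIPS-197 with a selectable round count, plus a
# brute-force cost estimate. Educational code: not constant-time, no modes.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv, p, e = 1, x, 254          # x^254 == x^-1 in GF(2^8); 0 stays 0
        while e:
            if e & 1:
                inv = _gmul(inv, p)
            p, e = _gmul(p, p), e >> 1
        s = inv
        for i in range(1, 5):          # b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
STANDARD_ROUNDS = {16: 10, 24: 12, 32: 14}   # FIPS-197 Nr for AES-128/192/256

def _expand_key(key, rounds):
    """FIPS-197 key schedule: rounds+1 round keys of 16 bytes each."""
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    while len(w) < 4 * (rounds + 1):
        t = list(w[-1])
        if len(w) % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)                   # rcon_i = x^(i-1)
        elif nk > 6 and len(w) % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord: 256-bit keys only
        w.append([a ^ b for a, b in zip(w[-nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def _shift_rows(s):
    """State is column-major (index = 4*col + row); row r rotates left by r."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    """Multiply each column by the fixed MDS matrix [2 3 1 1; 1 2 3 1; ...]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(2, a0) ^ _gmul(3, a1) ^ a2 ^ a3,
                a0 ^ _gmul(2, a1) ^ _gmul(3, a2) ^ a3,
                a0 ^ a1 ^ _gmul(2, a2) ^ _gmul(3, a3),
                _gmul(3, a0) ^ a1 ^ a2 ^ _gmul(2, a3)]
    return out

def aes_encrypt_block(key, block, rounds=None):
    """Encrypt one 16-byte block; rounds=None selects the FIPS-197 count."""
    if len(key) not in STANDARD_ROUNDS or len(block) != 16:
        raise ValueError("key must be 16/24/32 bytes and block 16 bytes")
    if rounds is None:
        rounds = STANDARD_ROUNDS[len(key)]
    rk = _expand_key(key, rounds)
    s = [a ^ b for a, b in zip(block, rk[0])]      # initial AddRoundKey
    for r in range(1, rounds + 1):
        s = _shift_rows([SBOX[b] for b in s])       # SubBytes, ShiftRows
        if r != rounds:
            s = _mix_columns(s)                     # skipped in the last round
        s = [a ^ b for a, b in zip(s, rk[r])]       # AddRoundKey
    return bytes(s)

def years_to_exhaust(key_bits, keys_per_second):
    """Expected years to search half the keyspace at the given trial rate."""
    return 2 ** (key_bits - 1) / keys_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")   # FIPS-197 App. C
    key256 = bytes(range(32))
    print(aes_encrypt_block(key256, pt).hex())              # 14 rounds, C.3 vector
    print(aes_encrypt_block(key256, pt, rounds=28).hex())   # Schneier's 28-round idea
    # Assumed figure: four cores at 1e9 trial decryptions per second each.
    print(f"AES-128 exhaustive search: {years_to_exhaust(128, 4e9):.2e} years")
```

Run as-is it prints the FIPS-197 C.3 ciphertext for the 32-byte key, the (non-standard) 28-round output, and an exhaustive-search estimate on the order of 10^21 years for a 128-bit key; the cores in a desktop do not move that number in any meaningful way, which is why the practical risk in an archive tool lies in the password-to-key step and the implementation rather than in AES itself.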
9

Short answer: no. For the moment at least.

There was a published attack against AES128 that if I remember rightly knocked a bit or so off the effective strength of the algorithm and key size combination used.

The more recent attack vectors identified against AES256 are potentially more serious as they could theoretically push the effective strength below that of AES-128 but only in certain very very specific circumstances. IIRC these attack vectors are not practical in the real world. They are being taken seriously by the crypto community though, as the existence of an impractical-but-possible attack method may lead to the discovery/development of a more real-world practical one.

squillman
David Spillett
1

Bruce Schneier discussed this on his blog on 2009-07-30. Superficially, it appears that AES-192 and AES-256 may be less strong than AES-128. Although the algorithms are secure for the time being, as David Spillett says in his answer, there are questions being raised now, and (as Bruce Schneier says in the linked blog entry) "This again proves the cryptographer's adage: attacks always get better, they never get worse".

Jonathan Leffler
0

The answer is "it depends". The US Government consider them secure enough for "non-classified" information (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf) so unless you're storing stuff like what's really going on in Area 51 they should be sufficient. I believe that potential attacks (in unlikely scenarios) against them have been discovered, but are the methods used really feasible for the casual hacker or script kiddie? And anyway a potential attack does not make an algorithm "weak".

Read more here: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

Maximus Minimus