21

It seems there are legal issues associated with AES-256 (it is disabled in Java, and Oracle tells me in their UnlimitedJCE Policy that I am "advised to consult" my "export/import control counsel or attorney to determine the exact requirements" before turning it back on and the page on Wikipedia does not look very friendly either).

It also seems that AES-128 is "fine" (at least the people responsible for putting together the JDK have come to that conclusion).

So can I just use AES-128 and feel happy with my encryption? Is it still safe enough to protect the data for a couple of more years from all but the most resourceful attackers?

Thilo
  • 257,207
  • 101
  • 511
  • 656
  • Why not? Even the so called ["groundbreaking" attack](http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/) on AES is not practical and would take trillions of years. Something I've read somewhere is that it's not the algorithm that breaks the system but the implementation – Ranhiru Jude Cooray May 14 '13 at 07:43
  • "He said it would still take trillions of years to recover strong AES keys using the biclique technique," I assume by *strong AES keys* they don't mean AES-128. If someone told me the groundbreaking attack on AES brings it down to ten million years for AES-128, I'd still be happy. – Thilo May 14 '13 at 07:50
  • Also, is "recover the key" necessary to "decrypt the message"? – Thilo May 14 '13 at 07:51
  • 1
    Maybe something you'll find interesting. http://serverfault.com/questions/51895/are-128-and-256bit-aes-encryption-considered-weak – Ranhiru Jude Cooray May 14 '13 at 07:53
  • 1
    Voted to close as "off topic" - perhaps a question for http://crypto.stackexchange.com? FWIW, people often turn to NIST for such advice; the guts of which is summarised on [this page](http://www.keylength.com/en/4/). – Duncan Jones May 14 '13 at 08:20
  • Tidbit from @RanhiruCooray's link: "And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future" – Thilo May 14 '13 at 08:28

1 Answers1

25

Check this very simple website: http://www.keylength.com.

There you can find the various recommendations made by academic and private organizations across the world. They don't all say the same thing, but they are all in the same ballpark.

For instance, NIST claims that AES-128 is fine at the very least up to 2030.

SquareRootOfTwentyThree
  • 7,606
  • 32
  • 43