A group of researchers uncovered new attacks on AES-256 encryption not too long ago. But while the research is definitely an improvement over the attacks of the past, experts say that is no reason to toss out the algorithm just yet.
The research was performed by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir. In it, the team laid out a number of related key attacks.
But while impressive, the attacks only pose a threat in theory for the most part. After all, the National Institute of Standards and Technology (NIST) certified AES implements 14 rounds, whereas the research focuses primarily on 9 and 10 round implementations. They also outline related-subkey attacks on 8 and 11 round implementations as well.
“The attacks are primarily interesting as theoretic progress on the analysis of AES,” said
Terence Spies, CTO of Voltage Security. “No AES encrypted data is at risk from this attack, as the work factor involved is essentially infinite. The attacks with smaller work factors require that only part of the algorithm is used, so are ineffective against the full cipher. These attacks are also related key attacks, meaning that any well-designed protocol that uses randomized keys would not be vulnerable.”
Ramon Krikken, an analyst with the Burton Group, noted that the attacker would need a special set of circumstances to even create the possibility for attack on a specified piece of encrypted information.
“Specifically the attacker would need information encrypted with keys that are mathematically related – not something that should happen easily in a well-designed system,” he wrote in an e-mail.
“So while there’s no immediate need to panic, it may be prudent to look at changes such as increasing the number of rounds or perhaps using “single-key double-AES” or another construct that increases attack resistance,” he suggested.
Security researcher Bruce Schneier expressed a similar sentiment on his blog last month that the attacks are proof the safety margin of AES is less than previously thought.
“And while there is no reason to scrap AES in favor of another algorithm, (NIST) should increase the number of rounds of all three AES variants,” he wrote. “At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds.”
However, as Bob Blakley, another Burton Group analyst, pointed out to eWEEK, that would require a significant amount of analysis to ensure it was effective.
In addition, the cipher in general use is AES-128, Blakley said in an e-mail.
Still, he argued, the advances may not bode well for the future security of AES-256.
“AES-256 is probably secure ‘for now’ but I wouldn’t feel good recommending it to people as this set of attacks will probably continue to make progress as time goes on,” Blakley said.