Can We Break Your Password With Our GPUs?


Spooony
July 6th, 2011, 03:19 AM
http://www.tomshardware.com/reviews/password-recovery-gpu,2945.html

AES is running out of time

chiraldude
July 6th, 2011, 04:53 AM
This article is purely about brute force password guessing using GPUs. Nothing new.
Interestingly, the article discusses passwords up to 12 characters so of course, if you have a room full of computers with fast GPUs you can brute force a 12 character password in months or possibly weeks.

AES is still as secure as ever. Never use a password less than 16 characters and use 20+ character passwords when possible. A 20 character random password will not be brute forced in your lifetime.

HAN
July 6th, 2011, 10:14 AM
Thanks for the link. Interesting read. I wonder how soon this might become common? For true hackers, it's going on now. But they are limited in numbers. Which bides some time for the masses. But that will change...

Spooony
July 6th, 2011, 08:34 PM
The thing about the article is not the encryption used or length of passwords but what parallel computing brings to the table. Programs able to make use of 2 GPU setups. What about 3 or 4? The number of passwords crunched per second is getting bigger, and it's a huge amount compared to 2 or 3 years ago. Well, there is a hole in 256 AES which reduces the time for brute forcing even more. 128 AES is safer than 256. But the question is why are we relying so long on a 7 year old encryption technique? They are waiting for someone to crack it or for it to become in hardware range, which is really awful.

J_L
July 6th, 2011, 08:53 PM
Let them try breaking my 28 character triple encryption (Serpent-Twofish-AES) volume. Not that they'll find me and gain access in the first place.

Hungry Man
July 6th, 2011, 09:00 PM
What the hell are you hiding? lol

I don't bother encrypting anything -- nothing to hide.

Spooony
July 6th, 2011, 09:31 PM
-{ Quote: "Let them try breaking my 28 character triple encryption (Serpent-Twofish-AES) volume. Not that they'll find me and gain access in the first place." }-
Last time RSA Security said that a bloke with a P3 made them eat their words and he won a nice cash prize. The blokes from the university were still feeding scripts into their supercomputer crunching through billions and billions of passwords a second. So don't look at the brute force. Look at it as an old algebra equation which no one has worked out yet. Few came close though, and I expect it's just a matter of time.

x942
July 6th, 2011, 10:14 PM
-{ Quote: "The thing about the article is not the encryption used or length of passwords but what parallel computing brings to the table. Programs able to make use of 2 GPU setups. What about 3 or 4? The number of passwords crunched per second is getting bigger, and it's a huge amount compared to 2 or 3 years ago. Well, there is a hole in 256 AES which reduces the time for brute forcing even more. 128 AES is safer than 256. But the question is why are we relying so long on a 7 year old encryption technique? They are waiting for someone to crack it or for it to become in hardware range, which is really awful." }-

AES-128 bit is only stronger in theory. There are NO real world attacks against AES or any other AES contender for that matter.

About the known attacks:

-{ Quote: "Known attacks

For cryptographers, a cryptographic "break" is anything faster than a brute force attack - trying every possible key. Thus, an attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete. The largest successful publicly-known brute force attack against any block-cipher encryption has been against a 64-bit RC5 key by distributed.net.[10]

AES has a fairly simple algebraic description.[11] In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description.[12] Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.

During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use...in security-critical applications."[13] However, at the end of the AES process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."[14]

On July 1, 2009, Bruce Schneier blogged[15] about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich,[16] which exploits AES's somewhat simple key schedule and has a complexity of 2^119. In December 2009 it was improved to 2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys.[17] Another attack was blogged by Bruce Schneier[18] on July 30, 2009 and released as a preprint[19] on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.

In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint.[20] This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-Sbox. It works on the 8-round version of AES-128, with a time complexity of 2^48, and a memory complexity of 2^32.

In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.[21]" }-
Source: Wikipedia (https://secure.wikimedia.org/wikipedia/en/wiki/Advanced_Encryption_Standard#Security)

For that matter, in order to crack an AES-256 bit key (NOT the password) you would need to calculate every possible key (2^256 combinations). This would take longer than the age of the universe. Now provided that was possible and you had the CPU power to do so, you would need a HUGE amount of power. By huge I mean approximately the power of the sun. Now take that and turn that into money - no one would waste their time cracking an AES-256 bit key when passwords are far easier to crack.

-{ Quote: "
Key size in bits[2] | Permutations | Brute-force time for a device checking 2^56 permutations per second
8   | 2^8   | 0 milliseconds
40  | 2^40  | 0.015 milliseconds
56  | 2^56  | 1 second
64  | 2^64  | 4 minutes 16 seconds
128 | 2^128 | 149,745,258,842,898 years
256 | 2^256 | 50,955,671,114,250,100,000,000,000,000,000,000,000,000,000,000,000,000 years" }-
https://secure.wikimedia.org/wikipedia/en/wiki/Brute-force_attack#Theoretical_limits
Note 256 bit key there. Good luck with that.


Yes, CPUs and GPUs are getting faster and faster, but consider now the Von Neumann-Landauer Limit (https://secure.wikimedia.org/wikipedia/en/wiki/Landauer%27s_Principle), which states:
-{ Quote: "The so-called Von Neumann-Landauer Limit implied by the laws of physics sets a lower limit on the energy required to perform a computation of ln(2)kT per bit erased in a computation, where T is the temperature of the computing device in kelvins, k is the Boltzmann constant, and the natural logarithm of 2 is about 0.693. No irreversible computing device can use less energy than this, even in principle.[3] Thus, in order to simply flip through the possible values for a 128-bit symmetric key (ignoring doing the actual computing to check it) would theoretically require 2^128 − 1 bit flips on a conventional processor. If it is assumed that the calculation occurs near room temperature (~300 K) the Von Neumann-Landauer Limit can be applied to estimate the energy required as ~10^18 joules, which is equivalent to consuming 30 gigawatts of power for one year (30×10^9 W × 365 × 24 × 3600 s = 9.46×10^17 J). The full actual computation—checking each key to see if you have found a solution—would consume many times this amount." }-

Also take into account that even with our technology improving there is a point in time where it will not be improving enough. Unless a HUGE scientific breakthrough is made or a vulnerability in AES is found, it is unbreakable.

99.9% of anyone trying to break in will always aim at the weakest link - your password. GPUs and CPUs (and rainbow tables) aid cracking passwords (not keys). Strong password? Then YOU are the weak link and all an attacker needs to do is trick you into giving away your password. Until you can crack AES in a few years it isn't practical, as most passwords would be cracked beforehand (lots of people use crap passwords with encryption).
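The quoted brute-force table and the Landauer estimate are both plain arithmetic, and it is worth being able to redo them for any key size, guess rate or password alphabet. The following Python is an added example, not code from the Tom's Hardware review or from anyone in this thread: it reproduces the Wikipedia table at 2^56 checks per second, computes the ln(2)kT energy floor for 2^128 bit flips at 300 K, and estimates password-space search time for a printable-ASCII alphabet. The 1e9 guesses/s GPU rate in the demo is a constructed figure for illustration, not one taken from the review.

```python
import math

# Constants. k is the Boltzmann constant (CODATA 2018 exact value);
# the quoted passage uses ln(2)*k*T joules per bit erased.
BOLTZMANN_K = 1.380649e-23          # joules per kelvin
SECONDS_PER_YEAR = 365 * 24 * 3600  # the quoted passage uses a 365-day year


def brute_force_seconds(key_bits: int, checks_per_second: float) -> float:
    """Time to try every one of the 2**key_bits keys at the given rate."""
    return (2 ** key_bits) / checks_per_second


def brute_force_years(key_bits: int, checks_per_second: float) -> float:
    return brute_force_seconds(key_bits, checks_per_second) / SECONDS_PER_YEAR


def landauer_energy_joules(bits: int, temperature_k: float = 300.0) -> float:
    """Lower bound on the energy needed merely to count through all 2**bits
    values: 2**bits - 1 bit flips, each costing at least ln(2)*k*T."""
    energy_per_flip = math.log(2) * BOLTZMANN_K * temperature_k
    return (2 ** bits - 1) * energy_per_flip


def gigawatt_years(energy_joules: float) -> float:
    """Express an energy as years of continuous 1 GW draw."""
    return energy_joules / (1e9 * SECONDS_PER_YEAR)


def password_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def password_space_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust that space at a given guess rate."""
    return password_space(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def keyspace_table(checks_per_second: float = 2 ** 56, sizes=(8, 40, 56, 64, 128, 256)) -> dict:
    """Reproduce the quoted Wikipedia table: key size -> worst-case seconds."""
    return {bits: brute_force_seconds(bits, checks_per_second) for bits in sizes}


if __name__ == "__main__":
    for bits, secs in keyspace_table().items():
        print(f"{bits:>3}-bit key: {secs:.3g} s ({secs / SECONDS_PER_YEAR:.3g} years)")
    e = landauer_energy_joules(128)
    print(f"Landauer floor for 2^128 flips at 300 K: {e:.3g} J = {gigawatt_years(e):.1f} GW-years")
    # Constructed attacker rate for illustration only (not a figure from the review):
    RATE = 1e9
    for n in (7, 8, 12, 16):
        years = password_space_years(95, n, RATE)
        print(f"{n:>2} printable-ASCII chars at {RATE:.0e} guesses/s: {years:.3g} years")
```

The table check is the useful part: 2^64 keys at 2^56 per second is exactly 256 seconds, and 2^128 comes out at about 1.5 × 10^14 years, matching the quoted figures. The password-space function shows why the review stops at 12 characters: the cost grows by a factor of 95 per added character, which is a much steeper curve than any hardware roadmap.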

x942
July 6th, 2011, 10:30 PM
-{ Quote: "Last time RSA Security said that a bloke with a P3 made them eat their words and he won a nice cash prize. The blokes from the university were still feeding scripts into their supercomputer crunching through billions and billions of passwords a second. So don't look at the brute force. Look at it as an old algebra equation which no one has worked out yet. Few came close though, and I expect it's just a matter of time." }-

Didn't see this when I posted. :-[ I stand by my above post but wanted to add that I agree with this statement. Any day someone COULD find a flaw in AES, but that goes for any algorithm sadly. Also if you don't like AES check out CAST5; it has been impervious to all theoretical attacks so far (making it stronger than AES).

cm1971
July 6th, 2011, 10:56 PM
-{ Quote: "This article is purely about brute force password guessing using GPUs. Nothing new.
Interestingly, the article discusses passwords up to 12 characters so of course, if you have a room full of computers with fast GPUs you can brute force a 12 character password in months or possibly weeks.

AES is still as secure as ever. Never use a password less than 16 characters and use 20+ character passwords when possible. A 20 character random password will not be brute forced in your lifetime." }-
Also, wouldn't the program you used come into play? Some have failsafes against brute force that would further slow it down, don't they?

Hungry Man
July 6th, 2011, 10:57 PM
"wait 5 seconds before reentering password"

and bruteforcing just got destroyed

Spooony
July 7th, 2011, 12:08 AM
-{ Quote: "AES-128 bit is only stronger in theory. There are NO real world attacks against AES or any other AES contender for that matter." }-
It's over 2 years old now
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
Here's to ASP.NET, AES encrypted or not
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

There are plenty of software bugs for attackers to use to bypass breaking the keys. That's what keeps me awake at night, not the algorithms.

J_L
July 7th, 2011, 12:09 AM
-{ Quote: "What the hell are you hiding? lol" }-
Why should I tell you something I'm hiding?

Spooony
July 7th, 2011, 12:13 AM
-{ Quote: "Why should I tell you something I'm hiding?" }-
Now where do you keep the password?

J_L
July 7th, 2011, 12:18 AM
In my brain.

x942
July 7th, 2011, 12:44 AM
-{ Quote: "It's over 2 years old now
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
Here's to ASP.NET, AES encrypted or not
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

There are plenty of software bugs for attackers to use to bypass breaking the keys. That's what keeps me awake at night, not the algorithms." }-
Read the full article:

-{ Quote: "There are three reasons not to panic:

The attack exploits the fact that the key schedule for 256-bit version is pretty lousy -- something we pointed out in our 2000 paper -- but doesn't extend to AES with a 128-bit key.
It's a related-key attack, which requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way.
The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds." }-

So basically this is nothing. I use AES-256 with 14 rounds (min. KeePass I use about 10,000) like most people and software (TC, PGP, etc.).
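cm1971 asked above whether the program itself slows guessing down, and this post mentions the rounds setting in KeePass. The mechanism both point at is a key-derivation work factor: the password is stretched through many iterations before it becomes the key, so every single guess costs an attacker those same iterations, with the effect that a GPU's raw hash rate is divided by the round count. The following Python is an added example and is not KeePass's, TrueCrypt's or PGP's actual key-derivation code; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in (KeePass's own transformation is a different construction), and the 1e9 HMAC/s attacker rate is a constructed figure.

```python
import hashlib
import hmac
import os
import struct
import time


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Stretch a password into a fixed-size key with PBKDF2-HMAC-SHA256.
    `iterations` is the work factor: every guess, right or wrong, must pay
    for this many chained HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def make_verifier(password: str, iterations: int = 10_000) -> dict:
    """What a password-protected container stores: a random salt, the round
    count and the derived key (a real container stores a check value derived
    from the key rather than the key itself; simplified here)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def check_password(candidate: str, verifier: dict) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    derived = derive_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(derived, verifier["key"])


def pbkdf2_first_block_by_hand(password: str, salt: bytes) -> bytes:
    """PBKDF2 with c=1 and dklen=hLen is a single HMAC over salt || INT(1);
    each additional iteration chains one more HMAC on top. This makes the
    'rounds' knob concrete: rounds == HMACs per guess."""
    return hmac.new(password.encode("utf-8"), salt + struct.pack(">I", 1),
                    hashlib.sha256).digest()


def guesses_per_second_after_kdf(raw_hmac_per_second: float, iterations: int) -> float:
    """An attacker able to compute `raw_hmac_per_second` HMACs can test only
    this many passwords per second once each test costs `iterations` HMACs."""
    return raw_hmac_per_second / iterations


def time_one_derivation(iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine, in seconds."""
    start = time.perf_counter()
    derive_key("timing-probe", b"constructed-salt", iterations)   # constructed inputs
    return time.perf_counter() - start


if __name__ == "__main__":
    v = make_verifier("correct horse battery staple", iterations=10_000)
    print("right password accepted:", check_password("correct horse battery staple", v))
    print("wrong password rejected:", not check_password("correct horse battery stable", v))
    for rounds in (1, 1_000, 10_000, 100_000):
        print(f"{rounds:>7} rounds: {time_one_derivation(rounds) * 1000:8.2f} ms per guess")
    # Constructed attacker rate for illustration (not a figure from the thread):
    print("guesses/s at 1e9 HMAC/s with 10,000 rounds:",
          guesses_per_second_after_kdf(1e9, 10_000))
```

The timing loop shows the trade the user makes: the legitimate unlock takes a few tens of milliseconds longer, while the attacker's guess rate drops by the same factor on every guess. Note that this is a multiplier on the password's own search space, not a replacement for length: dividing a rate by 10,000 buys roughly two characters of a 95-symbol alphabet.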

Baserk
July 7th, 2011, 08:53 AM
-{ Quote: "...
There is plenty of software bugs for attackers to use to bypass breaking the keys. That's what keeps me awake at night, not the algorithms" }-
Don't you worry about the size of the wrench? --http://xkcd.com/538/-- (j/k, I know the link was posted recently in another privacy thread but couldn't resist)

Spooony
July 7th, 2011, 11:01 PM
-{ Quote: "Read the full article:

So basically this is nothing. I use AES-256 with 14 rounds (min. KeePass I use about 10,000) like most people and software (TC, PGP, etc.)." }-
lol you're understanding it wrong. A year or two ago a password with 7 random characters was SECURE. Now it's in hardware range. Look at the 2nd link. Doesn't matter how strong the encryption. A simple flaw in an application lets you bypass it. Do you think the AVG joe uses a password like this:
6hEoI!Zwi2WQZKvm

Nope. They use passwords like places and all those you get in a dictionary, and all their passwords, like LastPass, are based on 1 security setup. That's your email. I get into your email, I get into your KeePass, LastPass, whatsoever. So how secure is a person's email?

Noob
July 8th, 2011, 02:21 AM
Very interesting ;D

x942
July 8th, 2011, 01:20 PM
-{ Quote: "lol you're understanding it wrong. A year or two ago a password with 7 random characters was SECURE. Now it's in hardware range. Look at the 2nd link. Doesn't matter how strong the encryption. A simple flaw in an application lets you bypass it. Do you think the AVG joe uses a password like this:
6hEoI!Zwi2WQZKvm

Nope. They use passwords like places and all those you get in a dictionary, and all their passwords, like LastPass, are based on 1 security setup. That's your email. I get into your email, I get into your KeePass, LastPass, whatsoever. So how secure is a person's email?" }-

Not understanding anything wrong. I was talking about cracking AES, not passwords. I think you are confusing the two. Yes, a 7 character password is nothing (especially with rainbow tables). BUT all mine are at minimum 34 characters long (with the sole exception of sites (like forums) that don't matter).

Now name one vulnerability found in either PGP WDE or TrueCrypt that allowed an attacker to access the data AND supply a LINK to support it. I am not talking about external attacks either (DMA/Cold boot don't count), only attacks on the program itself.

Now of course it's possible, but since both programs are under public review and PGP goes through its own review board as well (Bruce Schneier is on there as well as countless other respected security analysts) it is slim and has yet to happen.

Also I don't even expect a person who doesn't use a secure password to know or use encryption. If they don't care about their passwords, why would they encrypt their HDD?

KeePass and LastPass are VERY different things. LastPass is online storage for an encrypted database while KeePass is OFFLINE. I use KeePass and store it on an encrypted IronKey. Again, KeePass has never had a flaw that exposed data either (also open source).

LastPass is online (why I don't use it) but that isn't a flaw. LastPass is secure. You can not only use two factor authentication on it but also use two factor on your email account. I use it on my Gmail account as well as a ~40 char. password (randomly generated). Let's see someone defeat that.

x942
July 11th, 2011, 12:44 AM
Found some more information I would Like to share:

Those so-called attacks on AES only apply if AES is used as a hash function in so-called Davies-Meyer mode. This is further explained by Justin Troutman here:

-{ Quote: "These related-key attacks, in a nutshell, assume that an adversary has access to different plaintexts encrypted under different, related, keys, which can be ruled out, if you do things right. From the way it looks now, the attacks would apply if the AES was used as a hash function, in Davies-Meyer mode, for example, which is essentially the construct on which MD5, SHA-1, SHA-2. However, we don't need to use the AES this way, because we have dedicated hash functions already that meet security requirements of which the AES was never intended.

We use the AES for purposes like message encryption and message authentication, where modes, such as CTR (i.e., encryption for confidentiality) and CMAC (i.e., authentication for integrity) assume the AES to be a PRP; this is still just fine. On the other hand, if we expect the AES to behave like an ideal block cipher, as might be assumed in Davies-Meyer mode, then we might have a problem. So, TrueCrypt and PGP aren't susceptible. Furthermore, I can't think of any application that is.
" }-
Source (https://www.wilderssecurity.com/showpost.php?p=1516509&postcount=48)

Sorry for the slight bump, I wanted to clear up the confusion on that attack (as it was mentioned earlier).

Spooony
July 22nd, 2011, 12:16 AM
-{ Quote: "Not understanding anything wrong. I was talking about cracking AES, not passwords. I think you are confusing the two. Yes, a 7 character password is nothing (especially with rainbow tables). BUT all mine are at minimum 34 characters long (with the sole exception of sites (like forums) that don't matter).

Now name one vulnerability found in either PGP WDE or TrueCrypt that allowed an attacker to access the data AND supply a LINK to support it. I am not talking about external attacks either (DMA/Cold boot don't count), only attacks on the program itself.

Now of course it's possible, but since both programs are under public review and PGP goes through its own review board as well (Bruce Schneier is on there as well as countless other respected security analysts) it is slim and has yet to happen.

Also I don't even expect a person who doesn't use a secure password to know or use encryption. If they don't care about their passwords, why would they encrypt their HDD?

KeePass and LastPass are VERY different things. LastPass is online storage for an encrypted database while KeePass is OFFLINE. I use KeePass and store it on an encrypted IronKey. Again, KeePass has never had a flaw that exposed data either (also open source).

LastPass is online (why I don't use it) but that isn't a flaw. LastPass is secure. You can not only use two factor authentication on it but also use two factor on your email account. I use it on my Gmail account as well as a ~40 char. password (randomly generated). Let's see someone defeat that." }-
Yes, that's you using the long password, not the avg joe. The avg joe thinks this is a secure password: AdECdEc - because it's uppercase and lowercase.
LastPass: the stuff gets encrypted on your PC and the key is on your PC. Not on the servers.

Spooony
July 22nd, 2011, 12:19 AM
-{ Quote: ""wait 5 seconds before reentering password"

and bruteforcing just got destroyed" }-
Are we talking about web security? For that, why brute force when you can rip the webconfig file and session cookie? They don't use brute force much these days. They don't need to SQL injection

x942
July 22nd, 2011, 01:24 AM
-{ Quote: "Yes, that's you using the long password, not the avg joe. The avg joe thinks this is a secure password: AdECdEc - because it's uppercase and lowercase.
LastPass: the stuff gets encrypted on your PC and the key is on your PC. Not on the servers." }-

1) As I said, I doubt anyone that thinks adECdEc is a good password is using encryption LOL (OK, maybe one or two people but not most; one of the first things TrueCrypt and other encryption programs tell you to do is use a long and complex password). But fine, you're right.

2) I know what LastPass does. It is different for two reasons (IMHO at least): KeePass is offline only - LastPass backs up the encrypted database online. KeePass supports multiple algorithms (AES, Serpent) - LastPass only supports AES256. You are right but I should have clarified what I meant ;)

x942
July 22nd, 2011, 01:25 AM
-{ Quote: "Are we talking about web security? For that, why brute force when you can rip the webconfig file and session cookie? They don't use brute force much these days. They don't need to SQL injection" }-

HTTPS would stop session hijacking provided there is no MITM. Also this is why you should always use a VPN or a home network protected with WPA2.