My speculation: NSA can break AES crypto

Caveat: This post is considered nothing more than speculation on my part, as I have no knowledge of the government's abilities beyond what's been reported.

With the supercomputing power they possess -- and with the budget that's classified but rumored to be $10 BILLION$ annually -- why can't they brute force attack all encrypted communications?

Supercomputers are getting stronger and faster and where there's a will, there's a way -- and NSA definitely has the will. We learned the other day that they are giving special attention to encrypted communications.

Some people still use weak algorithms but for those of us who are in the know, AES-256 is the strongest (I think? correct if I'm wrong) cryptography and has not, to our knowledge, been "broken." Yet we would NEVER know if NSA mathematicians and scientists had achieved what we consider "the impossible."

So if they haven't discovered a way to break it, perhaps they are simply brute-forcing all of it. Sigh.

Some depressing food for thought..

 

I share your concern but for a different reason. Whenever the question of strong encryption algorithms comes up, "experts" come out of the woodwork, all recommending AES over all other options. AES is not the only strong encryption available. Blowfish and Twofish are both unbroken. Blowfish has stood up for 20 years now. Both are in the public domain, freely available to all.

Call me paranoid if you want, but this single minded push to AES sets off alarms for me. The lack of mentioning other viable options like Blowfish and Twofish makes me think "sock puppets" and leaves me believing that they do have a way to attack AES. That alone is enough to convince me to use another option, especially when they're also unbroken.

 

It's been said a million times but it's going to get said again. If you use a strong password it doesn't matter.

Outside of a backdoor which I will address next the time it takes to bruteforce a long password, even MD5, is ridiculously long.

If you use a 95 character set and 16 characters it is going to take millions of years to crack your system. EVEN if the NSA somehow has access to super computers that can crack a quadrillion passwords per second by the time you've hit 20 characters (probably 16 is enough) that's completely irrelevant, and it will take many trillions of years to crack it still.

Now consider the amount of energy this would all take. For a single password. All of this effort, all of this computation, for a single password. Not to mention that secure services like LastPass can use hundreds of thousands of rounds of PBKDF2, making even large GPU clusters struggle to do a single hash.

This GPU cluster can only do about 30-90 hashes per second of SHA1 with 250,000 rounds. So even if we can scale perfectly (we can't) and the NSA bought 1,000,000 of those they would at best be able to crack 100,000,000 hashes per second, at which point a 14 character password is still plenty strong. Even if they got 1 billion of those of those it would still be strong enough to use a 14 character password.

We are talking about expending more power than the US can produce to crack one guys encryption if he's used a good enough password and key generation. Someone did a calculation once on how much energy it would cost to crack a long password - you'd bankrupt the planet.

No one considers "cracking" AES impossible. What they consider it is difficult, and we have years and years (centuries) of cryptographic knowledge to base that off of. It is not like one day you get "omg AES is cracked" it's more like a gradual implementation of the AES algorithm that gets faster and faster on current hardware.

Now, on to the backdoor.

The reason those "experts" recommend AES is because the top people in the field, the people who analyze and create cryptographic functions professionally ALL chose rjndael as the algorithm to make the new standard. They all chose their own algorithms first (of course) and rjndael second.

It has been analyzed extensively. It has been looked at by experts, yes, *experts*, in the field. It is not some closed source algorithm that just a few have seen, anyone can see it. THAT is why it's the one people recommend, because the most people have seen it.

Why does no one mention Twofish and Blowfish? Because they didn't win... because even the people behind those algorithms who oyu somehow trust more than the people behind the current AES chose it as the best contender.

Can an implementation be "attacked"? Yes. If I were to backdoor an encryption algorithm I would probably try to seed it with as little entropy as possible as my attack. This is not nearly as relevant with a 256bit keyspace, as it would still require more energy than the planet has to flip every bit and attack the keyspace directly.

 

Good post Hungryman. I would also like to add, the U.S government follows its own standards and recommendations. If there was a glaring vulnerability in the standards used, many of its own assets would be put at risk.

also

I can send you my linkedin if you would prefer.

 

Or, alternatively, the courts can just "compel" you to provide the password, saving the planet and the government a lot of hassle.

 

Who keeps making these threads. Seriously? AES is safe, now please stop making the threads.

 

I find it interesting that AES is actually a restricted version of Rijndael.
Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.

Regarding AES being recommended by the experts, I wouldn't call this much of a recommendation.

Both Bruce Schneier and Rich Schroeppel seem to have doubts about AES. Both seem to suggest that algebraic attacks on AES are possible but have not yet been identified. It appears to me that they're recommending it just because it is a government standard.

Since Blowfish and Twofish both remain unbroken, I see no good reason not to use them. The fact that the US government has made it a standard is reason enough for me not to use AES. If you trust it, that's fine. I don't trust anything recommended by the NSA.

 

I would be more suspicious if they didn't use the same AES themselves.

Another alternative is Serpent, it's supported by TrueCrypt, along with Twofish which is the successor of Blowfish. I think Rijndael won due to its efficiency, not necessarily because it had the strongest encryption strength (currently more than enough).

 

@noone_particular

You've really misinterpreted.

Every one of them would have been "cracked" at some point. They will all be broken, and sped up. AES has been sped up multiple times already, though only slightly.

If you read Schneier's other posts about AES where he explains attacks on it, you realize he considers it strong. He doesn't think it'll ever be possible to go straight from AES -> Plaintext without bruteforcing. And bruteforcing has not been sped up nearly enough - nor will it be for many years. On a proper implementation (ie: the standard number of rounds) AES has only gone from something like 10^128 to 10^127.5.

Use whatever you like. There's nothing wrong with Twofish/Serpent other than them being much slower. But claiming AES to be backdoor'd simply by virtue of the NSA endorsing it is silly.

 

Exactly, J_L.....

I've heard Schneier say many times that people should use the AES. He boasts about his Twofish, but ultimately says Rijndael (AES) should be the go-to algorithm. He's hardly a government-friendly guy either, so it's not some sort of conspiracy of disinformation.

 

I didn't misinterpret his reason for recommending it.

and I didn't misinterpret his doubts regarding AES.

Obviously I can't prove it, but I suspect that the NSA has figured out how to attack AES.

You'd also think that computer "experts" would have learned another lesson by now. When everyone uses the same thing, they're all at risk when it's found vulnerable. Windows itself should have driven that lesson home by now. Nature and our own food supply have been demonstrating that point since history began. Strength comes from diversity, not from everyone relying on the same thing, be it an OS, encryption algorithm, or specific type of seed.

 

There's no question you make some good points. If we're talking good, solid algorithms, there's really no 'right' or 'wrong'...

 

What experts have learned is that being obscure doesn't really save anyone, and having everyone looking at a product actually makes it better. Kerschoff's principal started in cryptography.

What exactly are you calling an attack? A method to speed up bruteforcing/ decryption? Or a way for the NSA to go from encrypted content to plaintext through pure cryptanalysis?

I'm sure the NSA has a lot of research into speeding up bruteforcing that hasn't been made public yet. I'm also sure they don't have a way to go to plaintext without bruteforcing.

Schnier's point on not recommending other algorithms is to avoid conversations exactly like this, where people ask "Why is this one being recommended? Is the other one weak?" because they never have any substance. Other algorithms are fine, but they aren't as tested, and they are slower. No one is goin gto recommend them, but you're not going to get hacked with them anyways.

 

Sorry for asking, but how does NSA's ability to break through AES crypto affect the average civilian? I am a huge fan of privacy and anonymity, as a part of America's god-given constitutional rights, but I need to understand the practical implications of this. Perhaps this means the NSA can decrypt tor/vpn traffic and therefore intercept terrorists' messages lol.

 

If you use a strong password AES cannot be broken right now. Maybe in the future a weakness will arise although this is unlikely. If you use AES encryption with a strong password your data is safe.

However, if you are a high profile target, there are many other ways to get access to your encrypted data, such as simply looking through your window with a binocular while you type your password, install a keylogger on your computer, hardware or software based. Or even kidnap a loved one or torture you to make you reveal your password.

 

Thanks to our convoluted, special interest and big money serving laws, the average person commits 3 felonies a day. They've equated file sharing with terrorism. Got any music or videos you didn't pay for? Did you buy anything online, from another state, etc? A few trinkets from a roadside stand on your last vacation? Did you declare it on your taxes? If not, you're guilty of tax evasion. There's all kinds of examples that you and I would call ridiculous, but if it involves someone not getting their money, it's probably a felony. A casual comment about your vacation in an e-mail can be evidence of one of these pathetic "felonies". A picture you saw on the web and used as wall paper or part of a screensaver could make you guilty of theft of intellectual property and various computer crimes. Yes, it's ridiculous, but it's happening.

 

Well said. .

 

Do not always believe that governments always practice what they teach. You will be unpleasantly surprised. .

 

It's one of the most unsafe, regarding the AES finalists.

 

Really? All of the creators of the other finalists disagree, as they all chose AES as the second most secure (after their own, respectively).

 

Yes. Rijndail had a security factor of 1.11, 1.33 and 1.56 (IIRC) for their 128, 196 and 256bit key.

Twofish had a SF of 2.67 and Serpent had 3.56.

You can read more: http://www.schneier.com/paper-twofish-final.pdf

I spent the whole day reading about Ciphers and Cryptanalytics. My conclusion was to NOT use AES, but Twofish, for my system partition. On my Data partition I'm still trying to decided, but probably just Serpent or a cascade of Twofish-Serpent.

 

quote:The requested URL /paper-twofish-final.pdf‎ was not found on this server.

 

Correct link: http://www.schneier.com/paper-twofish-final.pdf

 

Thank you. Somehow my link didn't work. I tried to post a link where I uploaded the file (thinking the link might be corrupted) but some message appeared about my content being moderated.

 

You are welcome. Your link did not work because there was at the end of it additional spaces.