Which AES implementation is tested and flawless?

Discussion in 'privacy technology' started by rpk2006, Sep 22, 2016.

  1. rpk2006

    rpk2006 Registered Member

    Joined: Jan 29, 2003
    Posts: 35
    Location: India

    Several posts on the Internet say AES is very good only if it is implemented correctly.

    I want to know which tool is recommended, with an AES implementation that has been thoroughly reviewed and seems to be free from vulnerabilities.

    Some common tools we use:
    PGP (now owned by Symantec)
    GnuPG
    AxCrypt
     
  2. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 1,592

    Perhaps a hint at what you need to encrypt would help with suggestions: files, system disk, email messages/body content
     
  3. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013
    Posts: 1,150
    Location: UK

    I can answer the flawless bit easily enough - there are none. There's some progress with formal verification, but you have to go a long way up and down the chain to ensure that it can execute on real-life hardware; it's not today!

    A tool can normally be split into an application, and then the cryptographic libraries for the AES itself. Both can have vulnerabilities, but normally, good quality cryptographic libraries are the stronger part of the equation, if actively maintained by good people. Normally, the biggest threats are weak implementations of the facilities offered by the library, incorrect selection of options, parameters or functions, or poor coding in the application itself. Or vulnerabilities in associated prerequisites such as the RNG, which, if compromised, can substantially weaken any algorithm.

    Independent assessment of code quality is expensive, think of the situation for the TrueCrypt audit - and I'm not aware of any similar reviews for the products you mention. Which leaves the normal assessments - is it open source; active; responding to bugs quickly; using high-quality crypto libraries? Does it take steps to avoid out-of-bounds vulnerabilities, strengthen the RNG (as TrueCrypt does), or protect the password entry from keyboard sniffing? Does it hide in-memory keys, and so on?

    PS - forgot the weakest link - the user. Many of the potential vulnerabilities are lessened by using decent passphrases!
     
  4. Nebulus

    Nebulus Registered Member

    Joined: Jan 20, 2007
    Posts: 1,582
    Location: European Union

    AES is a pretty simple algorithm and I am sure there are AES implementations that work flawlessly. But implementing the algorithm itself is just a small part of the equation, as you said. And that other part is almost impossible to guarantee that it works perfectly.
     
  5. rpk2006

    rpk2006 Registered Member

    Joined: Jan 29, 2003
    Posts: 35
    Location: India

    Please let me know which implementations are flawless. Is GPG secure?
     