Just last week a group of cryptographers announced a practical attack on some versions of 256-bit AES encryption. This announcement initially created quite a stir in the cryptography community, before reality set in and the scope of the vulnerability was defined. The attack is quite sophisticated and represents a major step toward breaking AES. While you might think that 256-bit AES encryption is the strongest encryption you can deploy because it has the largest key, in fact, key size is only one aspect of the strength and reliability of encryption. And in this case a weakness in key handling at the 256-bit level exposed a weakness in some, but not all, versions of AES encryption.
At this point you are probably asking yourself – am I at risk?
The answer is – that depends. Is your encryption solution NIST certified as Patrick Townsend Security Solutions are, or is it an open source or proprietary solution that some programmer hacked together on their own?
The recent attack that everyone’s talking about used 256-bit AES encryption that implements 10 or less rounds (repetitive processing that transforms the input using the encryption key) during the encryption process, combined with a set of related encryption keys and known plaintext values. The good news is that NIST defines the minimum number of rounds for standard 256-bit AES encryption at 14. There is no known practical attack on 256-bit AES encryption that implements 14 rounds.
If you are using a NIST-certified AES encryption solution you can now relax (our Alliance AES encryption solutions are NIST certified on all platforms).
If you are NOT using a NIST certified solution, or if you don’t know if your solution is NIST certified, you have some work to do. First, rather than ask your vendor if they are NIST certified, you can determine if your vendor has completed NIST certification by looking at the NIST AES Validation list. A NIST AES validation is specific to the operating system and hardware platform. Be sure you find a match with your implementation. If your vendor is not on the list it’s time to pick up the phone, call your encryption vendor, and ask some questions:
• Does your implementation use 256-bit AES encryption?
• How many rounds are used, and can the number of rounds be independently verified ?
• Where did you get your implementation of AES? Which Open Source version did the developer start with?
• Is the solution NIST compliant? Can the vendor prove it? If it is not NIST certified, why not? Do they have a plan to get their solution certified?
• Can the vendor replicate the published NIST encryption results to validate that the code is working correctly?
You should get some clear answers to these questions. If your vendor experiences one of those “deer in the headlights” moments, or if the answers are not clear and simple, you may have a vulnerable version of an encryption solution on your hands. Your vendor might say something like “Well, it’s an implementation of Rijndael, so it’s Okay”. This is why independent laboratory certification from NIST is important. Some older versions of Rijndael used a smaller number of rounds, and less talented encryption programmers may not even understand what the difference is.
NIST certification is not an absolute guarantee that a security vendor has done encryption right. Nor is it a guarantee that there won’t eventually be a weakness in the encryption algorithm. But NIST does represent the very best in encryption standards and guarantees that your vendor has had some independent review of its encryption solution. Doing encryption right is important not only to guarantee that your solution is less vulnerable to attack, but also to give you the peace of mind that your data can be decrypted by you when you need it.
While this published attack on 256-bit AES will probably not pose a significant risk to your encryption strategy, it will serve as a wake-up call to many organizations that it is time to get serious about encryption vendors. Any serious vendor of encryption will take the minimum step of completing NIST certification. We all think it is a good idea for teenagers to have a driver’s license, security vendors should get NIST certified, too.
Bruce Schneier has a really good description of the attack and it is well worth reading. I really like Bruce’s view on security in general. He writes well on a wide variety of security topics and brings a nuanced view to the subject. You can sign up to get his email newsletter on his web site.
One last thought: the cryptographers who found this weakness were not up to anything bad. The study of encryption ciphers and the attempt to compromise them (called cryptanalysis) is an important part of keeping encryption secure. You REALLY should worry about using encryption that is home-grown, or out of the mainstream, because the only ones trying to find the weakness are the bad guys. And they are not going to tell you if and when they break your encryption. They are going to exploit it as much as possible and your business will suffer. Don’t wait for that to happen. Realize that the right time to take a good hard look at your encryption solution vendor is now.