Should we abandon AES Encryption?

11/11/2013

http://silentcircle.wordpress.com/2013/09/30/nncs/

Which Encryption has been subverted?

One of the most upsetting things about the recent revelations about the NSA’s shenanigans is that it has apparently devoted US$250M to suborning international standards.  Over the last few weeks, just about everyone in the standards and crypto business has been looking over the crypto with an eye towards seeing what the NSA might have subverted.

Dual Elliptic Curve… (NSA tried to run rings around you)

The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid… Matt Green has an excellent blog post on its multi-dimensional stupidity. Was the NSA so stupid they think we wouldn’t notice the flaws (we did notice nearly immediately)? Was the NSA so stupid that this is the best they can do? The issue of the Suite B curves is more interesting. Cryptographers Dan Bernstein and Tanja Lange have been arguing that the Suite B curves are weak since before we ever heard of Ed Snowden. I’ve been public and pointed; I’ve always thought that the DUAL_EC_DRBG random number generator is patently stupid. But I’ve always believed that the Suite B curves were designed secure. All crypto has a lifespan of utility. Even if there are issues with the Suite B curves, I think they were designed well at the time.

“Not the NSA” – SilentCircle abandons AES

  • We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement.
  • We are going to replace our use of the SHA–2 hash functions with the Skein hash function.

AES is for legacy use only.

  • The old cipher suites will remain in our systems. We’re not going to get rid of them, but the new ones will be the default in our services.

Who else has abandoned AES?

Schneier wrote an article in 2000, just as AES was selected as the “winner”, warning that it was almost a broken cipher. On his scale, where a broken cipher scores 1 and a safety factor of 2 is generally considered acceptable, AES 128 scored 1.11.

1.11 is almost a broken cipher

And well below the minimum safety factor of 2. In 2000, choosing AES didn’t make sense… but today we understand the NSA: they were promoting broken ciphers so that their offensive capabilities would be strong. You can’t mix offensive and defensive roles, as offensive will always win out. If the NSA could break these ciphers, so could the state intelligence services of other countries, like Russia and China, and that’s before we get to criminal activity. So yes, I agree with Sir Tim Berners-Lee: the breaching of encryption security by the NSA is pretty stupid. Schneier also tried to calculate the extra rounds needed to make AES safe, and he found that it couldn’t be made safe without becoming too slow to use. AES should never have been a finalist… unless the motive of the NSA was to weaken global security. THEN AES makes perfect sense.

So, what to do?

  • Well, Schneier developed Twofish… it has a good safety factor of 2.56.
  • There’s also Serpent, with a safety factor of 3.56; it’s slow in software but fast in hardware.

Twofish looks like the best non-NSA replacement cipher, and swapping to it might give society some sense of security.

Truecrypt

Now we just have to convince enough open source applications to offer Twofish. It’s available in Truecrypt, but not in OpenVPN… yet. With public pressure to drop AES mounting, it would make good commercial sense to offer Twofish and Skein rather than NSA crypto bundles.

The next phase would be to automatically disqualify any AES candidate that fails to meet the generally agreed safety factor of 2.

All war is based on deception. Alas, the first thing that happens when society is betrayed is that it turns on the betrayer. We already know the ending to this story. It’s game over.

24 Comments
  1. There is no known practical attack that breaks AES. Meaning theoretical attacks (such as related-key attacks) don’t count, as a correct implementation will use related-key to encrypt the same data. Given it’s the most studied encryption in history, if there is a break, everyone in the world will know it. Using less studied encryptions is a bad idea since if the NSA breaks it, it’s less studied by the rest of the world, and no one else will know about the break.

    As of now, AES is still the best choice, and will remain that way for decades, if not more.

  2. There is no known practical attack that breaks AES. Meaning theoretical attacks (such as related-key attacks) don’t count, as a correct implementation will NOT use related-key to encrypt the same data. Given it’s the most studied encryption in history, if there is a break, everyone in the world will know it. Using less studied encryptions is a bad idea since if the NSA breaks it, it’s less studied by the rest of the world, and no one else will know about the break.

    As of now, AES is still the best choice, and will remain that way for decades, if not more.

    • Hi Amir,

      Check out Bruce Schneier’s research in 2000; he actively fought against the adoption of the current AES ciphers.
      They are too weak to be in widespread deployment.
      AES 128 is especially weak…

      The Open Source ciphers designed by Schneier such as Twofish and Serpent are more robust.
      Truecrypt offers these open source ciphers.

      Google are working on much stronger ciphers. The only form of AES not broken is AES GCM (Galois counter method).
      Look out for the ChaCha20 and Poly1305 ciphers – as they offer quadruple the speed of AES even using specialised hardware. The fact these new ciphers are quadruple the speed means we will see widespread deployment of them – but that takes around a decade.

      The attacks that render AES hopelessly defeated include the BEAST and Lucky 13. The German military offer some of the best details regarding the BEAST attack.

      • First of all, Bruce Schneier was promoting his own cipher in the AES competition, so of course he was going to say only good things about his own cipher and bad about others. That was his job and the purpose of the paper.

        Second, Bruce Schneier doesn’t say AES is weak in the sense that it can be broken. If he said something that stupid, he should be laughed out and publicly humiliated.

        Third, there are no known attacks against AES that are practical despite the fact this is the most studied cipher in history. Twofish and Serpent lost the competition and haven’t been studied for 15 years. If NSA breaks them, you won’t even know about it as no academic even looks at them.

        “Google are working on much stronger ciphers”

        Google uses AES on hardware that supports it (like on desktop and laptop). On Chrome on Android they use ChaCha20 because it’s faster (only a few sites use it), but that is going to change back to AES as new ARM processors add support for AES in hardware.

        Android full disk encryption is based on AES XTS

        Apple’s IOS full disk encryption is also based on AES.

        AES is not broken. Not even close. Only an idiot will say something that stupid.

        “Google are working on much stronger ciphers. The only form of AES not broken is AES GCM (Galois counter method)”

        AES GCM is in fact AES with authentication included. That’s what we mean by AES. There are other modes of AES (like CBC) that would be just fine where authentication is not required (like disk encryption). In fact Google Android full disk encryption is based on AES XTS.

      • In ciphers, the standard test is the safety factor. We look for a safety factor of at least 2.
        AES cannot achieve that.
        Twofish and Serpent offer higher safety factors. Serpent has a safety factor of 3.56.
        This was the argument – and the maths back it.

  3. “In ciphers, the standard test is the safety factor. We look for a safety factor of at least 2.”

    You are quoting from Schneier’s paper in the AES competition again. There is absolutely no safety standard that is assignable as numbers like 1 or 2. These were just subjective numbers assigned based on the knowledge of crypto back then and characteristics like the number of rounds in the algorithm. This is not a standard.

    There is no guarantee that Twofish and Serpent are safer. They just use more rounds and are more complex, but that doesn’t guarantee that they are safer. No academic has studied Twofish and Serpent for 15 years, as they lost the competition. AES on the other hand is the most studied cipher in history. There are still no practical attacks and it could be that way for hundreds of years, if not forever. It’s also faster and easy to implement in hardware.

    Second, Rijndael, which became AES, was not an NSA cipher. It was a cipher submitted by Belgian cryptographers and it was chosen because it received the most votes by the community. The NSA played no role in picking AES. Clearly the crypto community who voted made the right decision, given it’s still standing unbroken and is incredibly fast and efficient.

  4. Here is the summary: If security is a concern, we should always use AES. A talented cryptanalyst simply gets more “bang for the buck” finding a flaw in AES than he does for the much less known and used Twofish and Serpent. Obscurity provides no protection in encryption. More eyes looking, studying, probing, attacking an algorithm is always better. You want the most “vetted” algorithm possible and right now that is AES. If an algorithm isn’t subject to intense and continual scrutiny you should place a lower confidence in its strength.

    The other advantage of using AES is speed. Intel, AMD, ARMv8 (Android), Apple all now have hardware/cpu level instructions to speed up AES. People concerned with battery life and daily performance on the phones and netbooks simply won’t be happy with obscure slow (and no longer even studied) ciphers like you recommended in this article.

    • AES is faster – but not as strong as the accepted standards. Schneier attempted to make AES stronger – but could not without making it too slow. At that point, AES should have been deselected – as it could not meet the agreed safety factor of 2. ALL the other contestants could. So *why* was AES selected, when it was clearly the weakest option?

      • “Schneier attempted to make AES stronger”

        He was promoting his own cipher. Given now that Intel, AMD, ARM, and Apple all have AES instructions at CPU level, AES would be several times faster than Twofish even with more rounds. Why does no one use more rounds now in 2015? Because there is no need for it. Turns out that the AES designers were actually correct (Schneier was wrong), as 10, 12, 14 rounds of AES remain unbroken, and it will likely stay that way for hundreds of years, if not forever. In fact there has been almost no progress made in that area despite all the attention on AES for 15 years (not counting related-key attacks that are irrelevant as properly designed software would not use related keys).

        “So *why* was AES selected, when it was clearly the weakest option?”

        Why? Because the community voted for it. It received the most votes. That’s a fact. Also, RC6 was considered weakest in that competition (not Rijndael) and even RC6 remains unbroken 15 years later. The community voted for Rijndael because the design was simple, it was easy to understand and analyze, it was seen as secure, and it was easy to implement both in software and hardware (RC6, MARS, and Twofish were harder to implement in hardware). Serpent (not Twofish) was clearly the second best choice. Rijndael was good both in hardware and software.

      • I disagree that the community accepted the cipher. The accepted standard was a safety factor of two. AES never has and never can achieve this safety factor. AES should have been disallowed at this stage – as not safe “enough” to meet the accepted standards. NIST was too close to the NSA – this is becoming self evident with critics targeting NIST’s use of the NSA to manage decision making committees. Would the NSA vote for a weak or a strong cipher? Obviously they selected the weakest cipher on offer. What a surprise!

  5. Googling around I found this 270 page book pdf

    https://autonome-antifa.org/IMG/pdf/Rijndael.pdf

    where the designers explain their rationale for various design decisions for Rijndael.

    • And they still couldn’t reach a safety factor of two.

      We just have to make sure that no weak or weakened ciphers are accepted in future – and open criticism is the best way of ensuring this.

      • I looked through the book and your whole argument is nonsense. The safety factor thing is a totally made-up thing by Schneier which basically is just a ratio of the number of rounds broken (at the time he wrote the paper) vs the total number of rounds. Just changing the number of rounds will change that made up “safety” factor.

        Also, a more serious flaw with the simpleton “safety factor” (just a ratio of rounds) is that in Twofish a round only operates on half of the state bits, and full diffusion can at best be obtained after three rounds and in practice it typically takes four rounds or more.

        Quoting from the book,

        “Two rounds of Rijndael provide ‘full diffusion’ in the following sense:
        every state bit depends on all state bits two rounds ago, or a change in
        one state bit is likely to affect half of the state bits after two rounds.
        Adding four rounds can be seen as adding a ‘full diffusion step’ at the
        beginning and at the end of the cipher. The high diffusion of the Rijndael
        round transformation is thanks to its uniform structure that operates on
        all state bits.”

        For Rijndael adding four rounds actually doubles the number of rounds through which a propagation trail has to be found.

        The basic argument still stands: There are no known practical attacks against AES. If security is a concern, people should use AES. A talented cryptanalyst simply gets more “bang for the buck” finding a flaw in AES than he does for the much less known and used Twofish and Serpent. Obscurity provides no protection in encryption. More eyes looking, studying, probing, attacking an algorithm is always better.

        That’s why AES will remain superior to ciphers like Twofish and Serpent. It’s more secure as it’s studied more and all the time.
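The “full diffusion in two rounds” property quoted from the Rijndael book above can be checked directly. The Python below is an added illustration, not code from the post or from any commenter: it implements the key-independent parts of one Rijndael round (SubBytes, ShiftRows, MixColumns; AddRoundKey is omitted because XOR with a key never changes the difference between two states) and counts how many of the 16 state bytes change when a single input bit is flipped. After one round exactly one column (4 bytes) differs; after two rounds all 16 bytes differ, whatever the block and whichever bit is flipped.

```python
"""Difference propagation through Rijndael (AES) rounds.  Constructed example
for this thread, not the blog's or any commenter's code.  AddRoundKey is a plain
XOR and never alters the difference between two states, so it is omitted."""

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox() -> list:
    """AES S-box: GF(2^8) multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x] = y
                break
    sbox = []
    for x in range(256):
        v = s = inv[x]
        for _ in range(4):                  # s = v ^ rotl1(v) ^ ... ^ rotl4(v)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def shift_rows(s: list) -> list:
    # Byte r + 4*c is row r, column c (column-major); row r rotates left by r.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s: list) -> list:
    base = [2, 3, 1, 1]                     # first row of the circulant MDS matrix
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            k = base[(4 - r) % 4:] + base[:(4 - r) % 4]   # row r of the matrix
            out.append(_gf_mul(k[0], col[0]) ^ _gf_mul(k[1], col[1])
                       ^ _gf_mul(k[2], col[2]) ^ _gf_mul(k[3], col[3]))
    return out

def round_no_key(s: list) -> list:
    """SubBytes, ShiftRows, MixColumns; AddRoundKey omitted (see docstring)."""
    return mix_columns(shift_rows([SBOX[b] for b in s]))

def diffusion(rounds: int, block: list, bit: int) -> tuple:
    """Flip one bit of `block`, run both copies through `rounds` rounds and
    return (differing bytes, differing bits) out of 16 bytes / 128 bits."""
    a, b = list(block), list(block)
    b[bit // 8] ^= 1 << (bit % 8)
    for _ in range(rounds):
        a, b = round_no_key(a), round_no_key(b)
    diff = [x ^ y for x, y in zip(a, b)]
    return sum(1 for d in diff if d), sum(bin(d).count("1") for d in diff)

if __name__ == "__main__":                  # constructed sample block
    print([diffusion(n, list(range(16)), 0) for n in (0, 1, 2)])
```

The byte counts are exact (1, 4, 16 after 0, 1, 2 rounds) because MixColumns is an MDS map and ShiftRows sends the four bytes of one column into four different columns; the bit count after two rounds is the “about half of the 128 bits” the book describes and varies with the input.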

  6. “I disagree on the community accepted the cipher. The accepted standards were a security factor of two. ”

    There was absolutely no such “safety factor” as a standard that was assignable as 1 or 2 or 3, which as I said in my last post is just a made-up thing by Schneier who gets this “factor” just by dividing the total number of rounds by the number of rounds broken at the time. The argument totally ignores that 2 rounds in Rijndael provide full diffusion vs a round in Feistel ciphers only operating on half of the state bits (full diffusion after 4 rounds). The safety factor is just a meaningless ratio and says nothing about actual math or security.

    There is actually no proof that Twofish is stronger than AES. If the NSA has already broken Twofish, too bad for you, as you won’t even know it since smart cryptographers haven’t been studying it for 15 years.

    Is that your standard for a “safe” cipher? That no one gives a crap about it for 15 years?

    No thanks. AES is safer.

    • The only form of AES unbroken is AES GCM.
      Any cipher based on CBC is broken. As most forms of AES are AES CBC – then they’re all at risk.
      The German military offer the best explanations of how to hack AES that I’ve seen.

      Google are developing Chacha – which is 4 times faster than AES.
      Any cipher that is quadruple the speed, will become mainstream.

      • Art

        You are posting nonsense. AES CBC isn’t broken. It’s unauthenticated, and authenticated encryption is preferred, especially on the web. AES CBC is perfectly secure, depending on the case, where authentication isn’t needed. Also, CBC is a block cipher mode and the problems associated with CBC would also be the same for all other block ciphers like Twofish and Serpent.

        You admit that speed is very important, so NIST in fact made the right decision picking Rijndael as the winner 16 years ago, as it was the fastest and remains secure 16 years later. Twofish would have been the worst of the three as it is hard to implement in hardware.

        By the way, AES is faster than ChaCha on CPUs that have AES-NI instructions. That includes not only Intel and AMD, but ARMv8 and up used by all newer phones. That’s why Google switched back from ChaCha to AES on newer phones that have ARMv8 CPUs.

        Looks like AES isn’t going anywhere as it remains the best choice, as it clearly was the best choice 16 years ago when it was picked as the winner.

      • Speed is important, but not as important as being secure. This is where AES Rijndael fails. Way back in 1999, reports were published regarding concerns relating to AES. Extra rounds were added to AES to make it secure – but then it failed on speed: it was too slow to be usable. I don’t agree that AES was the right choice – AES should have been disqualified as a finalist for being too weak. There are plenty of other ciphers that are much safer. The open source community tried to raise a red flag at the time, to highlight their concerns.

      • No, you are wrong. Extra rounds were not needed to make Rijndael secure, as it’s still secure 17 years later without needing any extra rounds. In fact no real progress has been made in 17 years, despite all the research, as no more rounds are broken. AES will remain unbroken probably for the next million years. Speed is very important, as for example without speed and lower power consumption, phones would not be encrypted by default, as consumers wouldn’t buy phones that are slower and have worse battery life. That’s why Google switched back from ChaCha20 to AES on newer phones, as these newer phones have CPUs with AES-NI instructions that make it not only faster but more secure, as AES-NI protects against side-channel attacks.

        AES is not only faster but it’s also more secure than Twofish, as Twofish uses even more lookup tables than AES.

        If AES were to be replaced, it won’t be by Twofish, which is way weaker (due to side channel attacks and no hardware support). It would be some newer algorithm that takes advantage of the AES-NI instructions that all modern CPUs have. In any case, AES isn’t going anywhere as it has withstood the test of time. Almost 20 years and it remains as solid as ever.

      • There were other competitors who strongly disagreed that it was safe. There is an unwritten agreed safety factor of 2 that is accepted in encryption. AES 128 has a safety factor that is 1.1. They tried to get AES to a safety factor of 2 – but this made the cipher too slow.

      • “There were other competitors who strongly disagreed that it was safe.”

        These other competitors were promoting their own algorithms, like Twofish, but 20 years later they have been proven wrong, as AES remains not only secure but no additional rounds have been broken, despite far more research on AES than on the others.

        Twofish is weaker as it’s prone to even more side-channel attacks, since it has more lookup tables.

        If AES is replaced, it would be replaced with something that uses the AES-NI instructions (that’s billions of dollars of investment) that all modern CPUs have (Intel, AMD, IBM, Android and Apple phones, tablets etc). It’s not going to be replaced with Twofish, which is slow and weak and old.

      • They are also some of the greatest open source encryption developers on the planet, and in a knowledgeable position to criticise the selection. Yes, they had developed a rival product, which was much safer. They were probably bewildered at the decision.

      • No, they were not bewildered by the decision. AES received the most votes from the community back then:

        Rijndael: 86 positive, 10 negative
        Serpent: 59 positive, 7 negative
        Twofish: 31 positive, 21 negative

        There were no rival products that are as widely used as AES in the last 20 years. Twofish is not used by anyone except some obscure software. Even your own site (uwnthesis.wordpress.com) is encrypted with AES on Chrome, Firefox, Edge, and mobile browsers.

        Eventually CAESAR (Competition for Authenticated Encryption) will have a selection of newer, better algorithms (most of them use AES-NI, as AES-NI is supported by all modern CPUs). I am pretty sure within the next few years most of the world will be using authenticated algorithms from CAESAR.

        Twofish and Serpent are dead with no future and will never be used except in obscure, irrelevant software.