Content deleted Content added
Citation bot (talk | contribs) Alter: template type, pages, title. Add: isbn, pages, volume, series, chapter, chapter-url, date, authors 1-1. Removed or converted URL. Removed parameters. Formatted dashes. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Abductive | Category:Cryptography | #UCB_Category 80/220 |
→External links: demo link added |
||
| (26 intermediate revisions by 18 users not shown) | |||
Line 16:
| cryptanalysis = Attacks have been published that are computationally faster than a full [[brute-force attack]], though none as of 2023 are computationally feasible.<ref name="aesbc">{{cite web |url=http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf |archive-url=https://web.archive.org/web/20160306104007/http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf |archive-date=March 6, 2016 |title=Biclique Cryptanalysis of the Full AES |access-date=May 1, 2019 |url-status=dead |df=mdy-all}}</ref>
For AES-128, the key can be recovered with a [[computational complexity]] of 2<sup>126.1</sup> using the [[biclique attack]]. For biclique attacks on AES-192 and AES-256, the computational complexities of 2<sup>189.7</sup> and 2<sup>254.4</sup> respectively apply. [[Related-key attack]]s can break AES-
Another attack was blogged<ref name="Bruce Schneier">{{cite web |url=http://www.schneier.com/blog/archives/2009/07/another_new_aes.html |title=Another New AES Attack |author=Bruce Schneier |date=2009-07-30 |work=Schneier on Security, A blog covering security and security technology |access-date=2010-03-11 |url-status=live |archive-url=https://web.archive.org/web/20091005183132/http://www.schneier.com/blog/archives/2009/07/another_new_aes.html |archive-date=2009-10-05}}</ref> and released as a [[preprint]]<ref>{{cite web |url=https://eprint.iacr.org/2009/374 |title=Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds |author=Alex Biryukov |author2=Orr Dunkelman |author3=Nathan Keller |author4=Dmitry Khovratovich |author5=Adi Shamir |date=2009-08-19 |access-date=2010-03-11 |archive-url=https://web.archive.org/web/20100128050656/http://eprint.iacr.org/2009/374 |archive-date=28 January 2010 |url-status=live}}</ref> in 2009. This attack is against AES-256 that uses only two related keys and 2<sup>39</sup> time to recover the complete 256-bit key of a 9-round version, or 2<sup>45</sup> time for a 10-round version with a stronger type of related subkey attack, or 2<sup>70</sup> time for an 11-round version.
Line 24:
The '''Advanced Encryption Standard''' ('''AES'''), also known by its original name '''Rijndael''' ({{IPA|nl|ˈrɛindaːl}}),<ref name="Rijndael-ammended.pdf" /> is a specification for the [[encryption]] of electronic data established by the U.S. [[National Institute of Standards and Technology]] (NIST) in 2001.<ref name="fips-197">{{cite web |url=https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf |title=Announcing the ADVANCED ENCRYPTION STANDARD (AES) |publisher=United States National Institute of Standards and Technology (NIST) |work=Federal Information Processing Standards Publication 197 |date=November 26, 2001 |access-date=August 26, 2024 |url-status=live |archive-url=https://web.archive.org/web/20240823165748/https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf |archive-date=August 23, 2024}}</ref>
AES is a variant of the Rijndael [[block cipher]]<ref name="Rijndael-ammended.pdf">{{cite web |url=http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=1 |title=AES Proposal: Rijndael |last1=Daemen |first1=Joan |last2=Rijmen |first2=Vincent |date=March 9, 2003 |publisher=National Institute of Standards and Technology |page=1 |access-date=21 February 2013 |url-status=live |archive-url=https://web.archive.org/web/20130305143117/http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=1 |archive-date=5 March 2013}}</ref> developed by two [[Belgium|Belgian]] cryptographers, [[Joan Daemen]] and [[Vincent Rijmen]], who submitted a proposal<ref name="Rijndaelv2">{{cite web |url=http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf |url-status=dead |archive-url=https://web.archive.org/web/20070203204845/https://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf |archive-date=February 3, 2007 |title=AES Proposal: Rijndael |author=Joan Daemen and Vincent Rijmen |date=September 3, 1999}}</ref> to NIST during the [[Advanced Encryption Standard process|AES selection process]].<ref>{{Cite news |title=U.S. Selects a New Encryption Technique |
AES has been adopted by the [[Federal government of the United States|U.S. government]]. It supersedes the [[Data Encryption Standard]] (DES),<ref>{{cite news |url=http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479 |title=NIST reports measurable success of Advanced Encryption Standard |work=Journal of Research of the National Institute of Standards and Technology |first=Harold B. |last=Westlund |date=2002 |url-status=dead |archive-url=https://web.archive.org/web/20071103105501/http://findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479 |archive-date=2007-11-03}}</ref> which was published in 1977. The algorithm described by AES is a [[symmetric-key algorithm]], meaning the same key is used for both encrypting and decrypting the data.
Line 125:
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.<ref name="improved">[[John Kelsey (cryptanalyst)|John Kelsey]], [[Stefan Lucks]], [[Bruce Schneier]], [[Mike Stay]], [[David A. Wagner|David Wagner]], and [[Doug Whiting]], ''Improved Cryptanalysis of Rijndael'', [[Fast Software Encryption]], 2000 pp213–230 {{cite web |title=Academic: Improved Cryptanalysis of Rijndael - Schneier on Security |url=http://www.schneier.com/paper-rijndael.html |url-status=live |archive-url=https://web.archive.org/web/20070223215007/http://www.schneier.com/paper-rijndael.html |archive-date=2007-02-23 |access-date=2007-03-06}}</ref>▼
=== Known attacks ===
Line 137 ⟶ 135:
During the AES selection process, developers of competing algorithms wrote of Rijndael's algorithm "we are concerned about [its] use ... in security-critical applications."<ref name="rijndael-algebraic">
{{cite conference |author=Niels Ferguson |author-link=Niels Ferguson |author2=Richard Schroeppel |author2-link=Richard Schroeppel |author3=Doug Whiting |title=A simple algebraic representation of Rijndael |book-title=Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science |pages=103–111 |publisher=[[Springer-Verlag]] |date=2001 |url=http://www.macfergus.com/pub/rdalgeq.html |format=PDF/[[PostScript]] |access-date=2006-10-06 |archive-url=https://web.archive.org/web/20061104080748/http://www.macfergus.com/pub/rdalgeq.html |archive-date=4 November 2006 |citeseerx=10.1.1.28.4921}}</ref> In October 2000, however, at the end of the AES selection process, [[Bruce Schneier]], a developer of the competing algorithm [[Twofish]], wrote that while he thought successful academic attacks on Rijndael would be developed someday, he "did not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."<ref>Bruce Schneier, [http://www.schneier.com/crypto-gram-0010.html AES Announced] {{webarchive|url=https://web.archive.org/web/20090201005720/http://www.schneier.com/crypto-gram-0010.html |date=2009-02-01 }}, October 15, 2000</ref>
▲By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.<ref name="improved">[[John Kelsey (cryptanalyst)|John Kelsey]], [[Stefan Lucks]], [[Bruce Schneier]], [[Mike Stay]], [[David A. Wagner|David Wagner]], and [[Doug Whiting]], ''Improved Cryptanalysis of Rijndael'', [[Fast Software Encryption]], 2000 pp213–230 {{cite web |title=Academic: Improved Cryptanalysis of Rijndael - Schneier on Security |url=http://www.schneier.com/paper-rijndael.html |url-status=live |archive-url=https://web.archive.org/web/20070223215007/http://www.schneier.com/paper-rijndael.html |archive-date=2007-02-23 |access-date=2007-03-06}}</ref>
Until May 2009, the only successful published attacks against the full AES were [[side-channel attack]]s on some specific implementations. In 2009, a new [[related-key attack]] was discovered that exploits the simplicity of AES's key schedule and has a complexity of 2<sup>119</sup>. In December 2009 it was improved to 2<sup>99.5</sup>.<ref name=relkey /> This is a follow-up to an attack discovered earlier in 2009 by [[Alex Biryukov]], [[Dmitry Khovratovich]], and Ivica Nikolić, with a complexity of 2<sup>96</sup> for one out of every 2<sup>35</sup> keys.<ref>{{cite book |volume=5677 |chapter=Distinguisher and Related-Key Attack on the Full AES-256 |last1=Nikolić |first1=Ivica |title=Advances in Cryptology - CRYPTO 2009 |date=2009 |publisher=Springer Berlin / Heidelberg |isbn=978-3-642-03355-1 |pages=231–249 |doi=10.1007/978-3-642-03356-8_14 |series=Lecture Notes in Computer Science}}</ref> However, related-key attacks are not of concern in any properly designed cryptographic protocol, as a properly designed protocol (i.e., implementational software) will take care not to allow related keys, essentially by [[Related-key attack#Preventing related-key attacks|constraining]] an attacker's means of selecting keys for relatedness.
Line 169:
In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either cipher text or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL.<ref>{{cite journal |url=http://eprint.iacr.org/2010/594.pdf |title=Cache Games – Bringing Access-Based Cache Attacks on AES to Practice |author=Endre Bangerter |author2=David Gullasch |author3=Stephan Krenn |name-list-style=amp |date=2010 |journal=IACR Cryptology ePrint Archive |url-status=live |archive-url=https://web.archive.org/web/20101214092512/http://eprint.iacr.org/2010/594.pdf |archive-date=2010-12-14}}</ref> Like some earlier attacks, this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.<ref>{{cite web |url=http://news.ycombinator.com/item?id=1937902 |title=Breaking AES-128 in realtime, no ciphertext required |publisher=Hacker News |access-date=2012-12-23 |url-status=live |archive-url=https://web.archive.org/web/20111003193004/http://news.ycombinator.com/item?id=1937902 |archive-date=2011-10-03}}</ref>
In March 2016, C. Ashokkumar, Ravi Prakash Giri and Bernard Menezes presented a side-channel attack on AES implementations that can recover the complete 128-bit AES key in just 6–7 blocks of plaintext/ciphertext, which is a substantial improvement over previous works that require between 100 and a million encryptions.<ref>{{Cite conference |date=12 May 2016 |title=Highly Efficient Algorithms for AES Key Retrieval in Cache Access Attacks |conference=2016 IEEE European Symposium on Security and Privacy (EuroS&P) |last1=Ashokkumar |first1=C. |pages=261–275 |last2=Giri |first2=Ravi Prakash |last3=Menezes |first3=Bernard |___location=Saarbruecken, Germany |doi=10.1109/EuroSP.2016.29}}</ref> The proposed attack requires standard user privilege and key-retrieval algorithms run under a minute.
Many modern CPUs have built-in [[AES instruction set|hardware instructions for AES]], which protect against timing-related side-channel attacks.<ref>{{cite conference |last1=Mowery |first1=Keaton |last2=Keelveedhi |first2=Sriram |last3=Shacham |first3=Hovav |conference=CCS'12: the ACM Conference on Computer and Communications Security |date=19 October 2012 |___location=Raleigh, North Carolina, USA |pages=19–24 |title=Are AES x86 cache timing attacks still feasible? |url=https://cseweb.ucsd.edu/~kmowery/papers/aes-cache-timing.pdf |archive-url=https://web.archive.org/web/20170809152309/http://cseweb.ucsd.edu/~kmowery/papers/aes-cache-timing.pdf |archive-date=2017-08-09 |doi=10.1145/2381913.2381917}}</ref><ref>{{cite web |url=https://www.intel.in/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf |title=Securing the Enterprise with Intel AES-NI |access-date=2017-07-26 |url-status=live |archive-url=https://web.archive.org/web/20130331041411/http://www.intel.in/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf |archive-date=2013-03-31 |website=[[Intel Corporation]]}}</ref>
=== Quantum attacks ===
AES-256 is considered to be [[
== NIST/CSEC validation ==
Line 185:
The Cryptographic Algorithm Validation Program (CAVP)<ref>{{cite web |url=http://csrc.nist.gov/groups/STM/cavp/index.html |title=NIST.gov – Computer Security Division – Computer Security Resource Center |publisher=Csrc.nist.gov |access-date=2012-12-23 |url-status=live |archive-url=https://web.archive.org/web/20130102044410/http://csrc.nist.gov/groups/STM/cavp/index.html |archive-date=2013-01-02}}</ref> allows for independent validation of the correct implementation of the AES algorithm. Successful validation results in being listed on the NIST validations page.<ref>{{cite web |url=http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm |title=Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules |url-status=dead |archive-url=https://web.archive.org/web/20141226152243/http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm |archive-date=2014-12-26 |access-date=2014-06-26}}</ref> This testing is a pre-requisite for the FIPS 140-2 module validation. However, successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.<ref name="cnss.gov"/>
FIPS 140-2 validation is challenging to achieve both technically and fiscally.<ref name="openssl">{{cite web |author=OpenSSL, openssl@openssl.org |url=http://openssl.org/docs/fips/fipsnotes.html |title=OpenSSL's Notes about FIPS certification |publisher=Openssl.org |access-date=2012-12-23 |url-status=dead |archive-url=https://web.archive.org/web/20130102203126/http://www.openssl.org/docs/fips/fipsnotes.html |archive-date=2013-01-02}}</ref> There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant (e.g., well over
== Test vectors ==
Line 225:
* [http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf Animation of Rijndael] – AES deeply explained and animated using Flash (by Enrique Zabala / University ORT / Montevideo / Uruguay). This animation (in English, Spanish, and German) is also part of [[CrypTool|CrypTool 1]] (menu Indiv. Procedures → Visualization of Algorithms → AES).
* [https://formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng-html5.html HTML5 Animation of Rijndael] – Same Animation as above made in HTML5.
* [https://infsec.de/aes-in-excel-eng/ AES Demo in Excel] - Example implementation and demonstration in Excel (without macros) by Tim Wambach.
{{Cryptography navbox | block}}
Line 230 ⟶ 231:
[[Category:Advanced Encryption Standard]]
[[Category:Cryptography]]
[[Category:Belgian inventions]]
| |||