Chipping away at AES

Chipping away at AES

Postby LPhifer » Tue Sep 13, 2011 9:20 am

Many WLAN security woes were laid to rest back in 2004, when 802.11i replaced WEP with AES-CCMP, certified in Wi-Fi products as WPA2. At the time, AES (nee Rijndael) was beginning broad adoption, having been selected as the FIPS-standard symmetric encryption algorithm used by U.S. government organizations to protect sensitive information.

AES was then - and still remains - a highly-regarded very robust cipher. But over the years, researchers have repeatedly analyzed AES, looking for possible flaws. This kind of scrutiny is common; theoretical weaknesses identified through cryptanalysis may or may not end up having practical impact.

This is the pragmatic lens through which to view the just-published Biclique Cryptanalysis of the Full AES by Andrey Bogdanov and Dmitry Khovratovich and Christian Rechberger:


In their paper, the authors describe a new method they developed to perform key recovery attacks against AES-128, AES-192 and AES-256. However, the paper also notes:

"As our attacks are of high computational complexity, they do not threaten the practical use of AES in any way." Moreover, "To the best of our knowledge, there are no generic methods known that would speed-up key-recovery attacks given a part of the codebook."

Nonetheless, this paper has triggered headlines touting the discovery of AES flaws. While other researchers will be scrutinizing this paper to confirm and elaborate upon the authors' biclique cryptanalysis method, it's important to put their current findings into practical perspecive.

For example, consider this blog post by Townsend Research:


which quantifies the (lack of) practical impact this way: "The effect is to weaken 128-bit AES encryption to about 126-bit AES encryption."

Or as ScienceDaily.com put it:

"Even with the new attack, the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an 8 followed by 37 zeros. To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key."

For the cryptographers, this AES research finding is important. For those worried about safe-guarding WLAN traffic, there's no reason to panic. Continue to use AES-CCMP and stay focused on avoiding mistakes that have far bigger impact, such as weak PSKs and inadequate certificate validation.
-- Lisa Phifer
User avatar
Registered User
Posts: 201
Joined: Fri Jun 25, 2010 10:42 am
Location: Pennsylvania, US

Return to WLAN Security

Who is online

Users browsing this forum: No registered users and 1 guest




Whitepaper: WLAN Design and Site Survey
Site Survey Check List
802.11n Reference Guide
RF Basics
Planning for 802.11n
Voice-over-Wireless Best Practices
Home  |  Security Center  |  All Things Wi-Fi  |  Blog  |  Library  |  AirMagnet.com  |  FlukeNetworks.com
© 2006-2013 Fluke Corporation. All rights reserved.