
I'm currently building a web application and would like to encrypt all data on the back-end. I was thinking of using the AES-256 encryption but wasn't sure how safe it was. I did the math and felt safe.

I took this model to a professor at my college, who is a cyber security expert, and he seemed to have quite a different take. He told me there are only two encryption schemes that he knows of that cannot be broken, and AES is not one of them. He said sure, put it in, but just know that there are people out there who can crack it.

I Googled everything I could about AES and it being cracked, and the only information I could find was this paper: Distinguisher and Related-Key Attack on the Full AES-256 (Extended Version). Sure, it says AES has been cracked, but it still has practical use, right? I believe it is $2^{231}$ instead of $2^{256}$.

So what gives? Is it practically secure to use or not? Does he just know something that most people don't? If my web application database credentials are somehow exposed, and a hacker gets the raw encrypted data, how can I ensure he won't be able to decrypt it within his lifetime?

Maarten Bodewes
Jacob Henning

5 Answers


He told me there are only two encryptions that he knows of that cannot be broken, and AES is not one of them

This tells me you asked your professor the wrong question. You asked a cyber security expert if an algorithm could be cracked, to which the answer is always yes, with the exception of a handful of inconvenient algorithms, such as One Time Use Pads used in exactly the correct way. Even in those cases, there are exploits to worry about.

AES-256 is an algorithm. It can be broken. If you look at the history of cryptography, every algorithm gets broken eventually. That's why we make new algorithms. The question is how long it takes to figure out the math to break it.

The real question to ask is "what is your threat model?" What sort of attack are you trying to prevent? Are you creating a digital lock on a diary to keep it safe from your sister's prying eyes, or are you Edward Snowden, on the run from several three letter agencies with billions of dollars of funding?

AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET/SCI information. That's pretty much the highest classification level they could clear it for, so the US government is pretty darn confident that nobody can break AES-256 on the timescales required to protect our nation's greatest secrets.

(Well, almost. What it really says is that they are confident that nobody outside of the US government can break AES-256. What you believe that that says about whether the US government, themselves, can break it depends on your threat model... and whether you engage in discussions of whether heavy-duty tin foil makes better hats or not)

Cort Ammon

AES-256 - the block cipher - as far as we know hasn't been broken. It has not even been close to broken. On the other hand, we cannot prove that it is secure. That means that an algorithm that is able to crack AES may be found. Most ciphers cannot be proven to be secure. Only a handful of algorithms such as the one-time-pad are secure in the information-theoretical sense.

The paper you point to is about related key attacks. These attacks are indeed possible and they reduce the strength of AES for specific use cases to a value that theoretically breaks the cipher. Basically it is dangerous to use AES-256 to build a hash function. Practically, for achieving confidentiality, AES-256 is still considered secure, even against attacks using quantum cryptanalysis.

Having a secure block cipher doesn't provide any security on its own though. You need a secure system, and for that secure system you may need a secure protocol. And in that protocol you may need a scheme or a mode of operation (such as GCM). And that encryption scheme may require a block cipher. And that block cipher may be AES-256.

The AES-256 algorithm itself requires a well protected secret key and secure implementation - such as protection against side channel attacks, where required - to be considered secure. It could for instance be made FIPS compliant.

Although the AES-256 algorithm is considered secure, that doesn't mean your scheme, protocol or system is secure. For this you need a threat model and show that it is practically secure against all possible attack vectors.


TL;DR: when building a secure system you may use AES-256, it's considered secure even if this cannot be proven. Other aspects of the system are much more likely to fail than AES-256 - the block cipher by itself.

Maarten Bodewes
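The point that the block cipher alone is not an encryption scheme, as an added example in Go that is not part of the original answer: it runs the bare AES-256 block function over a record made of two identical 16-byte blocks (ECB-style) and shows that the repetition survives in the output, then wraps the same cipher in the GCM mode of operation, which yields a fresh ciphertext on every call and rejects a ciphertext that has been modified or moved. The key is generated at run time only for the demo (in a real deployment it lives outside the database); the `row:42` label passed as additional authenticated data is an assumed convention for binding a ciphertext to its row, not something from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// RawBlockEncrypt applies the bare AES block function to each 16-byte block
// (this is ECB mode). It exists only to show why a block cipher by itself is
// not an encryption scheme: equal input blocks give equal output blocks.
func RawBlockEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM under a fresh
// random 96-bit nonce, which is prepended to the ciphertext. aad is
// authenticated but not encrypted (here: an assumed row identifier).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key, the aad or any ciphertext byte differs.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // demo key; a real key is stored outside the database
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record: two identical 16-byte blocks.
	record := bytes.Repeat([]byte("status=approved "), 2)
	aad := []byte("row:42")

	raw, _ := RawBlockEncrypt(key, record)
	fmt.Println("raw block cipher, output blocks equal:", bytes.Equal(raw[:16], raw[16:]))

	c1, _ := Seal(key, record, aad)
	c2, _ := Seal(key, record, aad)
	fmt.Println("GCM, two encryptions equal:", bytes.Equal(c1, c2))

	pt, err := Open(key, c1, aad)
	fmt.Println("decrypt ok:", err == nil && bytes.Equal(pt, record))

	tampered := append([]byte(nil), c1...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	_, err = Open(key, c1, []byte("row:43"))
	fmt.Println("ciphertext copied to another row rejected:", err != nil)
}
```

The first line of output is `true` and the rest show the GCM ciphertexts differing, decrypting correctly, and being rejected once modified or re-labelled: the same block cipher, but only the second usage is an encryption scheme in the sense the answer describes.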

So what gives? Is it safe to use or not?

You seem to change what you are asking about from phrase to phrase. You ask if it is cracked, you ask if it is secure to use, you ask if it is "practical"...

AES-256 is indeed cracked, because it doesn't hold its original 256-bit security. You ask if it is secure - security isn't a yes/no question, it is 231-bit secure, and common wisdom is that 128-bit+ is "pretty secure", and 90-bit- is close to practically broken.

He said sure, put it in, but just know that there are people out there who can crack it.

This thought seems to persist because you can't prove something doesn't exist. There isn't any information that would suggest that AES is practically broken. If you had trillions of dollars you would be better off hiring security experts to hopefully find weaknesses somewhere to reduce complexity to something manageable than building massive computer clusters. This is indeed how certain three-letter agencies break some algorithms (and especially their implementations). This of course didn't apply to AES-256, or so we hope, but countless implementations were broken because they misused something.

How do I defend my web application from a professional hacker?

This has nothing to do with encryption or cryptography. There is a misconception that encryption gives you security. What we should ask is what kind of security it gives you.

Does it protect your children on their way to school? Does it protect your house from burning down? Last I heard no.

Instead treat encryption and cryptography as a tool. It might work as smoke detectors/making house of nonflammable materials.

Does smoke detection prevent anything if you don't change the batteries? No. Does a house made of nonflammable materials prevent anything if it is built over with all wood? No. Instead, encryption has its dependencies (only the people who are supposed to know the key do know the key), and something that it gives you (people who don't have the key can't read the message).

So the question you ask shouldn't be "Is AES-256 secure and does it repel hackers?" but instead "what tools/techniques should I use to prevent/detect X?"; only then should you focus on tools to do the job.

Pascal Cuoq
axapaxa

Maybe this isn't a full answer, but I think you might find a valuable insight in analyzing your own question more closely:

it is $2^{231}$ instead of $2^{256}$
So what gives?

That is not $256 - 231 = 25$ bits out of $256$ (~10%) less secure in an "added" way but $2^{25}=33.554.432$ in a multiplied way.

Adding a single bit doesn't add 1 to your security (i.e. length of time an attacker needs to crack your encrypted messages) but doubles it!
This may be a bit counter-intuitive but in encryption we do not suffer diminishing returns but enjoy increasing returns. The "last" bit in added key length has the greatest benefit to your security, because it doubles what all the bits before it achieved.

If AES key length was chosen to be

  • minimal for efficient calculation on encryption/decryption
  • sufficient against breaking the code (e.g. a brute force attack takes 3.000.000 years)

the loss in security (that you already found) would bring it down into the practical range of breaking it in 1-2 months.

I don't know what actual time assumption was used for the AES key length definition. However your professor may have told you that his estimate as an expert is that the combined effect of

  • known vulnerabilities
  • qualitative computing power increase (better hardware) since the security assumptions have been made
  • investment into quantity of computing power (more hardware chained together)

made AES practically breakable for certain attackers. I wasn't in the discussion, so I'm unsure if that was actually his intended meaning.

Now that I think of it, the number of two unbreakable encryption schemes tipped me off that he probably meant One Time Pad and Quantum Encryption. So from his answer I'd put special emphasis like this

He said sure, put it in, but just know that there are people out there who can crack it.

The latter part could be an implication to threat model analysis. To this, I'd like to add an obligatory XKCD:

https://xkcd.com/538/
Actual actual reality: Nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)

NoAnswer
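The arithmetic behind the bit counts in the two answers above (the "231-bit secure" figure and the $2^{25}$ factor), carried through as an added worked calculation that is not part of the original posts. Times are for searching the full key space; the expected time is half that. The attacker rate of $10^{18}$ trials per second is an assumed figure for illustration only.

$$
\frac{2^{256}}{2^{231}} = 2^{25} = 33{,}554{,}432
$$

So if a full $2^{256}$ search took the hypothetical $3{,}000{,}000$ years, a $2^{231}$ search takes

$$
\frac{3 \times 10^{6}\ \text{years}}{2^{25}} \approx 0.089\ \text{years} \approx 33\ \text{days},
$$

which is where the "1-2 months" above comes from. The same scaling against the thresholds quoted in the previous answer, for an assumed attacker performing $10^{18}$ trials per second (about $3.2 \times 10^{25}$ per year):

$$
\begin{aligned}
\frac{2^{231}}{3.2 \times 10^{25}} &\approx 1.1 \times 10^{44}\ \text{years} \\
\frac{2^{128}}{3.2 \times 10^{25}} &\approx 1.1 \times 10^{13}\ \text{years} \\
\frac{2^{90}}{3.2 \times 10^{25}} &\approx 39\ \text{years}
\end{aligned}
$$

Each bit removed halves the time, so the $25$ bits lost to the related-key result leave $141$ more bits to shave off before AES-256 reaches the "close to practically broken" 90-bit level at that rate.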

If I recall, a few years back AES256 was broken, but not in a significant way. Broken refers to finding a method which is faster than brute force to derive the key. And while I am not sure it was AES256, I know one of the popular encryption systems was broken, but it only reduces the expected time needed to break it slightly.

As far as I know the only algorithms that have not been broken to date are Serpent and DES. Now I know everyone will say that DES is broken, but in actuality it has not been broken; instead hardware advanced beyond the point where we could no longer consider it secure. Meaning it is trivial for us to iterate through all possible combinations of DES and find the key used. Which is why 3-DES is considered secure, since it is essentially the same algorithm used 3 times in succession.

This is a cautionary tale as well, as at any point we could see hardware advance to a point where it becomes trivial to brute force current algorithms. When DES was drafted they couldn't imagine a computer powerful enough to do this; now such hardware is so common that it is something they have us do as an exercise when teaching encryption. So in reality all you can do is use the best you know of and hope that it will last you for a reasonable period.

(Please note that I did not check my references before posting, so my facts may be off slightly as they are from memory.)

frozen