
Some background: I am using the MicroChip ATAES132a for hardware encryption/decryption. The ATAES132a is very configurable and can be misconfigured in such a way that the encryption/decryption will be performed using the same nonce. In theory, if the nonce is known I can do an encryption of the plain text and get the same ciphered text result. Based on this, I could possibly try to encrypt the same plain text with the known nonce and compare to the generated ciphered text until I get a match.

For example, in theory my target key could be something like this (see below). I would need to calculate every possible key, use the known nonce and the same plain text until I get the same ciphered text result.

const uint8_t g_key0[] = { 0x01, 0x08, 0x0E, 0x91, 0xe2, 0x64, 0x8f, 0x49, 0x0c, 0xe9, 0x80, 0x45, 0x38, 0xb5, 0x85, 0x3f };

This would exploit how the device was configured incorrectly. The ATAES132a does all its encryption with AES in CCM mode. I can perform the attack either on the ATAES132a or on any PC using any standard AES library.

Is this attack plausible using a modern PC?

psmears
PhillyNJ

1 Answer


Is this attack plausible using a modern PC?

No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^{128}$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^{128}/2=2^{127}$. At $100,000,000$ attempts per second (or around $2^{26}$), it would take around $2^{101}$ seconds. The universe is around 13.7 billion years old (about $2^{59}$ seconds). So the amount of time it would take you is $2^{42}$ times the age of the universe.

There are other ways you can calculate this, but the end result is the same. See "How much would it cost in U.S. dollars to brute force a 256 bit key in a year?".

Finally, the relevant XKCD:

(image: XKCD comic "Security")

mikeazo
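A worked version of the answer's estimate, added here as an example and not taken from the answer or the linked question. It assumes the answer's figures (100 million trial encryptions per second, a 13.7-billion-year-old universe) and generalises the same arithmetic to any key size and trial rate, so you can see why a 56-bit key falls and a 128-bit key does not.

```python
import math

# Age of the universe as used in the answer: 13.7 billion years, in seconds
# (about 4.3e17 s, i.e. roughly 2^58.6).
UNIVERSE_AGE_SECONDS = 13.7e9 * 365.25 * 24 * 3600

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_estimate(key_bits: int, attempts_per_second: float) -> dict:
    """Expected cost of an exhaustive key search, expressed as base-2 logarithms.

    Assumes the key is uniformly random and every trial is one independent
    encryption, so on average half the keyspace (2^(key_bits - 1)) is tried
    before the right key turns up.  Working in log2 avoids overflowing floats
    for large key sizes and mirrors the answer's 2^127 / 2^26 = 2^101 reasoning.
    """
    if key_bits <= 0 or attempts_per_second <= 0:
        raise ValueError("key_bits and attempts_per_second must be positive")
    log2_trials = key_bits - 1                                    # e.g. 2^127
    log2_seconds = log2_trials - math.log2(attempts_per_second)   # e.g. 2^101
    log2_universes = log2_seconds - math.log2(UNIVERSE_AGE_SECONDS)  # e.g. 2^42
    return {
        "log2_expected_trials": log2_trials,
        "log2_expected_seconds": log2_seconds,
        "log2_universe_ages": log2_universes,
    }


def is_brute_force_practical(key_bits: int, attempts_per_second: float,
                             budget_years: float = 1.0) -> bool:
    """True if the expected search finishes within the given time budget."""
    est = brute_force_estimate(key_bits, attempts_per_second)
    return est["log2_expected_seconds"] <= math.log2(budget_years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    # Constructed scenarios: the question's 128-bit key on one PC versus a
    # much smaller (DES-sized) key, to show where the line actually falls.
    for bits, rate, label in [(128, 2**26, "AES-128, one PC"),
                              (128, 2**40, "AES-128, a large cluster"),
                              (56, 1e10, "56-bit key, fast hardware")]:
        est = brute_force_estimate(bits, rate)
        print(f"{label}: ~2^{est['log2_expected_seconds']:.1f} s, "
              f"~2^{est['log2_universe_ages']:.1f} universe ages, "
              f"practical in a year: {is_brute_force_practical(bits, rate)}")
```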