The title says "AES-256 is as safe as AES-128" for a translation.
Hi, Dear everyone who I contacted and haven't contacted so far. I have run a test program against a practiced attack against AES-256. While trying to restore the key with just 1 guessed t0 value (I have almost given up) But in spirit of international cooperation I'm going to pass the torch to someone else to continue on this work as priorities shift me to my main project which was supposed to start today. Earlier today I sent a mail to b...@openbsd.org commemorating their good efforts in bringing us security. Earlier this week I wondered on the tech@ mailing list if chacha20 or whatever it's called could be made functional. I personally have switched to 3des as to me AES is insecure now. When I get chacha20 working on OpenBSD I will switch to that and continue on. Details of the attack are simple. In the modules of AES there is an AddRoundKey functionality. This key is generated before encryption and used as keying boxes. It is possible to reverse this given any point below the main key. Just, one needs to inverse the order of all variables and the main key is recovered. This works for 10 rounds as well as 100 million rounds given you have a large enough memory. This function has 4 "T" variables which are temporary. They are discarded at the end but not wiped. In the another bug report (which I will post the URL) I recommended wiping these values to NULL (zeroize) before exiting the function. One t0 value is 32 bit. This means 4.2 billion operations are needed to recover it's value... just what value is it. Taking into consideration that the main key flies past in row 0 over and over, there is still no solid sure shot method of finding it. But I will work on it when I see fit, believe me. The fact is. Given that there is four "t" values of 32 bits this adds up to 128 bits. The operation of brute forcing this 128 bits is just shorter than a full decrypt() as many parts have been able to be cut out. This makes AES-192 and AES-256 just as strong as AES-128. However there is a catch. You must know the plaintext and the ciphertext of the first block (16 or 32 bytes). In many cases on TLS this may be "GET / HTTP/1.1\n" or an additional Host: www.example.org which fills out the full 32 bytes for AES-256. This part is theory and I don't have code right now to prove this. I'm a single unemployed ex-sysadmin and my resources are limited. But I believe the sending side of a TLS transaction may be breakable, which may include all the sensitive data. Here is my work so far that demonstrates study and run with a practice key: https://github.com/pbug44/misc/tree/main/cg4 Here is my original post to b...@openbsd.org (first responders): https://marc.info/?l=openbsd-bugs&m=171500211927736&w=2 Here is a small explanation of AddRoundKey: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard I'm sending this mail to BSI, CERT, Theo de Raadt and the misc@openbsd.org mailing list. Just so that it doesn't get lost. Please when you mention a credit give credit to OpenBSD as this would not have been possible without that project. Best Regards, -pjp -- my associated domains: callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de
