Encryption AES - is there really a backdoor

[3w`Sparky]

OK so I chat with alot of government bods maily Techie but some pen pushers, they all say that AES is not secure and that the US have a backdoor to access it. when you ask them how they know this they can't really say where they got it from , but they heard it and beleive it's true. . . . .

Personally i think this is a complete load of bull **it but what are people thought's do you guys hear the same and or get the same issues arrise?

what other comparable encryptions are there ?

[decepticon_eazy_e]

OK so I chat with alot of government bods maily Techie but some pen pushers, they all say that AES is not secure and that the US have a backdoor to access it. when you ask them how they know this they can't really say where they got it from , but they heard it and beleive it's true. . . . .

Personally i think this is a complete load of bull **it but what are people thought's do you guys hear the same and or get the same issues arrise?

what other comparable encryptions are there ?

AES does not have a back door. The algorithm is published and if you like math, you can do the encryption by hand with a calculator if you like.

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Nobody (with a brain) uses encryption algorithms that are not published/open source because of the fear of back doors. There are plenty of other encryption methods out there you can use, they're not as widely supported or easy to implement as AES, but they are there for your enjoyment.

Now if the government had a computer big enough to brute force any AES encryption level... that might be possible, every code is brute force-able, it's just a matter of time vs computation speed. That would also be something they would want to keep quiet.

[decepticon_eazy_e]

OK so I chat with alot of government bods maily Techie but some pen pushers, they all say that AES is not secure and that the US have a backdoor to access it. when you ask them how they know this they can't really say where they got it from , but they heard it and beleive it's true. . . . .

Personally i think this is a complete load of bull **it but what are people thought's do you guys hear the same and or get the same issues arrise?

what other comparable encryptions are there ?

AES does not have a back door. The algorithm is published and if you like math, you can do the encryption by hand with a calculator if you like.

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Nobody (with a brain) uses encryption algorithms th

[stingwray]

OK so I chat with alot of government bods maily Techie but some pen pushers, they all say that AES is not secure and that the US have a backdoor to access it. when you ask them how they know this they can't really say where they got it from , but they heard it and beleive it's true. . . . .

Personally i think this is a complete load of bull **it but what are people thought's do you guys hear the same and or get the same issues arrise?

what other comparable encryptions are there ?

AES is the symmetric key encryption standard, given the amount of research the gone into proving its safety any backdoor that existed would have been found. The people you are talking to may work for the government but they won't be working for the part that deals with this kind of stuff.

AES 128bit is still unlikely to be crackable with even large supercomputers that are none to exist. However I have broken into AES encrypted data before, but its simple because either the implementation had a fault or the key that was chosen was extremely poor.

[Jason Cooper]

AES does not have a back door.

That is a very hard to prove statement :) I think the key thing is that there hasn't been one found yet and so the only people likely to have the knowledge and computing power to break it are large governments. And if they do have the power to do that they won't advertise it by breaking the encryption on anything small or public (Just other countries political/military communications and suspected terrorist communications) and even then they won't make the results of it public.

What I am trying to say in a round about way is that even if the government can break AES encryption they wouldn't be willing to give up the power it gives them by advertising that they can do it.

[loftrat]

That is a very hard to prove statement :)

No it isn't.

The AES standard is open source and available for all to see.

Any such 'backdoor' would be in plain site, and (given the many thousands of people that are researching it continually) would have been found by now.

[IOSys]

"and so the only people likely to have the knowledge and computing power to break it are large governments."

Why "break" anything if you have a backdoor ?

The proof that AES has no government backdoor is the fact that they use it themselves .. It would be pretty

stupid to use a cipher you KNOW is weak, wouldn't it ?

[Daehlie]

The feasibility of a backdoor into AES with hashing and salting is laughable to say the least. Poor key selection allowing for rainbow attacks and things of that nature are operator error, not a flaw in the system. Properly chosen keys using the Rijndael implementation and salting, while it is difficult to say anything is unbreakable, humanity will have converted our species into a form of energy before you will be in any danger of attack.

The true wrench in the gears is the salting, once you start adding in random bits all over the place, you can significantly increase the complexity of brute-force attacks. And frankly, the default complexity of brute-forcing AES, even in its 128bit variety, stretches the limits of feasibility as it is.

[stingwray]

The feasibility of a backdoor into AES with hashing and salting is laughable to say the least. Poor key selection allowing for rainbow attacks and things of that nature are operator error, not a flaw in the system. Properly chosen keys using the Rijndael implementation and salting, while it is difficult to say anything is unbreakable, humanity will have converted our species into a form of energy before you will be in any danger of attack.

The true wrench in the gears is the salting, once you start adding in random bits all over the place, you can significantly increase the complexity of brute-force attacks. And frankly, the default complexity of brute-forcing AES, even in its 128bit variety, stretches the limits of feasibility as it is.

Salting does not improve the security of an algorithm, salting improves the quality of the key if it is a poor key, but not if it is already a good secure key.

You can't add random bits all over the place, a salt may be random but it is required then to decode the content, AES supplies support for an Initialization vector which will be different each message, this is to prevent the same message being encrypted the same way every time. IVs are sent with the encrypted message in the plain-text, because it is secure to do so as they can't gain any information from the IV and the IV is required to decrypt the content.

[Daehlie]

Salting does not improve the security of an algorithm, salting improves the quality of the key if it is a poor key, but not if it is already a good secure key.

You can't add random bits all over the place, a salt may be random but it is required then to decode the content, AES supplies support for an Initialization vector which will be different each message, this is to prevent the same message being encrypted the same way every time. IVs are sent with the encrypted message in the plain-text, because it is secure to do so as they can't gain any information from the IV and the IV is required to decrypt the content.

If you will note that I stated it increases the complexity of the brute-force attack, not increases the security of the cipher. The additional data from the salting increases the number of iterations to decode the key, as they will then need to brute force both the salt and the original key.

[Jason Cooper]

No it isn't.

The AES standard is open source and available for all to see.

Any such 'backdoor' would be in plain site, and (given the many thousands of people that are researching it continually) would have been found by now.

That isn't proof that a back door doesn't exist, just proof that one hasn't been published yet. Note I am not saying that there is a back door I am just saying that it is a lot harder to prove that something doesn't exist than to prove that it does. The classic example is black swans, at the start of the 18th century a lot of professionals believed that all swans were white. Of course they never could prove their belief but later on in that century they managed to disprove it by finding a black swan in Australia.

[beakmyn]

No it isn't.

The AES standard is open source and available for all to see.

Any such 'backdoor' would be in plain site, and (given the many thousands of people that are researching it continually) would have been found by now.

It's on Jannick's desk next to the telephone.

[IOSys]

How are rainbow-tables going to help "crack" AES ?

The reason they work so well on windows-pw's is the fact that

the geniuses in redmont "decided" to store the unsalted hash of your windoze-pw on disk .

(They also "decided" to use a weak RNG btw.. making it a pretty obvious backdoor IMO )

That is not the case with properly implemented AES (or any other well-reputable cipher for that matter) .

If you take the well-known crypto-program TrueCrypt it salts your pw with SHA 512

and it does that at least 2000 times.. Even if you computed all the permutations in a huge rainbow-table

you would STILL have to brute-force the key (potentially try every possible combination) because there is nothing to look-up..

Sorry but I'm just to lazy to do the math for you,suffice it to say that just the power-requirements to complete the task are astronomical,

we are talking GIGAWATTS ..

[decepticon_eazy_e]

It's on Jannick's desk next to the telephone.

Awesome quote!

T o o M a n y S e c r e t s.........

[stingwray]

That isn't proof that a back door doesn't exist, just proof that one hasn't been published yet. Note I am not saying that there is a back door I am just saying that it is a lot harder to prove that something doesn't exist than to prove that it does. The classic example is black swans, at the start of the 18th century a lot of professionals believed that all swans were white. Of course they never could prove their belief but later on in that century they managed to disprove it by finding a black swan in Australia.

The work that has gone into studying the algorithm is like studying the surface of the earth for Black Swans, two or three times, if there was a "backdoor" then it would have been found by now and would have been found very quickly.

How are rainbow-tables going to help "crack" AES ?

The reason they work so well on windows-pw's is the fact that

the geniuses in redmont "decided" to store the unsalted hash of your windoze-pw on disk .

(They also "decided" to use a weak RNG btw.. making it a pretty obvious backdoor IMO )

That is not the case with properly implemented AES (or any other well-reputable cipher for that matter) .

If you take the well-known crypto-program TrueCrypt it salts your pw with SHA 512

and it does that at least 2000 times.. Even if you computed all the permutations in a huge rainbow-table

you would STILL have to brute-force the key (potentially try every possible combination) because there is nothing to look-up..

Sorry but I'm just to lazy to do the math for you,suffice it to say that just the power-requirements to complete the task are astronomical,

we are talking GIGAWATTS ..

No one hashes things 2000 times, no one hashes anything twice, the definition of a good hash is a one way function, so after one hash you can't go back, doing it 2000 times isn't going to improve security and is just going to waste resources.

Rainbow tables don't work again encrypted data because the key isn't stored anywhere hashed or not hashed to compare anything to. Decryption of a block of data happens whether you know the key or not, if its wrong you get garbage back out again. When you decrypt something successfully its not garbage, there are lots of ways to verify that decryption has been successful.

So with nothing to compare to, you can't build a big lookup table to compare things against, this is hurt further by the fact that you can't build up a look up table for data, because now you need a table including every key encrypting every single piece of information. This is getting very big.

Hashes are used on encryption keys because people are lazy and choose bad passwords. A hash will do a relatively good job of making a small amount of data, into a slightly bigger standard amount, which is what encryption algorithms want from a key (padding with 0's would be a bad idea). Hashing doesn't improve the security more than that, because an attack probably knows that they key was hashed before and what algorithm was used. They could use a rainbow table then to find out the original password, but given they are probably more interested in the contents of encrypted file than the original password, they are unlikely to do this.

People are getting confused between a "backdoor" in an algorithm and a exploit in the math being discovered which reduces the amount of time to brute-force the algorithm. A backdoor is almost certain to have been discovered in testing of the algorithm. A method for reducing time however is a real possibility, but it won't be by much as again, a big flaw would have been picked up already. But this is why in a couple of years, NIST will have another competition to design the next symmetric key cipher to become a standard.

[3w`Sparky]

IOsys ,

the thats the interesting thing

Quote: The proof that AES has no government backdoor is the fact that they use it themselves

well this is the interesting thing you see, the UK don't like to use it they get all pissy when you suggest using it for data storage or to establish some tunnels, kind of the reason i thought i would post it !

very interesting thoughts from all of you tho

[stingwray]

Quote: The proof that AES has no government backdoor is the fact that they use it themselves

well this is the interesting thing you see, the UK don't like to use it they get all pissy when you suggest using it for data storage or to establish some tunnels, kind of the reason i thought i would post it !

Don't know where you've been living in the UK, but our government official endorses and recommends you use AES (FIPS 197). IOC

Personally I think you have to have a really big reason not to use AES, standards are there for a reason and you can't really argue that not having things like file formats and encryption standardized is a bad thing. Using other encryption algorithms that have different advantages, like a particularly low memory usage for an embedded device is an example of a good reason. Also everyone forget about ever creating your own algorithm, we all should know how that ends up!

[decepticon_eazy_e]

Don't know where you've been living in the UK, but our government official endorses and recommends you use AES

Yup, the UK allows high encryption, no problems there. Cisco defines high encryption as AES or 3DES. There are a few countries that prohibit the use (or at least the import) of devices or software that uses high encryption. That's why AES/3DES isn't activated on a Cisco devices by default, it's an option. There are part numbers for the firewalls that don't allow the upgrade to use AES/3DES. It's all for government compliance junk.

http://www.cisco.com/wwl/export/crypto/

Cuba, Iran, North Korea, Sudan and Syria do not. Either they don't allow it or we don't allow it, whichever.

I believe the biggest reason is we don't want to supply those countries with devices we can't crack, although the government would never admit that motive. Perhaps the enforcement actually comes from the government of those countries themselves, so they can monitor their people easier. Maybe someone has more insight into that reasoning?

[stingwray]

The export of cryptographic algorithm is often heavily prohibited and they are often treated as military assets. I don't know of anyone which bans the import of them, but certainly some countries make it illegal for their citizens to use them, given the internet now, it is extremely difficult to manage this sort of thing.

The US government generally doesn't care for backdoors anyway, they just prefer to put restrictions on shipping software, earlier US versions of IE were only allowed to use 64-bit versions of algorithms in SSL, so the government could break it if they wanted. I'll try and find a reference to that tonight.

[IOSys]

No one hashes things 2000 times, no one hashes anything twice, the definition of a good hash is a one way function, so after one hash you can't go back, doing it 2000 times isn't going to improve security and is just going to waste resources.

WRONG .. (and waste of resources is exactly why encryption-programs do it btw)

512-bit salt is used, which means there are 2*512 keys for each password. This decreases vulnerability to 'off-line' dictionary attacks (pre-computing all the keys for a dictionary of passwords is very difficult when a salt is used) .

The salt consists of random values generated by the TrueCrypt random number generator during the volume creation process.

The header key derivation function is based on HMAC-SHA-512, HMAC-RIPEMD-160, or HMAC-Whirlpool - the user selects which.

The length of the derived key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used

(in XTS mode, an additional 256-bit secondary header key is used; hence, two 256-bit keys are used for AES-256 in total).

1000 iterations (or 2000 iterations when HMAC-RIPEMD-160 is used as the underlying hash function) of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search for passwords (i.e., brute force attack)

http://www.truecrypt.org/docs/header-key-derivation

Also see

http://en.wikipedia.org/wiki/Salt_(cryptography)

http://en.wikipedia.org/wiki/Brute_force_attack

for more info and some boring math ...

[Jason Cooper]

The work that has gone into studying the algorithm is like studying the surface of the earth for Black Swans, two or three times, if there was a "backdoor" then it would have been found by now and would have been found very quickly.

Of course the black swan in this case could be one that lives on pluto so scouring the earth multiple times for it wouldn't help you find it. The point I was trying to make was that you can't prove that a backdoor doesnt' exist, just that it probably doesn't exist (Two very different things).

[Limbo]

I thinks there are so many great cryptographers from all over the world. Brilliant minds like Adi Shamir, Ronald Rivest, Leonard Adleman, Bruce Schneier, Ross Anderson, Eli Biham, Don Coppersmith, Hideki Imai and so on. I think if there is a backdoor someone would have found it and made it public.

I simply can't imagine that people of any goverment are smart enought to outsmart all these brilliant minds.

[stingwray]

WRONG .. (and waste of resources is exactly why encryption-programs do it btw)

Also see

http://en.wikipedia.org/wiki/Salt_(cryptography)

http://en.wikipedia.org/wiki/Brute_force_attack

for more info and some boring math ...

This is why I don't use TrueCrypt, they go about certain ways which are completely irrelevant and pointless. Hashing data multiple times does nothing but waste resources. For example, say you have some data (D), you hash that, and keep that (H1), hash it again and you get the output (H2) and you can see your way through the path. Now you want to build an exhaustive dictionary to brute-force with, fine.

Now in building this exhaustive dictionary, you build it up, your going to have D, H1 and H2 in your dictionary to try, so you hash them to find and you get H(D) = H1, H(H1) = H2 and H(H2) = new hash but also in your dictionary. So I've found the key which was used and I've only done one hash, not two.

You say encryption programs do it to waste resources, wasting resources does nothing to help anyone. A good encryption algorithm does not go through stages of activity, which could then help an attacker decrypt the information by looking at process cpu usage while it is encrypting, there is no need to waste resource to flatten out resource usage if your algorithm is good.

Also I hate the TrueCrypt documentation for using "Salt" everywhere, salts really aren't that useful with encryption, if you use the proper definition of a salt. Without reading any more of their documentation I think they mean initialization vector. Which is random data used in the algorithm to prevent the same data encrypted with the same key at different times looking the same, as if it did this would be valuable information to an attacker. IVs are sent in the clear with the encrypted data, so anyone can read them if they want, they are designed to be of no use to an attacker, salts have to be kept secret and you would have to remember them so that you could apply them every time you wanted to decrypt your information. At which point you have to keep it like a password and it serves no additional use.

[Jason Cooper]

You say encryption programs do it to waste resources, wasting resources does nothing to help anyone. A good encryption algorithm does not go through stages of activity, which could then help an attacker decrypt the information by looking at process cpu usage while it is encrypting, there is no need to waste resource to flatten out resource usage if your algorithm is good.

Of course there are some hashes that you can set the number of rounds that it does when generating the hash (Note: this is not the same as hashing the output again). The reason for this is purely to make it take longer to generate the hash. This can help with some aspects of security (e.g. increasing the length of time a dictionary attack would take against a hash).

One thing to look out for is that if you do use a large number of rounds in a hash for your passwords then your system could leak information about valid usernames (Though most OS's have measures in place to combat it).

[stingwray]

Of course there are some hashes that you can set the number of rounds that it does when generating the hash (Note: this is not the same as hashing the output again). The reason for this is purely to make it take longer to generate the hash. This can help with some aspects of security (e.g. increasing the length of time a dictionary attack would take against a hash).

One thing to look out for is that if you do use a large number of rounds in a hash for your passwords then your system could leak information about valid usernames (Though most OS's have measures in place to combat it).

The reason isn't to take longer generating the hash at all. Nearly all hash and encryption algorithms have a number of rounds which, loosely, the more rounds the more messed up the information. But due to some quirks of Maths, if you do certain numbers of rounds they will be significantly less secure than if you added a couple more. The number of rounds that the algorithms do is normally set on the implementation.

Passwords should always be hashed as the first thing that happens, even before looking up a username to compare the hashes against. I never looked into what OSs do this or not, but it should be all and all other software should do it as well.