AES128 vs AES256 using bruteforce

Asked 17/9, 2013 at 10:37 Answered 17/9, 2013 at 10:59

Solved encryption cryptography aes combinations brute-force

I came across this:

Key combinations versus Key size

I don't understand how AES128 is stronger than AES256 in a brute force attack, or how AES256 allows for more combinations than AES128.

These are my simplified premises - assuming I have 100 unique characters on my keyboard, and my ideal password length is 10 characters - there would be 100^10 (or 1x10^20) combinations for brute force attack to decry-pt a given cipher text.

In that case, whether or not AES128 or AES256 is applied doesn't make a difference - please correct me.

Torture answered 17/9, 2013 at 10:37 Comment(2)

AES-256 is stronger than AES-128. But it's very rare for either to be the weakest point in your system, so the choice rarely affects the practical security of the combined system. – Correspond 17/9, 2013 at 13:31

@Correspond Thanks for your comment. I understand that both your points. My question was actually on the effect of bruteforce on a assumed password on the above premises and the attack's effectiveness in comparison. – Torture 18/9, 2013 at 2:11

Yes, you are correct (in that a weak password will negate the difference between AES128 and AES256 and make bruteforcing as complex as the password is). But this applies only to the case when the password is the only source for key generation.

In normal use, AES keys are generated by a "truly" random source and never by a simple pseudorandom generator (like C++ rand());

AES256 is "more secure" than AES128 because it has 256-bit key - that means 2^256 possible keys to bruteforce, as opposed to 2^128 (AES128). The numbers of possible keys are shown in your table as "combinations".

Personally, I use KeePass and passwords of 20 symbols and above. Using 20-symbol password composed of small+capital letters (26+26), digits (10) and special symbols (around 20) gives (26+26+10+20)^20 = 1.89*10^38 possible combinations - comparable to an AES128 key.

Sebi answered 17/9, 2013 at 10:47 Comment(5)

Note that as @ShashankKadne pointed out in his answer, AES256 might not be more secure than AES128 after all. – Dita 17/9, 2013 at 13:15

Nope, he is wrong. The only known attack only works for weakened version of AES-256 (9 or 10 rounds). Full AES-256 has 14 rounds (see schneier.com/blog/archives/2009/07/another_new_aes.html) – Sebi 17/9, 2013 at 13:29

Read the above as the only known key schedule attack. Other known attacks are insignificant, though. – Sebi 17/9, 2013 at 14:1

Thanks @DarkWanderer. Your explanation is clear. My concern is mainly towards Dropbox, when they mentioned they use AES256 and has rock solid security. On this, I guess I can conclude there isn't a difference on AES128 and AES256 then, in my premise. – Torture 18/9, 2013 at 2:1

In principle, you're right. Dropbox is a totally different case, however :) Since Dropbox allows you to 1.share your files with anyone 2.recover your password, it is highly unlikely your key is dependent on your password. More feasibly, there are internal AES keys with which the data is encrypted on Dropbox datacenter's drives and/or temporary one-session key used for transmission. Otherwise both sharing and password recovery would not be possible (example: Keepass or Bitcoin. If you lose your password, you're screwed). So, Dropbox's reference to AES256 is actually pure marketing. – Sebi 18/9, 2013 at 8:28

how AES128 is stronger than AES256 in a brute force attack

AES does multiple rounds of transforming each chunk of data, and it uses different portions of the key in these different rounds. The specification for which portions of the key get used when is called the key schedule. The key schedule for 256-bit keys is not as well designed as the key schedule for 128-bit keys. And in recent years there has been substantial progress in turning those design problems into potential attacks on AES 256.This is the basis for advice on key choice.

how AES256 allows for more combinations than AES128

AES256 uses 256 bits, giving you the permissible combination of aroung 2^256, while in case of 128, its 2^128.

These are my simplified premises - assuming I have 100 unique characters on my keyboard, and my ideal password length is 10 characters - there would be 100^10 (or 1x10^20) combinations for brute force attack to decry-pt a given cipher text.

I am not quite sure what your understanding is, but when you say applying AES128/AES256, you actually encrypt your password into a cipher text.It is encoded information because it contains a form of the original plaintext that is unreadable by a human. It won't just use all the 100unique characters from your keyboard. It uses more than that. So, if you want to get the original password, you must find the key with which it is encrypted. And that gives you the combination figures 2^128 ans 2^256.

Waldo answered 17/9, 2013 at 10:59 Comment(5)

The statement about AES128 is wrong. See comment from Bruce Schneier on the topic: "Yes and no. Neither can be broken. There are no attacks against any AES variants that are better than brute force; all of these attacks are against reduced-round variants." (schneier.com/blog/archives/2009/07/another_new_aes.html#c386957). There is no proof AES128 is "stronger". – Sebi 17/9, 2013 at 13:34

If you read it carefully I never said AES128 is "stronger". I just said it is advisable to use AES128! – Waldo 17/9, 2013 at 16:20

The first line was actually taken from the posted question. – Waldo 17/9, 2013 at 16:26

Okay, after you said that, I see. It's not clear from your answer that it's a citation, though. I'd recommend to change it to be more clear. – Sebi 17/9, 2013 at 19:34

@ShashankKadne - My understanding is that in both encryption, there are 100^10 possible passwords using my assumed keyboard. So a brute force attack will be equally strong/weak on both. I was looking for any explanations that my answer is wrong. Thanks. – Torture 18/9, 2013 at 2:4

Recommended topics

Hot tags