13

Imagine I have this:

$cdata = AES_256($data, $pass);

AES_256 implements the AES algorithm.

If I know the content of $cdata and the content of $data and also have the AES_256() code, can I reverse engineer and find $pass?

Joachim Sauer
  • 302,674
  • 57
  • 556
  • 614
acemtp
  • 2,971
  • 6
  • 34
  • 43
  • 2
    You're going to need alot of paper and pens – Chad Grant May 01 '09 at 08:07
  • 14
    Just a matter of wording: Reverse engineering AES would give you the AES algorithm. You already know that algorithm. What you are asking is called "breaking AES". – Magnus Hoff May 01 '09 at 09:23
  • Yes, of course, given sufficient time. :-) – Nemo Jun 20 '11 at 04:00
  • I found a related answer on [security.stackexchange.com regarding known-plaintext with AES](http://security.stackexchange.com/questions/5355/compute-the-aes-encryption-key-given-the-plaintext-and-its-ciphertext) which may be helpful. – Foot Sep 04 '12 at 15:59

9 Answers9

15

Simple answer: NO.

This has been tested, and mentioned in the Wiki link.

A related-key attack can break up to 9 rounds of 256-bit AES. A chosen-plaintext attack can break 8 rounds of 192- and 256-bit AES, and 7 rounds of 128-bit AES, although the workload is impractical at 2128 - 2119.

Or put it another way: you have a better chance of being struck by lighting... on the same day you win the Lottery, than breaking it!

Joachim Sauer
  • 302,674
  • 57
  • 556
  • 614
kevchadders
  • 8,335
  • 4
  • 42
  • 61
  • 1
    "break up to 9 rounds of 256-bit AES" What is a "round" in this definition? – acemtp May 03 '09 at 17:32
  • 2
    Block ciphers scrambles the message repeatedly using the same algorithm. A single "pass" of scrambling is called a "round". How many rounds are needed create a secure algorithm depends on how much a single round scrambles the input. AES-256 uses 14 rounds. – Nuoji Mar 09 '11 at 13:01
  • @Nuoji I get what a 'round' is for AES and in the context of an encryption algorithm but what does it mean when something says when "an attack can break up to *x* rounds..."? – greatwolf Aug 05 '11 at 05:43
  • This means, if you only use x rounds of the algorithm, there is an attack less complex than brute force to retrieve the plaintext. – Nuoji Jun 29 '12 at 14:00
13

This is called a known-plaintext attack. A good cipher like AES should be immune to it, as the others explained.

starblue
  • 55,348
  • 14
  • 97
  • 151
4

If $pass is actually a password and not a 256-bit key, you may be in luck.

While it is far from trivial to perform, a brute-force attack against a normal password is much faster than brute-forcing a 256-bit key.

So modify one of the many password-brute-forcing tools, and you have a attack that (depending on the strength of the password) might take weeks to several years - but that is fast compared to 3x10^51 years...

Rasmus Faber
  • 48,631
  • 24
  • 141
  • 189
3

Another quote, from Wikipedia:

AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second would require about 3 x 10^51 years to exhaust the 256-bit key space.

Brute forcing when you know the original text might be faster but still, 3 x 10^51 years is a long time. Plus there's the problem of probably not having a device that can check a billion billion (10^18) keys/second.

In short: everything is possible, but this is not feasible in the world we are now living in.

pyrocumulus
  • 9,072
  • 2
  • 43
  • 53
2

You could brute force it, but it would take a long time. As in decades or even longer. That's the point of encryption algorithms like AES.

Unknown
  • 45,913
  • 27
  • 138
  • 182
  • 2
    The duration you are looking for is not "decades". It's more like "heat death of the universe". – joeforker May 19 '09 at 18:20
  • 2
    @joeforker and in 20-30 years I'm sure we'll be laughing about how trivial it is to break AES 256 and current encryption uses megabyte keys to keep up with computers. – Chris Marisic Nov 16 '09 at 19:05
1

AES, like all good crypto algorithms, doesn't rely on security through obscurity.

In other words, there are no "secrets" in the code, so you having the code won't help you particularly.

Known plaintext is a separate issue, which I don't know much about so I'll leave that up to the other answerers.

Blorgbeard
  • 101,031
  • 48
  • 228
  • 272
0

with the power of super computers the time to crash AES encryption with be dramatically shortened.... I heard...

lolalaputana
  • 1
0

2x2^256 possible combinations is a lot to bruteforce. But bruteforcing is the only way. It would actually take about 3 decades. AES is the best Encryption possible right now I'd say. But that would only take that much time using a CPU. Because GPU's (Graphic Processing Units) are strictly math based, people have been making programs that only use the GPU to crack math based algorithms much more quickly than a CPU could. In other words AES might not last 3 decades. If only eternity codes were possible. Well looks like dynamic encryption may be the only way people can really hide their information in the near future.

L33t
  • 9
  • 1
  • Three decades?! You can't even *count* to 2^192 in three decades if you used the *entire output power of the Sun* with an *ideal* computer. ["If we built a Dyson sphere around the sun and captured *all* its energy for 32 years, without *any* loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter."](https://security.stackexchange.com/a/25392/28624) This means that it would take 59,029,581,035,870,565,171 decades with all that computing power just to *count to* 2^256. – Olathe Mar 29 '16 at 07:20
0

Of course not - the only approach is brute force. Do you really think NIST is so stupid as to choose a cipher that is so easily cracked for a new standard?

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Francis
  • 11,388
  • 2
  • 33
  • 37