Is 128 Bits Better than 256?

Several months ago, the Fortify Security Research Group (SRG) published Crypto Manifesto -- a technical note that contains the guidelines for the usage of various cryptographic algorithms in a variety of popular programming languages. The blog entry that accompanied this publication is here. One of the guidelines we gave in the paper (and that we enforce in Fortify Secure Coding Rulepacks) states that keys for symmetric encryption algorithms (such as AES) should be no less than 128 bits in length, naturally implying that keys of 192 and 256 bits are better or at least are as good as those of 128 bits. It turns out, though, that this might not actually be the case.

A recent paper describes new cryptanalytic attacks on AES that are better than brute force. The attacks work only on AES-192 and AES-256, and the idea used for these attacks does not apply to AES-128, making it theoretically stronger than the other two variants of the block cipher, at least against these attacks. Interestingly enough, the attacks are based on the idea of local collisions -- the notion derived from the cryptanalysis of hash algorithms. This means that these attacks will have implications on AES-based hash functions. The publication of the paper raised many interesting questions about security of AES, and a lot of them are addressed by the authors in their FAQ.

How does this affect the guidance we've been giving? We do not think it does. Even though the new attacks are better than brute force, they are still a long way from being practical. As far as we are concerned, symmetric keys of 128, 192, and 256 (no less than 128) bits might not be safe forever, but they're still safe today.

Technorati Tags: crypto encryption keys AES