AES-256 Attacks Get More Sophisticated, But Security is Maintained

August 18, 2009 Alex Woodie

A group of respected cryptographers recently publicized details of a new attack on the AES-256 encryption algorithm that appears to be quite sophisticated. For years, hackers have used blunt-force attacks to try and crack AES-256–the strongest of the U.S. Government-sanctioned Advanced Encryption Standards–with no major progress. The new approach appears to be easy enough to use that it’s making security experts worried, but that doesn’t mean you should give up on AES-256 for your enterprise security needs just yet.

Security expert Bruce Schneier, one of the first to alert the industry to the new cryptographic research, dubbed the attack “very impressive” and “completely practical” in his blog entry on the topic last month. “These new results greatly improve” on older attempts to crack AES-256.

However, that doesn’t mean that AES-256 is as weak and compromised as your Facebook password just yet.

The security experts over at Pat Townsend Security Solutions say their customers should not worry, and neither should anybody using an AES-256 solution that’s been certified by the National Institute of Standards and Technology.

That’s because all NIST-certified encryption solutions are required to use at least 14 rounds during the encryption process. The new attack on AES-256 exploits a problem with key management that is evident when 10 or fewer rounds are employed. “There is no known practical attack on 256-bit AES encryption that implements 14 rounds,” the Pat Townsend blog says. A list of all NIST-certified encryption solutions can be found at csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html

While it’s not time to pile into the ark just yet, the weakness in AES-256 encryption should serve as a wake-up call for the security-minded. After all, AES-256 was considered the gold standard in encryption. It had a 256-bit key, which supposedly makes it harder to crack than keys with 192-bit or a 128-bit lengths, right? As it turns out, the number of rounds the encryption engine takes could be just as important as key length, and this might encourage the NIST to increase the number of rounds required.

The luster is off AES-256, but other, more important security vulnerabilities will undoubtedly follow. A smart security administrator will use the event as a reminder that is no single silver bullet for achieving good security. “Cryptography is all about safety margins,” Schneier writes in his blog. “What we’re learning is that the safety margin of AES is much less than previously believed.”

Pat Townsend Security Solutions is using the episode to promote the use of trusted partners. If you went the cheap route and hacked together your own encryption routines using AES-256 or installed an open source solution, there’s a chance that work may soon be compromised by newly created attacks, the vendor writes on its blog. But if you paid for a validated solution from a vendor like PTSS, then you have less to worry about. There is some truth to that, too.

Good security isn’t a black-or-white, on-or-off proposition, but rather an on-going process that requires continual work. Keep that in mind as you’re plugging the holes in your enterprise.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”¹

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com

Q&A with TVMUG’s Don Rima Validate DBCS-Open Data

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search