• The Four Hundred
  • AES-256 Attacks Get More Sophisticated, But Security is Maintained

    August 18, 2009 Alex Woodie

    A group of respected cryptographers recently publicized details of a new attack on the AES-256 encryption algorithm that appears to be quite sophisticated. For years, hackers have used brute-force attacks to try to crack AES-256, the strongest of the U.S. Government-sanctioned Advanced Encryption Standards, with no major progress. The new approach appears to be easy enough to use that it’s making security experts worried, but that doesn’t mean you should give up on AES-256 for your enterprise security needs just yet.

    Security expert Bruce Schneier, one of the first to alert the industry to the new cryptographic research, dubbed the attack “very impressive” and “completely practical” in his blog entry on the topic last month. “These new results greatly improve” on older attempts to crack AES-256.

    However, that doesn’t mean that AES-256 is as weak and compromised as your Facebook password just yet.

    The security experts over at Pat Townsend Security Solutions say their customers should not worry, and neither should anybody using an AES-256 solution that’s been certified by the National Institute of Standards and Technology.

    That’s because all NIST-certified encryption solutions are required to use at least 14 rounds during the encryption process. The new attack on AES-256 exploits a problem with key management that is evident when 10 or fewer rounds are employed. “There is no known practical attack on 256-bit AES encryption that implements 14 rounds,” the Pat Townsend blog says. A list of all NIST-certified encryption solutions can be found at csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html
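The round-count point above can be checked with a known-answer test. The following is an added example, not code from the article, NIST, or any vendor it mentions: a compact AES block encryptor with a selectable round count, compared against the published FIPS-197 Appendix C.3 vector for AES-256. All function names are hypothetical.

```python
def xtime(a):  # multiply by x in GF(2^8) modulo the AES polynomial
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def sbox_entry(x):  # multiplicative inverse in GF(2^8), then the FIPS-197 affine map
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv ^ 0x63
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s

SBOX = [sbox_entry(x) for x in range(256)]

def expand_key(key, rounds):  # FIPS-197 key expansion, returns rounds + 1 round keys
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * k:4 * k + 4], []) for k in range(rounds + 1)]

def encrypt_block(key, block, rounds):
    rk = expand_key(key, rounds)
    s = [p ^ k for p, k in zip(block, rk[0])]
    for rnd in range(1, rounds + 1):
        s = [SBOX[b] for b in s]  # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != rounds:  # MixColumns, skipped in the final round
            s = [xtime(s[4*c+i]) ^ xtime(s[4*c+(i+1) % 4]) ^ s[4*c+(i+1) % 4]
                 ^ s[4*c+(i+2) % 4] ^ s[4*c+(i+3) % 4] for c in range(4) for i in range(4)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]  # AddRoundKey
    return bytes(s)

def matches_fips197_c3(rounds):  # key, plaintext and ciphertext from FIPS-197 C.3
    key, pt = bytes(range(32)), bytes.fromhex("00112233445566778899aabbccddeeff")
    return encrypt_block(key, pt, rounds).hex() == "8ea2b7ca516745bfeafc49904b496089"
```

`matches_fips197_c3(14)` is true and `matches_fips197_c3(10)` is false: an implementation that runs fewer than 14 rounds with a 256-bit key cannot reproduce the standard's ciphertext. The code is for checking behaviour only; it is not constant-time and is not meant to protect data.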

    While it’s not time to pile into the ark just yet, the weakness in AES-256 encryption should serve as a wake-up call for the security-minded. After all, AES-256 was considered the gold standard in encryption. It had a 256-bit key, which supposedly makes it harder to crack than keys with 192-bit or 128-bit lengths, right? As it turns out, the number of rounds the encryption engine takes could be just as important as key length, and this might encourage the NIST to increase the number of rounds required.

    The luster is off AES-256, but other, more important security vulnerabilities will undoubtedly follow. A smart security administrator will use the event as a reminder that there is no single silver bullet for achieving good security. “Cryptography is all about safety margins,” Schneier writes in his blog. “What we’re learning is that the safety margin of AES is much less than previously believed.”

    Pat Townsend Security Solutions is using the episode to promote the use of trusted partners. If you went the cheap route and hacked together your own encryption routines using AES-256 or installed an open source solution, there’s a chance that work may soon be compromised by newly created attacks, the vendor writes on its blog. But if you paid for a validated solution from a vendor like PTSS, then you have less to worry about. There is some truth to that, too.

    Good security isn’t a black-or-white, on-or-off proposition, but rather an ongoing process that requires continual work. Keep that in mind as you’re plugging the holes in your enterprise.




Volume 9, Number 30 -- August 18, 2009

Copyright © 2025 IT Jungle