In the world of IT security, one of the often-debated issues is whether the 128-bit symmetric keys used by AES (Advanced Encryption Standard) are truly safe against brute force attacks, which is another name for breaching security by way of entering all possible password combinations. Currently, IT experts are unanimously saying that AES is unbreakable in spite of its limitations. This article will briefly discuss the strength of protection offered by cryptographic systems against attacks performed at different key sizes and the time required for a successful brute force attack, even considering future developments in the field of processing speed. Whatever cryptographic algorithm you use, it requires a multi-bit key to encrypt the data, which will be stored or transmitted in encrypted form. The length of the encryption key determines how easy or difficult it is to crack the protection, since longer keys are exponentially harder to crack than shorter ones. Such attacks are done by systematically checking all possible key combinations, and hackers will not give up until they find the right key. In the case of such attacks, it is not possible to exploit any other potential vulnerabilities of the encryption system.
How much protection does AES encryption offer from hacker attacks?
As you can see, it takes up to 16 turns to check all possible keystrokes starting with "0000". Given enough time, a brute force attack can crack any known algorithm. Success actually depends on whether the hackers have enough time.
The following table shows the number of possible key combinations by key size:
|Key||Time required for hacking|
|32-bit||4.2 x 1019|
|56-bit (DES)||7,2 x 1016|
|64-bit||1,8 x 1019|
|128-bit (AES)||3,4 x 1038|
|192-bit (AES)||6,2 x 1057|
|256-bit (AES)||1,1 x 1077|
It is easy to see that the number of possible combinations increases significantly together with the key size. "DES" is a 56-bit key-sized symmetric cryptographic algorithm that was successfully hacked several times in the past, first in 1977. Today, this has progressed to the point where a supercomputer can crack such encryption within 24 hours.
It is easy to put forward sound mathematical arguments in favor of the 128-bit symmetric key providing protection against this type of attack. Let’s calculate it together:
According to Wikipedia, the computing power of a faster supercomputer is: 10.51 pentaflops = 10.51 x 1015 flops [flops = floating point operations per second]. Number of flops needed to check the combination: 1,000 (a rather optimistic estimate, but let’s go with that).
Number of combination checks per second = (10.51 x 1015) / 1000 = 10.51 x 1012
Number of seconds per year = 365 x 24 x 60 x 60 = 31,536,000
The number of years required to crack a 128-bit AES key = (3.4 x 1038) / [(10.51 x 1012) x 31,536,000]
= (0.323 x 1026 )/31,536,000
= 1.02 x 1018
= 1,000,000,000 billion years (1,024,226,281,075,596,144 years)
It would take an absolutely mindboggling amount of time to crack a 128-bit AES key, even with a supercomputer. In fact, this is more time than the entire age of the universe, which is currently estimated at 13.75 billion years. Assuming there is a computer system that can recover a DES key in a second, it would still take about 149 trillion years for that machine to crack a 128-bit AES key. But there is more to it. The following is an excerpt from one of Seagate's technical documents ("128-bit versus 256-bit AES Encryption”), which explains why 128-bit AES is sufficient to meet any future needs.
Let’s assume the following:
- Every person on the planet has 10 computers.
- There are 7 billion people on the planet.
- Each computer is able to test 1 billion key combinations per second.
- On average, the key is cracked after going through 50% of all combinations.
In this case, the entire population of Earth together will be able to crack an encryption key in 77,000,000,000,000,000,000,000,000,000,000,000,000 years!
To put it differently, the world will stop before an AES key is cracked. The difference between hacking the AES-128 algorithm and the AES-256 algorithm is negligible. If there was a solution to crack the 128-bit algorithm, it would probably crack the 256-bit algorithm as well.
|Key||Time required for hacking|
|128-bit||1,02 x 1018|
|192-bit||1,872 x 1037|
|256-bit||3,31 x 1056|
AES has never been hacked and, contrary to belief and arguments, it can withstand brute force attacks. However, the encryption key must be large enough to resist the power of modern computers, even considering the rate of processor speed development as defined in Moore’s Law.
We at Anvert use AES-128 encryption both for the encryption of access data and for the information stored in the database. Therefore, if someone were able to access Anvert's database in spite of all the protection discussed above, they would face the same problem again. However, at this point, someone would need to read each piece of information separately to see if they did indeed manage to revert the encrypted data into meaningful text, as there is no clear indication as to the success. This effort would require an additional eternity after the billions of years indicated earlier. If you want to keep your mail safe, or want to make a backup of your entire corporate mail, consider using Anvert. Whatever happens to your corporate correspondence, we guarantee that you can reach it and search it from anywhere.