There is no such thing as AES-1024 specified by NIST. AES is a NIST standard, it has three (and only three) variants: AES-128, AES-192, and AES-256. If you see something other than those three, it's almost certainly proprietary junk.

Note that AES is always used in a "mode of operation" to provide any sort of secure encryption. AE-secure modes are AES-SIV, AES-GCM-SIV, AES-OCB, and AES-GCM in decreasing order of safety/performance (possibly others, but those are the most well reviewed and most used). Those sometimes get noted with the key length, e.g. AES-256-GCM-SIV, sometimes not.
> SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products.

I'm someone who bought several Sandisk devices over the years. The first thing I do after buying and unboxing is set up LUKS[0] on the device with the Disks utility in Ubuntu. These USB flash drives usually ship with an `.exe` piece of 'security software' written to the disk, which I never execute because I don't trust their claims. I prefer battle-hardened and trusted things like LUKS, instead of proprietary products that use snake-oil terms like 'Military Grade'.

[0] https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
I was watching this just because it's fun to see bad implementations. I was totally caught off guard when the vendor presented their own view of the problem! Did not see that coming. Makes for a more interesting presentation IMHO (both sides of the issue, no finger pointing)!

Often we hear about how broken something is, very RARELY do you get to see the remediation action and decision making. Hats off to the guys at EncSecurity for stepping up to fix their issues AND sharing the lesson with the industry.
Isn't the key derivation function completely separate from the AES implementation? I mean you could have used the same broken key derivation with some other AES implementation.

Also AES-1024 sounds like some proprietary thingy, not something people should probably trust anyway...
I've yet to see a good definition of what constitutes "military grade encryption" vs. regular old encryption. It generally has the opposite effect, for me at least, in the sense that I avoid any product that advertises "military grade <something>".

Edit: I'm not *actually* looking for definitions of "military grade encryption", thank you everyone who tried to explain it though. I work in cybersec, and encryption is encryption. It is either compliant with standards or it is not. But "military grade" is pure marketing fluff, hence why I avoid it.
PSA: AES is not broken at all here. This is a break of a crap key derivation function that used MD5.

It shows that all components of a cryptosystem are important. Attacks seldom target things like actual ciphers unless it's one known to be weak like RC4 or single-DES. They target bad constructions (like this), implementation bugs, etc.
Summary:

AES was not really broken or brute forced at all. The title is clickbait, and also is factually wrong.

What really happened:

Yet another random company simply implemented the password code wrong. This has nothing to do with the integrity of AES which remains unbroken in principle.

Nothing to see here.
> PBKDF2 using 1000 iteration of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors.

I feel like this is being bad on purpose.
> It turned out that the key derivation function was PBKDF2 using 1000 iteration of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory tradeoff attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with nowadays good practices.

Yikes
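To make the quoted abstract concrete from a defender's side, here is an added example (not the vendors' code, not from the talk) modelling the two KDF designs. The hardcoded salt value is a constructed placeholder, not the real one; the check shows why a salt-ignoring KDF gives every vault protected by the same password the same key, which is the property that lets one precomputed table serve every user, and how a per-vault salt with a modern PBKDF2 parameterisation removes it.

```python
import hashlib
import os

# Constructed placeholder; the products' real hardcoded value is not reproduced here.
HARDCODED_SALT = b"constructed-constant-salt"


def weak_kdf(password: str, _salt: bytes) -> bytes:
    """The construction described in the talk: PBKDF2 with 1000 iterations of
    HMAC-MD5 and a salt that is the same constant in every vault, whatever
    salt the caller passes in (hence the ignored `_salt` parameter)."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), HARDCODED_SALT, 1000, dklen=16)


def hardened_kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2 with a real per-vault salt, SHA-256 as the PRF and a high work
    factor (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations)."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, dklen=32)


def create_vault(kdf, password: str) -> dict:
    """Simulate creating a vault: draw a fresh random salt and derive the key.
    (A real vault would persist a key-check value, not the key itself.)"""
    salt = os.urandom(16)
    return {"salt": salt, "key": kdf(password, salt)}


def distinct_keys_for_shared_password(kdf, password: str, vaults: int = 5) -> int:
    """Defender's check: create several vaults that happen to share a password.
    A salted KDF yields one key per vault; a KDF whose salt is constant yields a
    single key, so one password->key table would open all of them."""
    keys = {create_vault(kdf, password)["key"] for _ in range(vaults)}
    return len(keys)


if __name__ == "__main__":
    print("weak KDF, 5 vaults, distinct keys:",
          distinct_keys_for_shared_password(weak_kdf, "correct horse"))
    print("hardened KDF, 3 vaults, distinct keys:",
          distinct_keys_for_shared_password(hardened_kdf, "correct horse", 3))
```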
> multiple encryptions

Correct me if I am wrong, but isn't AES a group, like DES? If so, encrypting twice under keys of the same strength is the same as encrypting once, with a different key.

This is why, e.g., 3-DES uses encryption-decryption-encryption, under different keys.
> However, it turned out after the analysis that all these modes offer only a security level of 128-bit.

> A plugin in John the ripper software to allow everyone to "practically brute force military grade AES-1024" will be released at the time of the presentation.

My understanding was that even 128-bit security is safe from brute forcing at the present. Am I missing something?
The software in question: https://www.encsecurity.com/solutions.php

(Technically, the actual software in the USB is white-labeled with the USB flash drive brand, but apart from that this is it.)
Considering the amount of free encryption software, a lot even open source, where you just add your logo and a pdf with instructions, bundle the source in a zip file somewhere not to break GPL, and you're done, fuckups like these seem more and more intentional to me.

Tech-savvy users will always use "the best" tools, but for "normal people", the police having the ability to decrypt their data is a thing government wants. If the encryption is bundled, they'll use the broken one, because the alternative (googling the software) will usually show them only the software that actually works.
The cracking script he wrote is at https://github.com/openwall/john/blob/bleeding-jumbo/run/encdatavault2john.py
In case anyone else was confused wtf AES-1024 was: the tl;dr is they were chaining AES-128 multiple times.

The brute-forcing is about brute-forcing PBKDF2 with only 1000 iterations being used with user passwords, and doesn't have anything to do with AES.