Currently in wide use, AES is a great algorithm that has been implemented in a number of hardware and software systems. It has been carefully studied by legions of cryptanalysts, so it’s often assumed that a system which includes AES is secure. But that assumption isn’t always true – in this post, let’s explore three situations that could cause problems.
Like all cryptographic systems and algorithms, AES depends on a key. If an attacker can get the key, he or she can impersonate the authentic party, decrypt all the network messages and generally eliminate every aspect of the system security. However, a few systems have a great place to store keys that is truly isolated from attack. With the increasing commonality of connected systems, software bugs like Heartbleed can easily find keys that you thought you had carefully protected. If you’re not familiar with Heartbleed, see this great panel from XKCD which does a nice job of explaining it.
Like all cryptographic algorithms, there are many variations to the way in which AES can be used. Lots of systems have been cracked because an improper mode, protocol or procedure was used. The illustration below shows a mode of AES which is the right answer in some cases — but definitely not this one!
The last point is a bit trickier. When encrypting something with AES, most modes require an Initialization Vector (IV). The IV should never be repeated, and in some modes it must be random. There are two problems with a repeated IV: (1) If the attacker could discover the plain text of the first message, he could determine the contents of the second; and (2), If the same message is sent with the same IV, the ciphertext will be the same both times, which could be vital information all by itself.
Problem is that it’s hard to generate a random number. One famous random number generator used the hash of an image of lava lamps – for some years an online site (lavarand) was supported by Silicon Graphics to provide online numbers.
Assuming you don’t have lava lamps and a camera in your system, you might be tempted to use ‘random’ keystrokes, noise on a signal wire, the current time to the ms, or some similar thing. Problem is, while the resulting numbers appear to be random there are often a limited number of choices. Given how fast modern computers execute, an attacker can try literally millions of possibilities in a few seconds and guess your random number!
Many designers rely on dedicated hardware cryptographic devices to help resolve this issue. Generally speaking, they offer solutions to the three points mentioned above:
- Strong protection for cryptographic keys that is not subject to bugs, malware or other aggressive attacks;
- Proper use of modes and protocols for the operations performed within the devices; and,
- High quality random number generators that rely on random physical phenomena and which are rigorously tested