Practical bruteforce of military grade AES-1024 (2021) [video]
media.ccc.de
There is no such thing as AES-1024 specified by NIST. AES is a NIST standard, it has three (and only three) variants: AES-128, AES-192, and AES-256. If you see something other than those three, it's almost certainly proprietary junk.
Note that AES is always used in a "mode of operation" to provide any sort of secure encryption. AE-secure modes are AES-SIV, AES-GCM-SIV, AES-OCB, and AES-GCM in decreasing order of safety/performance (possibly others, but those are the most well reviewed and most used). Those sometimes get noted with the key length, eg AES-256-GCM-SIV, sometimes not.
To see how insecure a mode of operation can be, Wikipedia has a picture that was encrypted with ECB:
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation...
That picture has become some sort of meme of itself (I've heard it referred to as "you can see penguins through ECB") because it's so damn popular.
However, ECB is a lot worse than "you can see data patterns"--with a chosen plaintext attack (very common scenario in networking and storage applications) any dumbass can decrypt it trivially.
Those who want to try it for themselves can check out https://cryptopals.com/sets/2/challenges/12 (and that entire set).
Oh man, I loved doing cryptopals back in the day. I should try again.
I still haven't seen a regex for ECB though!
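An added example (mine, not from the talk or the thread) for the "penguins through ECB" property described above and the regex wish just made: a detector that flags a ciphertext as ECB when any 16-byte block repeats, plus an equivalent regex over the hex encoding. The sample ciphertexts are constructed with a hash-based stand-in for a block cipher so the script runs offline without a crypto library; only the detector functions are the point.

```python
"""Detecting ECB mode from ciphertext alone (constructed sample data)."""
import hashlib
import re

BLOCK = 16


def _toy_block_permutation(key: bytes, block: bytes) -> bytes:
    # Stand-in for a real block cipher: deterministic, key-dependent,
    # 16 bytes in, 16 bytes out. NOT a cipher; used only to build test data.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is transformed independently, so equal plaintext
    # blocks produce equal ciphertext blocks (the "penguin" leak).
    assert len(plaintext) % BLOCK == 0
    return b"".join(_toy_block_permutation(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cbc_like_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # before the block transform, so equal plaintext blocks no longer repeat.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = _toy_block_permutation(key, mixed)
        out.append(prev)
    return b"".join(out)


def duplicate_block_count(ciphertext: bytes, block_size: int = BLOCK) -> int:
    """Number of ciphertext blocks that repeat an earlier block.

    A sound mode yields ciphertext indistinguishable from random, so for
    short messages a repeated block is vanishingly unlikely; any repeat is
    a strong ECB (or nonce-reuse) indicator.
    """
    blocks = [ciphertext[i:i + block_size]
              for i in range(0, len(ciphertext), block_size)]
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes) -> bool:
    return duplicate_block_count(ciphertext) > 0


# The "regex for ECB": a block-aligned 32-hex-char group that occurs again
# later. Consuming whole blocks from the start keeps both matches aligned.
ECB_HEX_RE = re.compile(
    r"^(?:[0-9a-f]{32})*?([0-9a-f]{32})(?:[0-9a-f]{32})*?\1")


def looks_like_ecb_regex(ciphertext: bytes) -> bool:
    return ECB_HEX_RE.match(ciphertext.hex()) is not None


# Constructed plaintext with repeated 16-byte lines, like the flat colour
# areas of the Wikipedia penguin: four copies of one block, two of another.
KEY = b"constructed-key!"
PLAINTEXT = b"ATTACK AT DAWN!!" * 4 + b"SEND REINFORCE!!" * 2
ECB_SAMPLE = ecb_like_encrypt(KEY, PLAINTEXT)
CBC_SAMPLE = cbc_like_encrypt(KEY, bytes(BLOCK), PLAINTEXT)

if __name__ == "__main__":
    for name, ct in (("ECB-like", ECB_SAMPLE), ("CBC-like", CBC_SAMPLE)):
        print(f"{name}: {duplicate_block_count(ct)} repeated blocks, "
              f"set check={looks_like_ecb(ct)}, regex={looks_like_ecb_regex(ct)}")
```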
> with a chosen plaintext attack (very common scenario in networking and storage applications) any dumbass can decrypt it trivially.
No, you can't get the decryption key using a chosen plaintext attack with AES.
Read here: https://crypto.stackexchange.com/questions/1512/why-is-aes-r...
Parent said "decrypt", not "get the decryption key", and parent is correct. The attack looks kind of similar to a "padding oracle attack", where you work one byte at a time using a block boundary.
Yes, like the video states.
This is what the talk is called because that is what the vendor advertised, not because it is a standardized thing, which makes sense.
Actually the vendor does a lot of not so great things, from very, very bad password hashing to how they handled file encryption.
Interestingly, the talk about the security ends at 32 min; after this is a talk from a private contractor hired by the company which messed up the encryption. Still watching it but that's unusual and nice.
The bullshit "AES-1024" is quoted from the product description and repeated in the title as clickbait.
The title is funny, they even intentionally put "military grade" in there to make the sarcasm even more apparent. This is different from clickbait, which I see as an intentional dark pattern.
I think it would be a far better headline if "military grade AES-1024" were put in scare quotes. Otherwise it just looks like clickbait and presumably keeps a lot of people from ever clicking on it.
I agree it is clickbait because I also thought - "huh AES-1024, military grade, let's see what it is" and only after clicking - "aww yeah military grade was just pouring gas over the joke"
I immediately understood the joke, maybe it’s a German humor thing.
Yes, I merely want to reiterate as clearly as possible that there's no such algorithm endorsed by NIST. AES is a standard, AES-1024 isn't one of the variants of that standard. For good reason.
Symmetric key sizes larger than 256 bits are pretty much universally snake oil.
> Symmetric key sizes larger than 256 bits are pretty much universally snake oil.
512, actually - some symmetric applications are vulnerable to collision or collision-like attacks, and a cosmological-scale attacker can theoretically get up to about 2^308[0] bit operations at current-ish cosmic microwave background temperatures, so 2^256 bit operations is just about plausible in worst case scenario planning.
But 256-bit keys are probably sufficient for any practical application, and that doesn't excuse 1024 anyway.
[0]:
You have: log2(1e80 amu c2 / k 3K ln(2)) # (mass of observable universe / landauer limit) Definition: 307.99542
The company who wrote the software are in the presentation and explain this - 192 / 256 could not be used because of export restrictions, so AES-128 is actually what they used.
1024 is marketing fluff, which they justified by running 8 passes on the file encryption key (to paraphrase the presentation - ‘Regular consumers don’t understand encryption standards, but think bigger numbers = better and trust the term Military Grade’).
No military buys "military-grade" anything. Militaries buy stuff that conforms to some specific military standard.
Right, it's an unhelpful qualifier.
I'm reminded of the comments of chemistry experts about the UK government using the phrase "military-grade nerve agent"[0]. Firstly, no military would ever admit to owning the stuff (since even the permanent members of the UN security council are signatories of the Chemical Weapons Convention), but, more obviously, there's no such thing as a civilian-grade nerve agent.
I suppose what they meant was "no medical, industrial, or commercial uses", or "requires the resources of an entire country to create and manage", but those aren't attributes that you would want for your security software.
[0] The Financial Times, 2018 - https://archive.ph/0eZl8
> there's no such thing as a civilian-grade nerve agent
Paraoxon? Dichlorodiphenyltrichloroethane? Bifenthrin?
> Right, it's an unhelpful qualifier.
Depends who you are - if you are in marketing, it's a really helpful qualifier (i.e. it's something that the general public clearly put stock in, as mentioned in the presentation).
I must disagree with the "proprietary junk" assertion you made. While your statement about AES is correct, the Rijndael cipher, of which AES is a subset, can have bigger keys and block sizes. For marketing reasons they interchange Rijndael with AES since many have never heard of it.
While it is possible to do that, companies that understand what they're doing will generally stick to well-proven, standardized versions, and companies that don't tend to also make other dangerous mistakes.
It's not a 100% guarantee that it's proprietary junk, but it's a very good indicator.
Is AES-XTS a secure mode? Or is that something else?
XTS is often used in disk encryption (or it was a few years ago when I worked on at-rest data encryption for a storage product at a major vendor).
It uses the sector number and block offset within the sector as input, a little like a counter mode. Its major advantage is zero overhead, so you don't lose disk capacity, or need to map blocks around, you can just sorta use it as a filter layer in your disk reads/writes.
It's not properly authenticated though, as data tampering can result in altered or scrambled plaintext rather than detectable errors, so you need other mechanisms for error detection, which then have to be secure against attacks.
> SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products.
I'm someone who bought several Sandisk devices over the years. The first thing I do after buying and unboxing is to set up LUKS[0] on the device with the Disks utility in Ubuntu. These USB flash drives usually ship with an `.exe` piece of 'security software' written to the disk, which I never execute because I don't trust their claims. I prefer battle-hardened and trusted things like LUKS, instead of proprietary products that use snake-oil terms like 'Military Grade'.
I was watching this just because it's fun to see bad implementations. I was totally caught off guard when the vendor presented their own view of the problem! Did not see that coming. Makes for a more interesting presentation IMHO (both sides of the issue, no finger pointing)!
Often we hear about how broken something is, very RARELY do you get to see the remediation action and decision making. Hats off to the guys at EncSecurity for stepping up to fix their issues AND sharing the lesson with the industry.
It's also a pretty strong indictment of any sort of add-on file encryption software. HMACing files is out of scope and not the intention of the software and too difficult to implement to boot? Waiting for enough PBKDF2 rounds will annoy customers, when Microsoft office products take multiple seconds in a splash screen to load? I am probably just spoiled by OSS/free software offerings.
It would be great if exFAT was not patent-encumbered and supported native encryption+integrity. ZIP archives at least provide cross-platform encryption+integrity with AES-256 but without block-level hmacs or encrypted file names. Maybe Windows will add support for ZFS someday?
Isn't the key derivation function completely separate from the AES implementation? I mean you could have used the same broken key derivation with some other AES implementation.
Also AES-1024 sounds like some proprietary thingy, not something people should probably trust anyway...
It's definitely proprietary. In the summary below the video, it states:
> It turned out that the key derivation function was PBKDF2 using 1000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory tradeoff attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user.
I'd stick with veracrypt for now.
Agreed: 'Breaking the DataVault encryption software' would be a better title
Any time I see encryption described as "military grade" it usually sets off my bullshit detector.
Maybe it was Russian military grade.
The complaint is that the user supplied password is easier to guess than it could be. A fast hash is used and not very many times. So you might have to, say, use 5 words rather than, say, 3 words in your diceware generated passphrase if you want to be secure against brute force attacks.
This ends up being a common usability issue whenever a user is asked to provide a passphrase for some sort of symmetrical encryption scheme. The user is almost never given any guidance to allow them to choose a passphrase strong enough for the system in use. So they end up with a dictionary word with a digit on the end and have no way to know that they have not actually protected anything. It ends up being sort of a con in practice. The user is allowed to believe that the system is much more convenient to use than it actually is.
The system under consideration is not really any worse than other things in this.
I mean it's worse than the best-case implementation from several points of view, not just the grossly insufficient iteration count.
First of all, every single device shares a common, constant salt. Although that doesn't simplify a single instance of an attack on the key-derivation function, it permits the construction of rainbow tables to trade off storage against time and attack all devices simultaneously.
Secondly, the key-derivation function has a flawed construction. In PBKDF2, if you need more key bits than the hash function outputs, you repeat the process varying a value that's concatenated to the salt as the initial input. This means the cost to generate a key to test scales with the length of the key. In this implementation, the salt + constant is not actually an input in the hash function at all, but instead XOR'd against the result of the hash.
As a result, you get no increase in work factor at all.
There are other problems in the implementation of the actual cipher (AES-CTR is malleable, not authenticated; keys longer than 128 bits are only actually using half of the additional key bits - "AES-1024" only uses 576 bits of the generated key) but the KDF is the real problem.
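An added illustration (mine, not the talk's or the vendor's code) of the block-counter point made above: in RFC 8018 PBKDF2 the block index is hashed in together with the salt, so a 1024-bit key from a 128-bit PRF costs eight full iteration runs per guess. `flawed_kdf` is a hypothetical model of the construction the comment describes (the counter XORed onto the hash output instead of being hashed), written only to count work; it is not a reconstruction of what the product actually does. The PRF wrapper counts invocations so the two can be compared.

```python
"""PBKDF2 block counter vs. a hypothetical model of the described flaw."""
import hashlib
import hmac
import struct


class CountingPRF:
    """HMAC-<hash> pseudo-random function that counts how often it is called."""

    def __init__(self, hash_name: str):
        self.hash_name = hash_name
        self.calls = 0

    def __call__(self, key: bytes, data: bytes) -> bytes:
        self.calls += 1
        return hmac.new(key, data, self.hash_name).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           prf: CountingPRF) -> bytes:
    """Textbook PBKDF2 (RFC 8018): T_i = U_1 xor ... xor U_c,
    U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1})."""
    hlen = hashlib.new(prf.hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        u = prf(password, salt + struct.pack(">I", i))  # counter is hashed in
        t = u
        for _ in range(iterations - 1):
            u = prf(password, u)
            t = _xor(t, u)
        out += t
    return out[:dklen]


def flawed_kdf(password: bytes, salt: bytes, iterations: int, dklen: int,
               prf: CountingPRF) -> bytes:
    """Hypothetical model of the bug described in the thread: one PBKDF2
    block is computed and further blocks are made by XORing a counter onto
    that same output, so a guess costs one block however long the key is."""
    hlen = hashlib.new(prf.hash_name).digest_size
    blocks = -(-dklen // hlen)
    t = pbkdf2(password, salt, iterations, hlen, prf)  # only ever one block
    out = b""
    for i in range(1, blocks + 1):
        mask = struct.pack(">I", i).rjust(hlen, b"\0")
        out += _xor(t, mask)
    return out[:dklen]


def work_factor(kdf, password: bytes, salt: bytes, iterations: int,
                dklen: int, hash_name: str = "md5"):
    """Return (derived_key, prf_calls): the cost of testing one guess."""
    prf = CountingPRF(hash_name)
    key = kdf(password, salt, iterations, dklen, prf)
    return key, prf.calls


def matches_stdlib(password: bytes, salt: bytes, iterations: int,
                   dklen: int, hash_name: str = "md5") -> bool:
    """Cross-check the textbook implementation against hashlib.pbkdf2_hmac."""
    key, _ = work_factor(pbkdf2, password, salt, iterations, dklen, hash_name)
    return key == hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


if __name__ == "__main__":
    pw, salt = b"correct horse", b"constructed-static-salt"  # constructed
    for name, kdf in (("PBKDF2", pbkdf2), ("flawed model", flawed_kdf)):
        for bits in (128, 1024):
            _, calls = work_factor(kdf, pw, salt, 1000, bits // 8)
            print(f"{name:13s} {bits:5d}-bit key: {calls:5d} PRF calls per guess")
```

With MD5 (16-byte output) and 1000 iterations, the textbook KDF costs 8000 PRF calls for a 1024-bit key versus 1000 for 128 bits, while the flawed model costs 1000 either way.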
> So they end up with a dictionary word with a digit on the end and have no way to know that they have not actually protected anything
a dictionary word with common letters substituted with a number, case-sensitive, and one or two punctuation.. that is "not protected anything" ? .. almost any two dictionary words put together, not even case sensitive also "not protected anything" ? the out-of-breath security analysis is bothersome and leads us to mandatory ten characters of garble and other extreme anti-user patterns.. I am looking at a stack of forty accounts with passwords as an ordinary library user.. not convinced of this expert analysis today
If your threat model is "someone cloned the database and can now perform unlimited attacks against the stored passwords", then yeah, word + digit protects just about nothing. Assuming a lexicon of 5,000 words, word+digit gives you about 50,000 variations to try. Say that L337 substitutions give you another 10x factor, so now you have 500,000 candidates for what the password might be. Now lets assume that instead of the stupid crap they did in this video, the folks storing your password did everything right and used bcrypt with a work factor of 12. A cracking rig from a couple years ago can run something like 10,000 hashes per second under these conditions, so it might take a whole minute to discover your password. (Remember this is if they did it right, most other password storage schemes would yield your password in a fraction of a second.)
Or, we could look at the two-words-separated-by-punctuation case. Same 5,000 word lexicon, maybe 10 different symbols likely to show up between the words. Call that ~250,000,000 possibilities for your password. That'll take up to a day to crack. A day is a long time to spend on one password, but maybe they don't have anything better to do. Maybe they hate you personally. Add another word, suddenly the hackers need years per password, which is obviously uneconomical.
These guidelines don't come out of nowhere, and there isn't really a tower of experts somewhere giggling at the unwashed idiots around them (well, there might be, but I wasn't invited). This is just one of many problems in computing that live around the intersection of math and psychology, where the "natural" thing to do is (unintuitively) quite dangerous.
the Oxford English dictionary has +200,000 words. Split the difference between your 5000 and that 200,000 and call it 100,000 word possibilities eliminating the 1,2 or three letter ones, case-sensitive with your own case rule .. (capital-S in the middle is fair).
each word, of say at least four characters.. with a "simple substitution of a letter with a number" .. which number? 10x per substitution..
add one or two special characters.. how many special characters are there? let's say numerals plus at least 16 more (counts key caps).. one or two adds means .. up to (10+16) squared more combinations
two words.. square that again? what am I missing? a brute force attack on that many combinations better include the right set of special characters.. because you will never match if you do not have the right set of characters in your brute force, right?
now, "10,000 hashes per second under these conditions" means you have hashed the guess, and compare to the hashed stored answer.. sure that is fast.. maybe you can do it, but did you say that you have a copy of the database and can run constant, undetected brute force in private for "forever" ? is that common? specific answers welcome
As far as I can see: yes and yes. Clickbait title.
I've yet to see a good definition of what constitutes "military grade encryption" vs. regular old encryption. It generally has the opposite effect, for me at least, in the sense that I avoid any product that advertises "military grade <something>".
Edit: I'm not actually looking for definitions of "military grade encryption", thank you everyone who tried to explain it though. I work in cybersec, and encryption is encryption. It is either compliant with standards or it is not. But "military grade" is pure marketing fluff, hence why I avoid it.
Bruce Schneier always used the term 'snake oil' for such unfounded buzzwords and frequently did naming and shaming on his blog.
But military-grade is just a buzzword. Unlike something like MIL-SPEC there is no body that determines what is military grade. And even MIL-SPEC is not very specific, most of its standards have many components that don't apply unless the vendor specifically certifies for it.
But yeah most vendors that use such terminology demonstrate a very poor understanding of the technical principles and use their marketing buzzwords to make up for it.
Off topic, but please consider using the correct tense when talking about people. E.g. "uses" instead of "used", otherwise you are implying that the person in question is dead...
(After reading your comment I went to wikipedia to check that Bruce Schneier hadn’t unexpectedly passed away.)
That is not what the past tense means, and you should maybe take some responsibility for this. OC doesn't know what Bruce Schneier currently does or endorses.
I agree with you, even if I wouldn't have made the comment.
"has historically used" or "has used in the past" or "tends to use" or "uses".
The term "always used" does sound like the subject is departed.
I used past tense because he stopped his blog/mailing list ;) At least in the form I used to read it.
But I agree that 'used to use' would be a better form without this connotation. I will strive to use this in the future in such cases.
He used to have a monthly mailing list, and I wasn't sure whether he still had a blog or something.
One problem with 'used to use' is many might take it as implying that he now uses something different. Perhaps 'has used' would be better?
To me being FIPS compliant would be a good definition of something being "Military Grade" because that would be the actual standards the US military would use. However, that still doesn't mean it has the best security because really good algorithms like Ed25519 aren't FIPS compliant despite being much better than their FIPS counterparts IMO.
> I've yet to see a good definition of what constitutes "military grade encryption"
Done by the cheapest contractor :)
The cheapest contractor who meets requirements who it turns out is not up to the task causing timelines to slip and end up costing more?
Plain old AES-128 is technically military-grade, at least if you're talking about the US military; if it's top secret, AES-256 is the approved one. It is military-grade but it's meaningless in this context. In some other context, it's even worse: you wouldn't prefer military-grade food (it's still edible, just that shelf life has been the top priority while taste took a back seat if it's even considered).
"Military grade encryption" means that the government has signed off on the algorithm's use for information up to a specific classification level. Probably the NSA, but maybe the DOD has their own department. It's certainly a vote of confidence, probably by people more educated about cryptography than you specifically, although possibly less trusted by you (in terms of skill and/or ulterior motives) than other people.
A big, undisputed, downside is that newer algorithms take longer to be approved and it's possible that people keep using the term after algorithms get deprecated.
Encryption is more like "milspec", meeting military minimum quality guidelines than "military issue" which is the cheapest implementation of milspec in physical (or electronic for that matter) goods.
Unless someone is specifically naming the military standard they are compliant with (and provides an auditing record!) it’s bullshit, 99.99% of the time.
Legit vendors who sell actual mil-spec equipment (except stuff that has known shitty mil-specs like entrenching tools) don't use 'military grade' anywhere when they're selling to the military. They go through procurement and identify the specific mil-specs they are compliant with.
Military grade is the weasel word way of implying they have done that without being able to be sued because they aren’t.
Fair enough. The words mean nothing while implying exactly what I thought but not saying it, and I was one of the fools who fell for it. Although I won't after today. Thank you.
You’re welcome. If you find something like this elsewhere, please post it too.
I consider it part of the war against Bullshit, which never ends.
Also, ‘industrial grade’, ‘heavy duty’, ‘as seen on TV’ (that one is thankfully almost dead), celebrity endorsements, and the trend in tools over the last decade of buying out an aging brand with a great market reputation and ‘capturing brand value’ by selling cheaply made versions until no one can find anything fit for purpose anymore.
NSA is the entity in the DOD which sets certain minimum requirements and validates their cryptographic implementations. NIST owns the overarching standards for the whole government and sets requirements and performs validations through NVLAP that NSA doesn't, usually with their input.
When you see "FIPS", that means NIST approved/validated.
NSA approval/validation is relevant when the system has to handle classified information and often (but not necessarily) you start with components that have FIPS certification.
So, I understand what they intend it to mean (and maybe that wasn't clear from my original message; I work in cybersec). But what you have described is an encryption scheme which meets certain standards (i.e. it is XYZ compliant). I don't think it is justifiable to call that "military grade", and that saying so is a misrepresentation used by marketing folk.
For what it’s worth this is addressed in the linked video at the 6 minute mark.
The presenter shows a slide with an online post saying: “cryptography marketed as military grade is often to crypto what military music is to music”
The use in the title is almost certainly self aware and tongue in cheek.
The product website uses "military grade" all over the place in the marketing materials. Certainly not tongue-in-cheek. See https://www.encsecurity.com/solutions.php and search "military".
After spending time in the (German) military I translate "military grade" as "nothing special but really expensive and convoluted, designed by committee". I don't really see why the military should have better encryption. More likely they have some stupid back doors added by clueless contractors.
Yep, totally, it's a big red flag. Another term like that when it comes to software is "patented technology" (or "algorithm", or "software", or whatever). Instant turn-off.
A long time ago, the US government ranked the available encryption algorithms by their security level. The highest level was considered equivalent to military equipment and their people were prohibited from exporting those.
Then a team from Europe published some free software that enabled people to use stronger encryption than the ones on the top rank from the US, and their government stopped with this nonsense. So, the only really "military grade" algorithms are broken stuff from the 90's.
The military is to insecure encryption what a canary is to gas in a coal mine. Hence a layperson can assume it's worthy encryption without extensive investigation and without needing to know the details of how it works. "Military grade encryption" is just the layperson's translation of "encryption" (assuming it's a strong implementation).
Perhaps it held more weight in the past? Now "military grade" encryption is cheap so everything is "military grade".
Nowadays it means outdated, bare minimum security so we can still certify 3DES.
Only for grandfathered-in systems that are critical to keep operating that can't be replaced. New systems and lower-impact existing systems cannot use 3DES at all, unless it's only to decrypt stuff previously encrypted with it.
Frankly it doesn’t even guarantee THAT. If they could certify it, they could list the mil-spec certification. It’s pure weasel wording.
Well, there's NSA certified devices (Type 1, Type 2, etc) which are military grade. Something using AES correctly could be a Type 3 device.. "when appropriately keyed" :-)
To me, this would be "XYZ Compliant", not "XYZ Grade".
Grade implies something fundamentally changed/altered/adjusted in the underlying product to make it suitable for government/military/whatever use. Here, though, AES is AES whether it is used by my mother or by the military.
"Military grade" means minimum that would be accepted by the military.
Mostly means someone is trying to sell you something and betting you don't know much about the subject matter.
There’s also no such thing as “sushi grade” fish.
Soon: “tactical encryption”
PSA: AES is not broken at all here. This is a break of a crap key derivation function that used MD5.
It shows that all components of a cryptosystem are important. Attacks seldom target things like actual ciphers unless it's one known to be weak like RC4 or single-DES. They target bad constructions (like this), implementation bugs, etc.
Actually the AES encryption they implemented is ALSO broken. The premium instances of AES-256, "512" and "1024" were totally broken and based on zero-content blocks, the security gets reduced to 128-bit in all scenarios. So yeah, AES itself not broken, but.. the places it implements AES-256, 512, and 1024, were broken by implementation.
Summary: AES was not really broken or brute forced at all. The title is clickbait, and also is factually wrong.
What really happened: Yet another random company simply implemented the password code wrong. This has nothing to do with the integrity of AES which remains unbroken in principle.
Nothing to see here.
> PBKDF2 using 1000 iteration of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors.
I feel like this is being bad on purpose.
> It turned out that the key derivation function was PBKDF2 using 1000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory tradeoff attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with nowadays good practices.
Yikes
> multiple encryptions
Correct me if I am wrong, but isn't AES a group, like DES? If so, encrypting twice under keys of the same strength is the same as encrypting once, with a different key.
This is why, e.g., 3-DES uses encryption-decryption-encryption, under different keys.
>However, it turned out after the analysis that all these modes offer only a security level of 128-bit.
>A plugin in John the ripper software to allow everyone to "practically brute force military grade AES-1024" will be released at the time of the presentation.
My understanding was that even 128-bit security is safe from brute forcing at the present. Am I missing something?
The proprietary "AES-1024" is actually AES-128 encrypted four times (like Triple DES which is an actual standard). The actual problem is that the key derivation is literally MD5 and the "salt" is static (making brute-force laughable). So, no, AES is not broken, just this weird one that happens to be the encryption program you get free with the purchase of certain brands of USB drives.
They are bruteforcing pbkdf2 with too low number of iterations (people are talking about md5, but md5 isn't really the problem here. A memory hard hash would be better [albeit maybe impractical in context], but if you are using pbkdf2, md5 isn't any different from sha256 or whatever else)
If your password is 22 randomly generated characters chosen from the alphabet of upper and lower case letters plus numbers (which implies ever-so-slightly-less than six bits of entropy per character) then you will get 128 bit security from one of these devices - meaning that an attacker will just as well have to brute-force the cipher as attack the password. And, as you said, that is currently believed infeasible.
If you are a human being, your password is more likely to be a single English word or name with some arbitrary capitalization, some swapping out of o/0 a/@ s/$ t/+ or some such, and then a number tacked on the beginning or end.
At this point, brute-forcing your password is going to be a much simpler proposition; you're reliant on a key-derivation function being sufficiently expensive to compute to slow down that brute-force attack.
The attack in this case was of the latter kind; the KDF was so poor that it could be attacked very quickly. No 128-bit encryption was harmed in the filming of that presentation.
The software in question: https://www.encsecurity.com/solutions.php
(Technically, the actual software in the USB is white-labeled with the USB flash drive brand, but apart from that this is it.)
Considering the amount of free encryption software, a lot even opensource, where you just add your logo and a pdf with instructions, bundle the source in a zip file somewhere not to break GPL, and you're done, fuckups like these seem more and more intentional to me.
Tech-savvy users will always use "the best" tools, but for "normal people", the police having the ability to decrypt their data is a thing government wants. If the encryption is bundled, they'll use the broken one, because the alternative (googling the software) will usually show them only the software that actually works.
The cracking script he wrote is at https://github.com/openwall/john/blob/bleeding-jumbo/run/enc...
In this case it's surely a military grade. Grade F to be precise :)
Nobody will notice a little red line to turn `F` into `A`, it worked for them in high school after all ;).
In case anyone else was confused wtf AES-1024 was: the tl;dr is they were chaining AES-128 multiple times.
The bruteforcing is about bruteforcing PBKDF2 w/ only 1000 iterations being used with user passwords, and doesn't have anything to do with AES.
To be clear, this isn’t a break of AES itself, but the implementation of a whole system, of which AES is a part.
stopped reading at "military-grade"