RHITCHCOCK wrote:
I've read all kinds of conflicting things online about AES-128 vs AES-256. Some people are even claiming that theoretically
AES-256 is LESS secure than AES-128, or that AES-256 is not substantially more secure than AES-128. Any thoughts on that?
Good article on AES security from Bruce Schneier:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
There have been some papers on breaking AES especially an attack on AES-256:
Over the past couple of months, there have been two (the second blogged about here) new cryptanalysis papers on AES. The attacks presented in the papers are not practical -- they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that most implementations use -- but they are impressive pieces of work all the same.
This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256:
There are three reasons not to panic:
- The attack exploits the fact that the key schedule for 256-bit version is pretty lousy -- something we pointed out in our 2000 paper -- but doesn't extend to AES with a 128-bit key.
- It's a related-key attack, which requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way.
- The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.
The most accurate answer would probably what Bruce Schneier stated:
And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change.
Hope that helps on AES 128/256. AES-128 is robust enough for industrial applications and AES-256 has still enough security margin against the latest attack.
