Military Grade Encryption (AES-1024) — Snake Oil Crypto?

Military Grade Encryption (AES-1024) — Snake Oil Crypto?

I have had many occasions where companies have asked me whether 256-bit encryption is secure, and the answer always asks what they actually use. A lot depends on the randomization process and whether passwords and key derivation functions (KDFs) are involved.

And so, there are products on the market that perhaps try to over-market themselves and where users think that they provide some form of enhancement to an existing “standard” system. This can especially be the case for a “military-grade” system provided to users, and which can sometimes be flawed, especially if they involve a “cook your own crypto” approach.

So, let’s look at the crazy world of 1,024-bit AES encryption.

Brute force

In order to understand the concept of work in cracking cryptography, Lenstra [here] defined the concept of Global Security in order to show the amount of energy required to crack cryptographic algorithms and compare this with the amount of water that energy could boil. This could be seen as the carbon footprint of cracking. For a 35-bit key, you only need to pay for the boiling of a teaspoon of energy, and for a 50-bit key, you just need to have enough money to pay for a shower:

We can see that to crack a 105-bit symmetric key would take the amount of energy to boil the sea. And so, to crack 128-bit encryption, we would have to boil 8,388,608 seas. This is a lot of energy … will just crack a single key. And then for 256-bit keys, we would have to boil 2,854,495,385,411,919,762,116,571,938,898,990,272,765,493,248 seas. This is obviously crazy figures, and only to crack a single key. And, so the brute-forcing of 256-bit encryption is way out of anyone’s budget.

1,024-bit AES — Surely a joke?

So why would you need larger keys than 256 bits? Well, as if boiling billions and billions of seas weren’t secure enough, there is ultimate encryption, and where we get 1,024-bit AES — defined as “military-grade”. This solution has been developed by ENCSecurity and is known as DataVault. It is used by Sony, SanDisk, and Lexar for their encryption software on USB keys, hard drives, and other storage products.

But, Sylvain Pelissier and Bio Sletterink have found a way to crack 1,024-bit AES, without even boiling the water for a shower [link]:

And so, there are products on the market that perhaps try to overmarket themselves, and where users think that they provide some form of enhancement to an existing “standard” systems. This can especially be the case for a “military-grade” system provided to users, and which can sometimes be flawed, especially if they involve a “cook your own crypto” approach.

They used reverse engineering of the DataVaultand found that the keys used involved the PBKDF2 method with 1,000 rounds of MD5. The salt used to generate the key was static and hardcoded into the application. Using a hardcoded salt value means that it is possible to crack a rainbow table of possible passwords to key mappings. Thus if a user selects “qwerty123” for the password, the mapping to the encryption key can simply be mapped, without it being required to be brute-forced with PBKDF2. An adversary could then build up a table of encryption keys for common passwords. But they also found that the implementation of the method was incorrect, and even with a random salt value, it is simple to recover the password.

In general, they found that a CTR (Counter) type method has been used for the encryption, and which basically has a security strength of only 128 bits. The basic element of the keys to create a 1,024-bit key used the PBKDF2, and then with the addition of a salt value and an integer value:

It then becomes fairly trivial to generate each part of the key, once the password is known. The 1,024-bit element is then created by 128-bit encryption blocks, with the addition of the key derivations:

And, so, not “military-grade” encryption is really only as strong a 128-bit, and where the flaws in the implementation meant that it was nowhere near as strong as that, too.

Full disclosure

The researchers, in this case, have acted ethically and disclosed their findings to the company and in a CVE (CVE-2021–36750), and who have since updated their key derivation function:

Conclusions

But, saying all this, there’s really no need for 1,024 bit, and it’s all a bit silly. If done properly, 256-bit AES, with strong key derivation is all your really need. With any method that depends on a password, we always significantly reduce the size of the key, and if they user users “qwerty”, we have shorted-circuited much of our security. For a product to use a fixed salt value, it is pretty bad, and so I finish this article with another slide that represents this well:

and which minds me of the Sony PS3 hack: