by RcouF1uZ4gsC 1516 days ago
>However, it turned out after the analysis that all these modes offer only a security level of 128-bit.

>A plugin in John the ripper software to allow everyone to "practically brute force military grade AES-1024" will be released at the time of the presentation.

My understanding was that even 128-bit security is safe from brute forcing at the present. Am I missing something?

3 comments

The proprietary "AES-1024" is actually AES-128 encrypted four times (like Triple DES which is an actual standard). The actual problem is that the key derivation is literally MD5 and the "salt" is static (making brute-force laughable). So, no, AES is not broken, just this weird one that happens to be the encryption program you get free with the purchase of certain brands of USB drives.

They are bruteforcing pbkdf2 with too low a number of iterations (people are talking about md5, but md5 isn't really the problem here. A memory hard hash would be better [albeit maybe impractical in context], but if you are using pbkdf2, md5 isn't any different from sha256 or whatever else).

If your password is 22 randomly generated characters chosen from the alphabet of upper and lower case letters plus numbers (which implies ever-so-slightly-less than six bits of entropy per character) then you will get 128-bit security from one of these devices - meaning that an attacker will just as well have to brute-force the cipher as attack the password. And, as you said, that is currently believed infeasible.

If you are a human being, your password is more likely to be a single English word or name with some arbitrary capitalization, some swapping out of o/0 a/@ s/$ t/+ or some such, and then a number tacked on the beginning or end.

At this point, brute-forcing your password is going to be a much simpler proposition; you're reliant on a key-derivation function being sufficiently expensive to compute to slow down that brute-force attack.

The attack in this case was of the latter kind; the KDF was so poor that it could be attacked very quickly. No 128-bit encryption was harmed in the filming of that presentation.
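
The arithmetic in the comment above, as an added example that is not part of the original thread: it compares the search space of a 22-character random password with an upper bound for the "human" pattern, and shows how the KDF iteration count scales the time to exhaust each. The dictionary size, word length, two-digit number, hash rate and iteration counts are constructed assumptions, not figures from the thread or the presentation.

```python
import math

CIPHER_KEY_BITS = 128  # security level the thread attributes to the cipher

def random_password_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)

def human_password_guesses(words, word_len, swappable):
    """Upper bound on candidates for the pattern in the comment: one dictionary
    word, arbitrary capitalization, o/0 a/@ s/$ t/+ swaps, and a two-digit
    number at the beginning or end. (Overcounts: a swapped letter has no case.)"""
    capitalizations = 2 ** word_len   # each letter upper or lower
    swaps = 2 ** swappable            # each swappable letter swapped or not
    numbers = 2 * 100                 # 00-99, before or after the word
    return words * capitalizations * swaps * numbers

def effective_bits(password_bits):
    """The attacker takes the cheaper route: guess the password or the key."""
    return min(password_bits, CIPHER_KEY_BITS)

def years_to_exhaust(guesses, hashes_per_second, kdf_iterations):
    """Worst-case time to try every candidate when each guess costs
    kdf_iterations hash evaluations."""
    seconds = guesses * kdf_iterations / hashes_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e10  # assumed attacker hash rate (constructed figure)
    strong = effective_bits(random_password_bits(22, 62))
    human = human_password_guesses(words=200_000, word_len=8, swappable=3)
    print(f"22 random chars from 62: {random_password_bits(22, 62):.1f} bits, "
          f"effective {strong:.0f}")
    print(f"human pattern: {human:,} candidates = {math.log2(human):.1f} bits")
    for iterations in (1, 1_000, 600_000):  # assumed KDF costs
        print(f"  {iterations:>7} iterations: "
              f"{years_to_exhaust(human, RATE, iterations):.2e} years (human), "
              f"{years_to_exhaust(2 ** strong, RATE, iterations):.2e} years (random)")
```

With these assumed inputs the human pattern stays below 40 bits, so only the per-guess KDF cost stands between it and exhaustion, while the random password is bounded by the 128-bit key rather than by the password.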