by SAI_Peregrinus 1515 days ago
There is no such thing as AES-1024 specified by NIST. AES is a NIST standard, it has three (and only three) variants: AES-128, AES-192, and AES-256. If you see something other than those three, it's almost certainly proprietary junk.

Note that AES is always used in a "mode of operation" to provide any sort of secure encryption. AE-secure modes are AES-SIV, AES-GCM-SIV, AES-OCB, and AES-GCM in decreasing order of safety/performance (possibly others, but those are the most well reviewed and most used). Those sometimes get noted with the key length, e.g. AES-256-GCM-SIV, sometimes not.
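Both points can be checked directly against a standard library. The following Go program is an added example, not code from the comment or its author: aes.NewCipher accepts only 16, 24 or 32-byte keys, so a 128-byte "AES-1024" key is rejected outright, and AES-256-GCM via cipher.NewGCM gives authenticated encryption whose Open refuses any change to the ciphertext, tag or associated header. All keys, nonces and messages are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ValidKeySize reports whether aes.NewCipher accepts an n-byte key.
// Only 16, 24 and 32 bytes (AES-128/192/256) exist; a 128-byte
// "AES-1024" key fails with aes.KeySizeError.
func ValidKeySize(n int) bool {
	_, err := aes.NewCipher(make([]byte, n))
	return err == nil
}

// Seal encrypts and authenticates msg with AES-GCM under key, binding the
// unencrypted header (aad) into the tag. Output: nonce || ciphertext || tag.
func Seal(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per message
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// Open checks the tag before returning plaintext; any change to the nonce,
// ciphertext, tag or aad yields an error, never silently altered data.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// RoundTrip seals a constructed message, then shows that Open succeeds with
// the right header and fails when the header is changed.
func RoundTrip(key []byte) (plaintextOK, headerTamperCaught bool, err error) {
	msg := []byte("constructed sample record")
	sealed, err := Seal(key, msg, []byte("v1"))
	if err != nil {
		return false, false, err
	}
	pt, err := Open(key, sealed, []byte("v1"))
	if err != nil {
		return false, false, err
	}
	plaintextOK = string(pt) == string(msg)
	_, err = Open(key, sealed, []byte("v2")) // header altered in transit
	return plaintextOK, err != nil, nil
}

func main() {
	for _, n := range []int{16, 24, 32, 128} {
		fmt.Printf("%3d-byte key (\"AES-%d\"): accepted=%v\n", n, 8*n, ValidKeySize(n))
	}
	key := make([]byte, 32) // AES-256; a real key comes from a KDF or CSPRNG
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ok, caught, err := RoundTrip(key)
	fmt.Println("round trip ok:", ok, "header tamper caught:", caught, "err:", err)
}
```

The nonce is prepended to the ciphertext because GCM needs it back at decryption time; it is not secret, but it must never repeat under the same key, which is why the SIV modes listed above rank higher for safety.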


To see how insecure a mode of operation can be, Wikipedia has a picture that was encrypted with ECB:

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation...

That picture has become some sort of meme of itself (I've heard it referred to as "you can see penguins through ECB") because it's so damn popular.

However ECB is a lot worse than "you can see data patterns"--with a chosen plaintext attack (very common scenario in networking and storage applications) any dumbass can decrypt it trivially.

Those who want to try it for themselves can check out https://cryptopals.com/sets/2/challenges/12 (and that entire set).
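The penguin effect is easy to reproduce in a few lines without any image. The Go program below is an added example, not code from the comment or from cryptopals: it builds a constructed "picture" of 16 blocks, 15 of them the same background block, encrypts it under ECB and under CTR with the same key, and counts ciphertext blocks that are copies of an earlier block. ECB leaves 14 repeats (the structure shows straight through); CTR leaves none. The repeated-block count is also the standard ECB detector. Key and IV are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// samplePicture is a constructed stand-in for the penguin: 15 identical
// "background" blocks with one different "penguin" block in the middle.
func samplePicture() []byte {
	bg := []byte("BACKGROUNDPIXEL!") // 16 bytes, one AES block
	fg := []byte("PENGUIN-PENGUIN!") // 16 bytes
	pic := bytes.Repeat(bg, 10)
	pic = append(pic, fg...)
	return append(pic, bytes.Repeat(bg, 5)...)
}

// ecbEncrypt runs the block cipher on each block independently. Go's standard
// library has no ECB mode on purpose; it is written out here to show why.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(pt))
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// ctrEncrypt is the same data under CTR mode. The all-zero IV is a constructed
// value for the demo; a real system uses a fresh IV per key/message.
func ctrEncrypt(block cipher.Block, pt []byte) []byte {
	iv := make([]byte, block.BlockSize())
	out := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pt)
	return out
}

// RepeatedBlocks returns how many 16-byte ciphertext blocks are copies of an
// earlier block. Anything above zero is the ECB "penguin" signature: equal
// plaintext blocks became equal ciphertext blocks.
func RepeatedBlocks(ct []byte) int {
	seen := make(map[[16]byte]bool)
	repeats := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// Compare encrypts the sample picture under ECB and CTR with the same key
// and reports the repeated-block count for each.
func Compare(key []byte) (ecbRepeats, ctrRepeats int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	pic := samplePicture()
	return RepeatedBlocks(ecbEncrypt(block, pic)), RepeatedBlocks(ctrEncrypt(block, pic)), nil
}

func main() {
	key := []byte("constructed-key!") // 16 bytes, AES-128; demo value only
	e, c, err := Compare(key)
	fmt.Println("ECB repeated blocks:", e, "CTR repeated blocks:", c, "err:", err)
}
```

Running RepeatedBlocks over unknown ciphertext is the cheap triage check for "is this ECB?": any repeated 16-byte block in data that should look random is a finding worth chasing.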
Oh man, I loved doing cryptopals back in the day. I should try again.
I still haven't seen a regex for ECB though!
> with a chosen plaintext attack (very common scenario in networking and storage applications) any dumbass can decrypt it trivially.

No, you can't get the decryption key using a chosen plaintext attack with AES.

Read here: https://crypto.stackexchange.com/questions/1512/why-is-aes-r...

Parent said "decrypt", not "get the decryption key", and parent is correct. The attack looks kind of similar to a "padding oracle attack", where you work one byte at a time using a block boundary.
Yes, like the video states.

This is what the talk is called because that is what the vendor advertised not because it is a standardized thing which makes sense.

Actually the vendor does a lot of not so great things, from very, very bad password hashing to how they handled file encryption.

Interestingly, the talk about the security ends at 32min; after this is a talk from a private contractor hired by the company which messed up the encryption. Still watching it but that's unusual and nice.

The bullshit "AES-1024" is quoted from the product description and repeated in the title as clickbait.
The title is funny, they even intentionally put "military grade" in there to make the sarcasm even more apparent. This is different from click bait, which I see as an intentional dark pattern.
I think it would be a far better headline if "military grade AES-1024" were put in scare quotes. Otherwise it just looks like clickbait and presumably keeps a lot of people from ever clicking on it.
I agree it is clickbait because I also thought - "huh AES-1024, military grade, let's see what it is" and only after clicking - "aww yeah military grade was just pouring gas over the joke"
I immediately understood the joke, maybe it’s a German humor thing.
Yes, I merely want to reiterate as clearly as possible that there's no such algorithm endorsed by NIST. AES is a standard, AES-1024 isn't one of the variants of that standard. For good reason.

Symmetric key sizes larger than 256 bits are pretty much universally snake oil.

> Symmetric key sizes larger than 256 bits are pretty much universally snake oil.

512, actually - some symmetric applications are vulnerable to collision or collision-like attacks, and a cosmological-scale attacker can theoretically get up to about 2^308[0] bit operations at current-ish cosmic microwave background temperatures, so 2^256 bit operations is just about plausible in worst case scenario planning.

But 256-bit keys are probably sufficient for any practical application, and that doesn't excuse 1024 anyway.

0:

  You have: log2(1e80 amu c2 / k 3K ln(2)) 
  # (mass of observable universe / landauer limit)
  Definition: 307.99542
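The units session above, written out in symbols (an added aside, not part of the comment): the bound is the mass-energy of the observable universe divided by the Landauer cost of one irreversible bit operation at the CMB temperature.

$$N \le \frac{M c^2}{k_B T \ln 2}, \qquad M \approx 10^{80}\,\mathrm{u} \approx 1.66\times10^{53}\,\mathrm{kg}, \quad T \approx 3\,\mathrm{K}$$

$$N \approx \frac{1.66\times10^{53}\,\mathrm{kg}\cdot(3.0\times10^{8}\,\mathrm{m/s})^2}{1.38\times10^{-23}\,\mathrm{J/K}\cdot 3\,\mathrm{K}\cdot 0.693} \approx \frac{1.5\times10^{70}\,\mathrm{J}}{2.9\times10^{-23}\,\mathrm{J}} \approx 5\times10^{92} \approx 2^{308}$$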
The company that wrote the software are in the presentation and explain this - 192 / 256 could not be used because of export restrictions, so AES-128 is actually what they used.

1024 is marketing fluff, which they justified by running 8 passes on the file encryption key (to paraphrase the presentation - ‘Regular consumers don’t understand encryption standards, but think bigger numbers = better and trust the term Military Grade’).

No military buys "military-grade" anything. Militaries buy stuff that conforms to some specific military standard.
Right, it's an unhelpful qualifier.

I'm reminded of the comments of chemistry experts about the UK government using the phrase "military-grade nerve agent"[0]. Firstly, no military would ever admit to owning the stuff (since even the permanent members of the UN security council are signatories of the Chemical Weapons Convention), but, more obviously, there's no such thing as a civilian-grade nerve agent.

I suppose what they meant was "no medical, industrial, or commercial uses", or "requires the resources of an entire country to create and manage", but those aren't attributes that you would want for your security software.

[0] The Financial Times, 2018 - https://archive.ph/0eZl8

> there's no such thing as a civilian-grade nerve agent

Paraoxon? Dichlorodiphenyltrichloroethane? Bifenthrin?

> Right, it's an unhelpful qualifier.

Depends on who you are. If you are in marketing, it's a really helpful qualifier (i.e. it's something that the general public clearly put stock in, as mentioned in the presentation).

I must disagree with the "proprietary junk" assertion you made. While your statement about AES is correct, the Rijndael cipher, of which AES is a subset, can have bigger keys and block sizes. For marketing reasons they interchange Rijndael with AES since many have never heard of it.
While it is possible to do that, companies that understand what they're doing will generally stick to well-proven, standardized versions, and companies that don't tend to also make other dangerous mistakes.

It's not a 100% guarantee that it's proprietary junk, but it's a very good indicator.

Is AES-XTS a secure mode? Or is that something else?
XTS is often used in disk encryption (or it was a few years ago when I worked on at-rest data encryption for a storage product at a major vendor).

It uses the sector number and block offset within the sector as input, a little like a counter mode. Its major advantage is zero overhead, so you don't lose disk capacity, or need to map blocks around, you can just sorta use it as a filter layer in your disk reads/writes.

It's not properly authenticated though, as data tampering can result in altered or scrambled plaintext rather than detectable errors, so you need other mechanisms for error detection, which then have to be secure against attacks.
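The "altered plaintext rather than a detectable error" behaviour, and the separate integrity layer it forces on you, can be shown with standard-library code. The Go program below is an added example, not code from the comment: XTS is not in Go's standard library, so AES-CTR stands in as the unauthenticated mode (in CTR a changed ciphertext byte changes the same plaintext byte; XTS would scramble the whole 16-byte block, but equally without any error). It then wraps the same mode in encrypt-then-MAC with HMAC-SHA256 so the modification is refused. Keys, IV and the "balance" record are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ctrXOR encrypts or decrypts in with AES-CTR (same operation both ways).
// CTR stands in for an unauthenticated mode here; the property shown is the
// same as for XTS: nothing checks integrity.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// SilentTamper encrypts a constructed record, changes one ciphertext byte,
// and decrypts. No error is raised; the caller just gets different data.
func SilentTamper(key, iv []byte) ([]byte, error) {
	ct, err := ctrXOR(key, iv, []byte("balance=0100"))
	if err != nil {
		return nil, err
	}
	ct[8] ^= '0' ^ '9' // flip bits at the position of the first digit
	return ctrXOR(key, iv, ct)
}

// SealETM is encrypt-then-MAC: tag = HMAC-SHA256(macKey, iv || ct).
// encKey and macKey must be independent keys. Output: iv || ct || tag.
func SealETM(encKey, macKey, iv, msg []byte) ([]byte, error) {
	ct, err := ctrXOR(encKey, iv, msg)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	out := append([]byte{}, iv...)
	out = append(out, ct...)
	return append(out, mac.Sum(nil)...), nil
}

// OpenETM verifies the tag in constant time before decrypting anything.
func OpenETM(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed data too short")
	}
	iv := sealed[:aes.BlockSize]
	ct := sealed[aes.BlockSize : len(sealed)-sha256.Size]
	tag := sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed: data was modified")
	}
	return ctrXOR(encKey, iv, ct)
}

// TamperCaught applies the same byte change to an encrypt-then-MAC record
// and reports whether OpenETM refuses it.
func TamperCaught(encKey, macKey, iv []byte) (bool, error) {
	sealed, err := SealETM(encKey, macKey, iv, []byte("balance=0100"))
	if err != nil {
		return false, err
	}
	sealed[aes.BlockSize+8] ^= '0' ^ '9'
	_, err = OpenETM(encKey, macKey, sealed)
	return err != nil, nil
}

func main() {
	encKey := make([]byte, 16) // constructed demo keys and IV; use a CSPRNG in practice
	macKey := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	pt, err := SilentTamper(encKey, iv)
	fmt.Printf("unauthenticated CTR after tampering: %q (err=%v)\n", pt, err)
	caught, err := TamperCaught(encKey, macKey, iv)
	fmt.Println("encrypt-then-MAC caught tampering:", caught, "err:", err)
}
```

For disk encryption the MAC layer costs exactly the space XTS was chosen to avoid (a tag per sector has to live somewhere), which is the trade-off the comment above is pointing at; the alternative is an AEAD mode that carries its own tag, as in the GCM and SIV modes listed at the top of the thread.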