New Attack on AES
There's a new cryptanalytic attack on AES that is better than brute force:
Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.
In an e-mail, the authors wrote:
We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2119 to about 2110.5 data and time.
We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.
Agreed. While this attack is better than brute force -- and some cryptographers will describe the algorithm as "broken" because of it -- it is still far, far beyond our capabilities of computation. The attack is, and probably forever will be, theoretical. But remember: attacks always get better, they never get worse. Others will continue to improve on these numbers. While there's no reason to panic, no reason to stop using AES, no reason to insist that NIST choose another encryption standard, this will certainly be a problem for some of the AES-based SHA-3 candidate hash functions.
OWASP ::
Feed!
Povezani zapisi:
09-01-2010 18:29
-- John Bambenek bambenek at gmail /dot/ com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC
08-31-2010 15:14
An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, web application vulnerabilities, and proof-of-concept exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed in the month.
According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced will be a collection of old and new ones, with Microsoft being a major target. The new vulnerabilities can be considered as zero-day flaws, and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time, until then users should use any suggested workarounds.
It is also believed that detailed information for recently released advisories will also be published. The chances are that the released information mayinclude proof of concept code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.
Any new information released during this time period will likely be exploited quickly, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the proof-of-concept code being announced. Portions of the many exploits already in the wild can be re-used in any new exploits, further hastening the process.
Enterprise users should note that server applications will be part of the applications that will have vulnerabilities exposed in September. These applications may take longer to patch, and in addition the potential for damage if one server is affected is greater than if one end-user system was affected.
Vendors will certainly rush out patches to fix any announced vulnerabilities, but hopefully the accelerated development will not cause complications. There have been cases in the past when vendors released patches that did not fix the vulnerabilities completely, resulting in re-issued patches.
For users, protecting themselves will prove to be difficult. No centralized update notification mechanism exists for third-party software, which means that ordinary users may not be aware that certain applications need to be updated. Many applications now integrate some form of auto-update, but this will still impose an unneeded burden on users who just want their computer to work.
Users should be on guard for any popular applications that have vulnerabilities revealed in September, as exploits for these are likely to spread even faster than usual. Applying patches and/or workarounds for vulnerable software that are released in September is highly recommended.
While patching of computers remains essential, Trend Micro also offers several free tools that can help prevent computer compromise – you can download them here.
Post from: TrendLabs | Malware Blog - by Trend Micro
New Zero-Day Vulnerabilities Imminent
trendmicro
08-31-2010 0:26
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC
08-27-2010 9:52
I have been exploring further the possible response actions an application might make once it has detected a suspected or actual attack, as a contribution to the OWASP AppSensor project. There is now a draft document describing response actions, discussed and announced last week.
The draft document AppSensor - Response Actions describes thirteen response actions, provides examples of each, and discusses how they might be categorised in order to help with selection of appropriate responses.
It is still a working document. If you have any suggestions or comments on the draft document, please send them to the AppSensor project's mailing list, or perhaps add them below. In particular, I'd like to discuss whether there are any other responses which aren't covered by the ones already included.
There is additional background information and links relating to web application intrusion detection and the OWASP AppSensor project in my posts about presentations in Newcastle and London, but I hope to present again later in the year.
Automated Attack Responses by Web Applications
Feed!
