How secure is AES in a critical situation?

Question

So this one is a tinfoil-hat question. It is 99 % theoretical.

So we assume that I am someone who stores highly confidential information. Maybe super secret stolen goverment stuff. And I get caught by the authorities. The information is store in an AES256-XTS: Sha512 volume. The attacker has unlimited money and power. Maybe a data-center. So how long would it take to crack this and what would he attacks? The hash or the block cipher ?

PS: I know that AES was not chosen as standard because it is so secure, but because it has the best performance / hardware implementation / security balance. So maybe there are some AES backdoors in the implementation of some encryption-tools. So would it be better to use another algorithm in the case of highly sensitive data?

Answer 1

In practice, because they will target the easiest/weakest/least expensive link in the chain, they would attack you.

It is infinitely easier to threaten to crack someone's kneecaps to obtain their password then to crack an AES key.

Supposing they wanted to attack the cryptography specifically, for practice or fun, they would probably extract the key via a timing attack. This is not technically an attack on AES, it technically is an attack against a simple/common/fast implementation of AES. This is one of the few arguments I can think of for using an algorithm other then AES. Either that, or ensure that you utilize a constant time implementation of AES.

If your data is that confidential, then it is probably wise to utilize an algorithm that is not as vulnerable to leakage of information via side channels. Additionally, it's probably not safe to trust just software anymore: You would want a hardware security module.

Then, you need to become concerned with attacks against the hardware. You might opt for an algorithm that has been design with advanced counter-measures in mind, such as one based on the Keccak permutation.