Questions tagged [aes]

The AES (Advanced Encryption Standard) is a symmetric block-cipher algorithm with a 128-bit block size and key sizes of 128, 192 or 256 bits. It was developed through an international competition and standardised by NIST in 2001.

The original candidate that was to become the AES, Rijndael, was developed by Joan Daemen and Vincent Rijmen. It is built in the form of a Substitution-Permutation framework, and utilises MDS codes to achieve rapid diffusion characteristics.

One significant reason behind its selection was that it could be implemented in a number of different ways, making it very adaptable for use on different platforms.

Some notable cryptographers were worried that the simple algebraic structures used by its internal components might have led to a catastrophic weakness, but at the time of writing no such flaws have been found.

2704 questions
101 votes, 1 answer

What is the difference between PKCS#5 padding and PKCS#7 padding

One runtime platform provides an API that supplies PKCS#5 padding for block cipher modes such as ECB and CBC. These modes have been defined for the triple DES, AES and Blowfish block ciphers. The other platform API only provides PKCS#7 padding. Are…
Maarten Bodewes
92 votes, 4 answers

What are the practical differences between 256-bit, 192-bit, and 128-bit AES encryption?

AES has several different variants: AES-128, AES-192, AES-256. But why would someone prefer to use one over another?
foobarfuzzbizz
91 votes, 5 answers

Is AES-256 weaker than 192 and 128 bit versions?

From a paper via Schneier on Security's Another AES Attack (emphasis mine): In the case of AES-128, there is no known attack which is faster than the $2^{128}$ complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be…
quantumSoup
88 votes, 5 answers

How secure is AES-256?

The cipher AES-256 is used among other places in SSL/TLS across the Internet. It's considered among the top ciphers. In theory it's not crackable since the combinations of keys are massive. Although NSA has categorized this in Suite B, they have…
Gustav
82 votes, 3 answers

What is safer: ZipCrypto or AES-256?

Like in title: which one of these encryption methods (ZipCrypto, AES-256) is more secure and why? I am asking about it because I'd like to know which should be preferred when compressing files with Zip.
alex
63 votes, 6 answers

Why is AES resistant to known-plaintext attacks?

At least it's my understanding that AES isn't affected by known-plaintext. Is it immune to such an attack, or just resistant? Does this vary for chosen-plaintext?
Jeff Ferland
58 votes, 5 answers

What are the chances that AES-256 encryption is cracked?

I'm currently building a web application and would like to encrypt all data on the back-end. I was thinking of using the AES-256 encryption but wasn't sure how safe it was. I did that math and felt safe. I took this model to a professor at my…
Jacob Henning
50 votes, 2 answers

AES CBC mode or AES CTR mode recommended?

What are the benefits and disadvantages of CBC vs. CTR mode? Which one is more secure?
mary
50 votes, 2 answers

AES-GCM recommended IV size: Why 12 bytes?

When using AES-GCM, a 96-bit IV is generally recommended. Most implementations I've seen also use 96-bit. However, I'm unsure on where this recommendation or convention comes from. Let's assume a shorter IV is bad. Assuming all other constraints for…
Hendrikvh
49 votes, 1 answer

AES256-GCM - can someone explain how to use it securely (ruby)

I am looking into using AES256-GCM for encrypting some database fields. I know that for AES256-CBC, I need to generate a new IV for each encrypt, but I can use the same key. The IV can be openly stored alongside the ciphertext (ie, it can be…
47 votes, 2 answers

How to choose between AES-CCM and AES-GCM for storage volume encryption

We are using the encryption built into Solaris 11 ZFS, which offers the choice between CCM (CBC counter mode) and GCM (Galois counter mode). What are the pros and cons of choosing each of these cipher modes?
ruief
47 votes, 2 answers

Is AES-128 quantum safe?

I've been reading lately some contradicting messages with regards to the quantum-safe resistance of AES128. First, there are blog posts by Ericsson people like these ones: Can quantum attackers break AES-128? No. NIST estimates that a quantum…
Jimakos
44 votes, 1 answer

Ciphertext and tag size and IV transmission with AES in GCM mode

I am completely new to using AES in GCM mode of operation, and I have not a very large background in cryptography as well. I have been playing with OpenSSL trying to encrypt and decrypt some messages. From my simple experiments rise the following…
Matteo Monti
43 votes, 3 answers

Is AES-256 a post-quantum secure cipher or not?

We know Grover's algorithm speedup brute-force attacks two times faster in block ciphers (e.g brute-forcing 128-bit keys take $2^{64}$ operations, not $2^{128}$). That explains why we are using 256-bit keys to encrypt top secrets. But latest…
AES256
43 votes, 3 answers

Why does nobody use (or break) the Camellia Cipher?

If Camellia is of equivalent security and speed to AES, concerns arise. First of all, assuming the above, why is Camellia so rarely used in practice? Why aren't there any breaks in Camellia? Does that mean that Camellia is currently more secure than…
Chris Smith