Posted by Alf Norris (Conseal USB Lead Developer), 14 Feb 2011
The power of 256-bit AES encryption is awesome. To explain just how powerful it is takes numbers far larger than can really make sense to our brains... but it's worth a try.
The "256-bit" part of the name means that the key which provides access to the protected content is 256 bits in length - that is, it is one of 2256 possible combinations.
So imagine you have a a file encrypted using 256-bit AES, and that you can sit just trying combinations to crack it open.
Let's pick a crazy-high number: say you can try a million million million combinations every millisecond. At that rate, it would take about 3 million million million million million million million million years to try every combination. That's older than your grandma; even older than Bruce Forsyth.
It's more combinations than there are atoms on the whole planet. About 70,000,000,000,000,000,000,000,000 times more to be precise.
For it to take "only" as long as the age of the universe to crack, you'd need to type in about 2.8 x 1059 combinations per second - that's 280,000 with 9 "millions" after it.
That's why AES is considered, for now, an unbeatable encryption. The NSA have approved it to protect information classified as "top secret" - and that is genuinely the top endorsement possible.
...To which the obvious response is: Unbeatable! Well that sounds like a challenge!
How can it be beaten? As we've seen, trying to get the encryption key by brute force is not clever. But can we get hold of it some other way? Surprisingly, this might not be so difficult.
Take a normal encrypted disk: you provide a password and the disk unlocks. Inside, this works in one of two ways:
In both of the above two cases, the password is the weak link. It no longer matters that we're using super-strength 256-bit AES encryption: just figure out the password and you've got the data.
In other words, we've reduced the complexity of the task from "decrypt 256-bit AES" to "crack a password".
As Tom has demonstrated previously, cracking a password is not always difficult, so long as you have the hash to compare it against (or you can do some processing to tell you whether it's the right password or not. Figuring out what processing is out of the scope of this post, but it need not be too complex).
So here's how to break unbreakable 256-bit encryption, on an encrypted disk:
...and that's it!
Don't actually do this of course, it's illegal.