Posted by Alf Norris (Conseal USB Lead Developer), 14 Feb 2011

The power of 256-bit AES encryption is *awesome*. To explain just how powerful it is takes numbers far larger than can really make sense to our brains... but it's worth a try.

The "256-bit" part of the name means that the key which provides access to the protected content is 256 bits in length - that is, it is one of 2^{256} possible combinations.

So imagine you have a file encrypted using 256-bit AES, and that you can just sit there trying combinations to crack it open.

Let's pick a crazy-high number: say you can try a million million million combinations every *milli*second. At that rate, it would take about 3 million million million million million million million million years to try every combination. That's older than your grandma; even older than Bruce Forsyth.

It's more combinations than there are atoms on the whole planet. About 70,000,000,000,000,000,000,000,000 times more to be precise.

For it to take "only" as long as the age of the universe to crack, you'd need to type in about 2.8 x 10^{59} combinations per *second* - that's 280,000 with 9 "millions" after it.

That's why AES is considered, for now, an unbeatable encryption. The NSA have approved it to protect information classified as "top secret" - and that is genuinely the top endorsement possible.

...To which the obvious response is: Unbeatable! Well that sounds like a challenge!

How can it be beaten? As we've seen, trying to get the encryption key by brute force is not clever. But can we get hold of it some other way? Surprisingly, this might not be so difficult.

Take a normal encrypted disk: you provide a password and the disk unlocks. Inside, this works in one of two ways:

- The encryption key is based on the password itself. So for example it could be the SHA-256 hash of the password, or any other way of mashing it around to generate a 256-bit number.
- The password you enter is used to release the encryption key. Note (and this is important) that this means the encryption key is stored on the disk.

Releasing the encryption key almost always works like this: the password itself acts as an encryption key, which secures the actual key we're interested in.

In both of the above two cases, the password is the weak link. It no longer matters that we're using super-strength 256-bit AES encryption: just figure out the password and you've got the data.

In other words, we've reduced the complexity of the task from "decrypt 256-bit AES" to "crack a password".
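To put numbers on that reduction, here is an added example (not code from the original post or from Conseal USB) that derives a key the way the first design describes, derives it again with a salted, slow KDF, and estimates how many bits of work each leaves an attacker. The function names, the PBKDF2 variant, the sample password, the alphabet sizes and the iteration count are all assumptions chosen for illustration.

```python
import hashlib
import math
import os

AES_KEY_BITS = 256  # key size discussed in the post


def key_from_plain_hash(password: str) -> bytes:
    """Design 1 from the post: the AES key is simply SHA-256(password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_from_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Hardened variant (assumption, not from the post): salted, slow PBKDF2."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_space_bits(alphabet_size: int, length: int) -> float:
    """Search space of a uniformly random password, in bits (an upper bound:
    human-chosen passwords carry less entropy than this)."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size: int, length: int, iterations: int = 1) -> float:
    """Approximate attacker work in bits, counted in hash evaluations.
    Each guess costs `iterations` evaluations; the result is capped at the
    AES key size, beyond which guessing the key itself is no harder."""
    bits = password_space_bits(alphabet_size, length) + math.log2(iterations)
    return min(AES_KEY_BITS, bits)


if __name__ == "__main__":
    sample_password = "example-pass"   # constructed sample value
    salt = os.urandom(16)              # random per-disk salt
    rounds = 600_000                   # constructed iteration count
    print("plain hash key:", key_from_plain_hash(sample_password).hex())
    print("pbkdf2 key    :", key_from_pbkdf2(sample_password, salt, rounds).hex())
    for label, alphabet, length in [
        ("8 lowercase letters", 26, 8),
        ("12 printable ASCII", 95, 12),
        ("20 printable ASCII", 95, 20),
    ]:
        fast = effective_bits(alphabet, length)
        slow = effective_bits(alphabet, length, rounds)
        print(f"{label}: {fast:.1f} bits hashed once, {slow:.1f} bits with PBKDF2,"
              f" versus {AES_KEY_BITS} for the AES key")
```

A slow KDF adds only about log2(iterations) bits, so it raises the cost of each guess but does not make a short password comparable to a 256-bit key.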

As Tom has demonstrated previously, cracking a password is not always difficult, so long as you have the hash to compare it against (or you can do some processing to tell you whether it's the right password or not; figuring out what that processing is lies outside the scope of this post, but it need not be too complex).

So here's how to break unbreakable 256-bit encryption, on an encrypted disk:

- Get the hash of the password used to lock the disk (or figure out what processing you need to do)
- Run a dictionary attack against the hash to see if it's a known one
- If not, try combinations one-by-one in an intelligent order, as the entropy of human-chosen passwords is low
- Use the password to get the encryption key
- Decrypt the disk's contents

...and that's it!

Don't actually do this of course, it's illegal.