7
.
In comparison, DES keys are 56 bits long, which means there are approximately 7.2 x 10^16 possible DES keys. Thus, there are on the order of 10^21 times more AES 128-bit keys than DES 56-bit keys.
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message. Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.[3] Table 3 details the different methods of encryption and their associated keys.
Table 3. Methods of Encryption and Their Associated Keys[4]

| Encryption | Bits in Key | Number of Possible Keys |
|---|---|---|
| DES | 56 | 2^56 = 72,057,594,037,927,900 |
| AES | 128 | 2^128 = 340,282,366,920,938,000,000,000,000,000,000,000,000 |
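The key-search estimate above and the key counts in Table 3 can be reproduced with exact integer arithmetic. The following is an added example, not part of the original paper or the NIST fact sheet; it assumes a 365.25-day year and that the quoted times are average-case (half the key space searched), and it goes beyond the text by also covering the 192-bit and 256-bit AES key sizes.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 31_557_600   # 365.25 days; assumption, the page does not say
PAGE_RATE = 2**55               # keys/second of the page's hypothetical machine

def keyspace(bits):
    """Exact number of distinct keys of the given length."""
    return 1 << bits

def magnitude_gap(big_bits, small_bits):
    """Power of ten by which one key space exceeds the other."""
    return len(str(keyspace(big_bits) // keyspace(small_bits))) - 1

def search_seconds(bits, rate=PAGE_RATE, fraction=Fraction(1, 2)):
    """Seconds to try `fraction` of the key space (1/2 = average, 1 = worst case)."""
    return Fraction(keyspace(bits)) * fraction / rate

def search_years(bits, rate=PAGE_RATE, fraction=Fraction(1, 2)):
    """The same search time expressed in years, as a float for display."""
    return float(search_seconds(bits, rate, fraction) / SECONDS_PER_YEAR)

if __name__ == "__main__":
    for bits in (56, 128, 192, 256):
        print(f"{bits:>3}-bit: {keyspace(bits):.3e} keys, "
              f"average {search_years(bits):.3e} years, "
              f"worst case {search_years(bits, fraction=Fraction(1)):.3e} years")
    print("AES-128 vs DES: 10^%d times more keys" % magnitude_gap(128, 56))
```

At 2^55 keys per second the average DES search takes exactly one second, and the average AES-128 search takes about 149 trillion years; exhausting the whole key space takes twice as long in each case.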
According to NIST, the Rijndael algorithm was chosen for the following reasons:
“When considered together, Rijndael's combination of security, performance,
efficiency, ease of implementation and flexibility make it an appropriate selection
for the AES.
Specifically, Rijndael appears to be consistently a very good performer in both
hardware and software across a wide range of computing environments regardless
of its use in feedback or non-feedback modes. Its key setup time is excellent, and
its key agility is good. Rijndael's very low memory requirements make it very
well suited for restricted-space environments, in which it also demonstrates
excellent performance. Rijndael's operations are among the easiest to defend
against power and timing attacks.
Additionally, it appears that some defense can be provided against such attacks
without significantly impacting Rijndael's performance. Rijndael is designed with
some flexibility in terms of block and key sizes, and the algorithm can
accommodate alterations in the number of rounds, although these features would
require further study and are not being considered at this time. Finally, Rijndael's
[3] Advanced Encryption Standard Fact Sheet, Computer Security Division, National Institute of Standards & Technology, January 19, 2001.
[4] Security Complete, Adapted from Active Defense, by Chris Brenton with Cameron Hunt.