In earlier posts I discussed what’s wrong with WPA and why it’s always a bad idea to base a standard around a single method of encryption, even AES. Bruce Schneier posted to his blog today regarding a new attack against AES. In short, the paper he references identifies how to dramatically reduce the number of guesses required to retrieve a key. While it’s not practical today for a basement hack to perform the attack, it’s still nasty stuff.
The attack in question is what is referred to as a related-key attack. This requires the attacker to have some level of knowledge of the plaintext secured by multiple related keys. In other words, we need to already know a bit of what is being protected and where to look for it.
This is a serious problem when you are talking about VPNs or wireless, because we are using AES to secure IP traffic. IP uses some pretty consistent values:
- Byte 0 contains the IP version (usually 4) and the size of the IP header (usually 20 bytes)
- Byte 1 contains the type of service field (usually not used so set to 0)
- Bytes 2 & 3 contain the total length field (a consistent value for traffic like ARP packets if you know the OS)
- Byte 8 contains the TTL (a consistent value on a per OS basis)
- Bytes 12-15 contain the source IP address (a consistent value for each specific system)
And that’s just the IP header…
So when we protect traffic on the wire, related key attacks can be particularly evil because there are many repetitive values to work with.
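To make those repetitive values concrete, here is an added example (not from the original post) that builds a few IPv4 headers for one sending host and reports which byte offsets never change across them. The header builder, the sample addresses and the assumption of a 20-byte header without options are all constructed for this example.

```python
import struct
from typing import List, Set

def build_ipv4_header(total_length: int, ident: int, proto: int,
                      src: str, dst: str, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (IHL=5, no options).
    Headers built here are constructed samples, not captured traffic."""
    version_ihl = (4 << 4) | 5   # byte 0: version 4, header length 5 words = 20 bytes
    tos = 0                       # byte 1: type of service, normally unused
    flags_frag = 0x4000           # bytes 6-7: "don't fragment", fragment offset 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", version_ihl, tos, total_length, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    # bytes 10-11: ones'-complement checksum over the header with the field zeroed
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (~csum) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def constant_offsets(headers: List[bytes]) -> Set[int]:
    """Byte offsets whose value is identical in every header.
    Each one is plaintext an eavesdropper can predict without decrypting
    anything, which is exactly what a known-plaintext or related-key
    attack on the cipher feeds on."""
    if not headers:
        return set()
    length = min(len(h) for h in headers)
    return {i for i in range(length) if len({h[i] for h in headers}) == 1}

def predictable_fraction(headers: List[bytes]) -> float:
    """Fraction of the 20-byte header that is constant across the sample."""
    return len(constant_offsets(headers)) / 20

# Constructed sample: one host (10.0.0.7, TTL 64) sending TCP (proto 6) to four peers.
SAMPLE = [
    build_ipv4_header(60, 0x1A2B, 6, "10.0.0.7", "93.184.216.34"),
    build_ipv4_header(52, 0x1A2C, 6, "10.0.0.7", "142.250.72.14"),
    build_ipv4_header(1500, 0x1A2D, 6, "10.0.0.7", "10.0.0.1"),
    build_ipv4_header(40, 0x3F01, 6, "10.0.0.7", "172.16.5.9"),
]
```

Against this sample, half of every header (version/IHL, ToS, flags, TTL, protocol and the source address) is constant, while only length, identification, checksum and destination vary.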
So what should you do? I’ll fall back on the same advice I gave in those earlier posts I referenced above. Make sure you have more options than just a single encryption algorithm, just in case things get a whole lot worse.