Are the AES legal key sizes really the limit?

StackOverflow https://stackoverflow.com/questions/23256642

Question

The AesCryptoServiceProvider.LegalKeySizes field shows you the allowed sizes in bits.

However what I don't understand is if those are true, how am I able to successfully utilise a 2048 bit key length (256 Bytes)?

I suppose my real question is, does my key get produced to the size requested (larger than max 32 Byte), but then only the first 32 Bytes (256 bits) are actually taken in the encryption/decryption process, rendering the larger key size a waste of space?

I don't know if there is a way of actually telling from what's exposed in the API...

Any thoughts? Maybe I'm looking at this in the wrong way?

Was it helpful?

Solution

AES can be used for 3 key sizes: 128, 192 and 256 bit keys. Basically if you are able to use larger keys than 256 bit, then the library is "lying to you" i.e. some bits of the larger key are discarded or compressed somehow. For instance PHP mcrypt simply cuts the size of the key down to the largest possible size.

Larger key "seeds" are rather common in the world of cryptography. For instance Diffie-Hellman - a key agreement algorithm - usually generates a secret larger than the key size required. So the question of extracting (concentrating) the amount of entropy in a key often arises. If bits are truncated then the entropy in those bits is discarded.

So what is actually used in modern cryptography is a KDF, a Key Derivation Function. If the input - the seed - is a password, you should utilize a PBKDF (Password Based KDF). Modern PBKDF's are PBKDF2, bcrypt, scrypt and Argon2.

If the input is already a key - data that is provides enough entropy (randomness) if taken together - you should utilize a KBKDF (Key Based KDF). A modern KBKDF is for instance HKDF. Note that these algorithms require additional input, so if no additional data is provided it is most likely that the extra key bits are simply ignored.

The cryptographic strength of AES-128 is and stays 128 bits of course. As long as these bits are indistinguishable from random by an attacker, AES-128 should provide enough security for practical needs. AES-256 could be used if you fear breakthroughs in Quantum Cryptography.

So for the answer: "Are AES legal key sizes really the limit?" the answer is a resounding yes. 2048 bit key sizes are more commonly found for asymmetric algorithms such as RSA / DSA. For RSA and DSA the key size is actually rather low, even though it should still be out of reach for practical attacks. Maybe the ciphertext was encrypted using hybrid encryption.

OTHER TIPS

You can use larger key sizes with Rijndael, the encryption algorithm on which AES is based, usually up to some library-defined limit. However, you can only use key sizes of 128, 192 or 256 bits with AES. Some implementations may use the first X bits (where is is the key size of 128, 192 or 256 bits) of a byte array or bit stream (usually C/C++ ones) but the .Net Base Class Library (BCL) implementations do not, as @Blorgbeard mentions in his comment.

Edit: To clarify the relationship between Rijndael and AES, AES is a specification created by the US National Institute of Standards and Technology (NIST) (FIPS 197 to be precise) that defines a subset of Rijndael. AES is included in FIPS 140-2, meaning it is approved for certain uses by US government departments.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top