Difference between revisions of "Advanced Encryption Standard"

 
The first attacks that recover the encryption key itself are due to Andrey Bogdanov, Dmitry Khovratovich and Christian Rechberger and were published in 2011.<ref>{{cite web |url=http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf |title=Biclique Cryptanalysis of the Full AES |author=Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger |year=2011}}</ref>
 
=== Side-channel attacks ===<!-- possibly out of date? -->
[[Side-channel attacks]] do not attack the underlying cipher, and so are unrelated to the security described here; instead they attack implementations of the cipher on systems that inadvertently leak data. Several such attacks on particular implementations of AES are known.
 
In April 2005, [[Daniel J. Bernstein|D.J. Bernstein]] announced a cache-timing attack that he used to break a custom server that used [[OpenSSL]]'s AES encryption.<ref name="bernstein_timing">{{cite web|url=http://cr.yp.to/papers.html#cachetiming |title=Index of formal scientific papers |publisher=Cr.yp.to |date= |accessdate=2008-11-02}}</ref> The attack required over 200 million chosen plaintexts.<ref>{{cite web | url = http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html | title = AES Timing Attack | author = Bruce Schneier | accessdate = 2007-03-17| archiveurl= http://web.archive.org/web/20070212015727/http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html| archivedate= 12 February 2007 <!--DASHBot-->| deadurl= no}}</ref> The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."<ref name="bernstein_timing" />
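The quoted point, that coarsening or dropping server timestamps is not a mitigation, can be illustrated with a small simulation. This is an added example with a constructed timing model; it is not code from the article or from Bernstein's paper, and the cycle counts, jitter and quantum are assumptions, not measurements of any real AES implementation.

```python
import random
import statistics

# Constructed model (assumption): every "encryption" costs BASE_CYCLES, plus
# LEAK_CYCLES when a secret-dependent condition holds, standing in for the
# extra cache miss of a data-dependent table lookup.
BASE_CYCLES = 1000
LEAK_CYCLES = 40


def operation_cycles(secret_bit):
    """True cost of one operation; the 40-cycle delta is the leak."""
    return BASE_CYCLES + (LEAK_CYCLES if secret_bit else 0)


def round_trip_sample(secret_bit, rng, quantum, jitter):
    """One client-side measurement: the true cost plus Gaussian network and
    scheduling jitter, then coarsened to a multiple of `quantum` cycles,
    which is what reducing timestamp precision amounts to."""
    t = operation_cycles(secret_bit) + rng.gauss(0.0, jitter)
    return quantum * round(t / quantum)


def estimate_leak(samples, quantum, jitter, seed=1):
    """Average `samples` measurements for each value of the secret bit and
    return the observed difference in cycles (deterministic for a seed)."""
    rng = random.Random(seed)
    slow = statistics.fmean(round_trip_sample(True, rng, quantum, jitter)
                            for _ in range(samples))
    fast = statistics.fmean(round_trip_sample(False, rng, quantum, jitter)
                            for _ in range(samples))
    return slow - fast


def leak_recovered(samples, quantum, jitter, seed=1):
    """True when the averaged difference lands within 15 cycles of the real
    40-cycle delta, i.e. the secret bit is still distinguishable."""
    return abs(estimate_leak(samples, quantum, jitter, seed) - LEAK_CYCLES) <= 15.0


if __name__ == "__main__":
    # A single noiseless reading quantised to 1024 cycles hides the delta...
    print(estimate_leak(1, 1024, jitter=0.0))
    # ...but averaging many jittery round trips brings it back.
    print(estimate_leak(200_000, 1024, jitter=1000.0))
```

With no noise the coarse clock really does hide the 40-cycle difference, but the client's own round-trip jitter acts as dither, so averaging enough samples recovers the difference to within a few cycles; only removing the secret-dependent timing itself (constant-time code or hardware AES) closes the channel.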
 
In October 2005, Dag Arne Osvik, [[Adi Shamir]] and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES.<ref>{{cite journal|url=http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf |title=Cache Attacks and Countermeasures: the Case of AES |format=PDF |date=2005-11-20 |author=Dag Arne Osvik|coauthors=Adi Shamir and Eran Tromer |accessdate=2008-11-02}}</ref> One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
 
In December 2009 an attack on some hardware implementations was published that used [[differential fault analysis]] and allowed recovery of a key with a complexity of 2<sup>32</sup>.<ref>{{cite journal|url=http://eprint.iacr.org/2009/581.pdf |title=A Diagonal Fault Attack on the Advanced Encryption Standard |author=Dhiman Saha, Debdeep Mukhopadhyay, Dipanwita RoyChowdhury |format=PDF |accessdate=2009-12-08| archiveurl= http://web.archive.org/web/20091222070135/http://eprint.iacr.org/2009/581.pdf| archivedate= 22 December 2009 <!--DASHBot-->| deadurl= no}}</ref>
 
In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either ciphertext or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL.<ref>{{cite web |url=http://eprint.iacr.org/2010/594.pdf |title=Cache Games – Bringing Access-Based Cache Attacks on AES to Practice |author=Endre Bangerter, David Gullasch and Stephan Krenn |year=2010}}</ref> Like some earlier attacks, this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than by commandeering the root account.<ref>{{cite web|url=http://news.ycombinator.com/item?id=1937902 |title=Breaking AES-128 in realtime, no ciphertext required &#124; Hacker News |publisher=News.ycombinator.com |date= |accessdate=2012-12-23}}</ref>
 
== NIST/CSEC validation ==