Using AES-128 with only 64-bit uniform random is not secure. There are many entities around that can break this easily by searching the $2^{64}$- space.
| Machines |
in a second |
in an hour |
in a day |
in a year |
| Summit on SHA-1 |
$\approx 2^{49.7} $ |
$ \approx 2^{61.5}$ |
$\approx 2^{66.1}$ |
$\approx 2^{74.6}$ |
| Titan on SHA-1 |
$\approx 2^{49.1} $ |
$\approx 2^{61.0}$ |
$ \approx 2^{65.5}$ |
$\approx 2^{74.1}$ |
| Bitcoin Miner on SHA-256D |
$\approx 2^{67.1}$ |
$\approx 2^{78.9}$ |
$\approx 2^{83.5}$ |
$\approx 2^{92.09}$ |
See the details here*;
Only possible additional complexity that you can put is using Key Derivation Functions that has iteration count/ memory-cache hardness, and parallelization hardness. However, this will not be enough to save you, because;
- you need around $2^{64}$-iteration (to reach $2^{128}$) to reduce the attack speed of the brute force ( assuming that you crippled the ASIC/FPGA with memory hardness, and crippled the parallelization, too) so that they will need to execute $2^{64}$ steps to derive the key from one of the $2^{64}$ candidate keys. Well, this is not meaningful for you.
As, a conclusion, you are safe as much as further you can iterate and you can correctly use the KDFs;
Scrypt, Balloon, Argon2, or better bScrypt ( has cache hardness )
Reaching $2^{64}$ for a single entity is very hard, for you, too. And, NIST requires at least 112-bit security from lightweight crypto, this should mean something to us. Even for reaching 112 bits of security, you may need days, months, on your key generation to encrypt or decrypt to access your files.
Note: The Grover's machine was not considered on the above, it may break(!) the AES-128 if the problems are solved.
I am using AES in counter mode, so does that increase / decrease the effort required by the attacker?
Not much, CTR mode enables random access, that's all here.
* The table was calculated for SHA-1 and SHA-2, and should gives us some information about publicly available computing powers.
