How to explain just how secure AES is in layman terms?

Question

I have a rather particular classmate who wholeheartedly believes that there isn't such a thing as reasonably secure cryptography and that most people can steal encrypted data. I have attempted to explain (with must frustration) the security of AES. I often attempt to make points about how certain implementations and stream ciphers can result in data leaks, but AES in practice with proper implementations is feasibly unbreakable.

I am trying to find a way to present that AES is secure when everything is done correctly by developers. Any help to explain this to someone who is not cryptographically inclined would be a great help.

I have attempted to explain the math and just how large the keyspace is; the amount of energy required to bruteforce a key; econmical impacts of cracking the cipher, and with no avail.

Answer 1

Some audiences react positively to this line of arguments:

• Mathematical attack are unlikely: the AES block cipher as a mathematical construction has been scrutinized for 15 years by many bright brains, yet what they published leaves trying all the keys as the best attack within a small factor (less than 4 for the weakest AES-128), assuming random and secret keys. Anyone with a better attack would gain high social status by revealing it. And there is positive mathematical proof that attacks against mode of operations (AES-CTR..) are impossible without attack on the block cipher. We can conclude that it is unlikely that there exists a good mathematical attack; and even more unlikely that a particular attacker knows about it.
• Brute force attacks are impossible with our current knowledge: there simply are too much keys to look among. Using all the money (easily, hundreds million USD) and energy that was ever used for bitcoin mining, we could perhaps break a 95-bit key. Breaking a 128-bit key requires $2^{33}$ times more effort; that's well over the ratio of cost of manufacturing all the cars now on earth, to the marginal cost of manufacturing one.
• Remaining attacks are those on usage or implementation: the key can leak from its holder, or be poorly chosen, or be derived from a weak password, or be poorly derived from a fair passphrase; the key can leak thru compromise of the machine on which it is stored or used, or side channels including timing; there might be implementation goofs, including in random generator, and mode of operation. These are very real threats, and practitioners know that humans are bad at keeping secrets (they often let it leak or/and vanish), programmers often goof or make poor choices (especially when it comes to transformation of password/passphrase to key), and it is extremely hard to be highly confident that an implementation is fully immune against attacks by an adversary that is physically close to the machine, or had physical or logical access to it (including software, design of the hardware).

An honest, knowledgeable and prudent practitioner can tell that hardware AES implementations (including those with AES-NI) are verifiably immune from timing attacks, which is the only known side channel that can be exploited from a large distance, assuming the implementation is not intentionally rigged; thus s/he's confident that save for a compromise of the key, the machine or its software, a machine using such hardware AES implementation is safe from any kind of attack from distant adversaries.

Note: I have found that admitting flatly that attacks on usage and implementation are possible, and happen, helps convince that mathematical and brute force attacks do not, and that a particular implementation is safe enough.

Answer 2

Rather than getting into the complexities of AES and complexity-theoretic security, it may be easier to convince your classmate that there is such a thing as "reasonably secure cryptography" if you show him/her the one-time pad and walk through the proof of unconditional/perfect security for it. In laymen terms, a uniformly random key of sufficient size and used only once makes every plaintext (of equal length to the ciphertext) equally likely. And if every plaintext is equally likely then -no matter how clever the attacker is or how much computer power the attacker has- the attacker gains no more information about the plaintext upon seeing the ciphertext than if you had simply told them the length of the ciphertext and let them try to guess the plaintext from that.

Answer 3

You might frame the discussion in terms of AES's goals:

• Resistance to differential attacks. One of the design goals was resistance to differential attacks, roughly meaning you look for non-uniform behavior through the transformations and rounds of the algorithm. The AES S-box and "shift row" step in a round accomplish this.

• Byte diffusion. You want your input plaintext to be "scattered" in a uniform way. In the "mix column" layer, changing an input byte will change all four output bytes.

• Partial key recovery is difficult. The "key schedule" layer uses the S-box, which is very nonlinear. Even if the opponent knows some bits of the key, this makes it hard to learn about the rest of it.

• After a few rounds, brute force is your best option. Your classmate may not be convinced that any crypto is worthy, since you can try to brute-force anything. After about seven or eight rounds, brute force is the best you can do.

So you have a system that, when implemented correctly, 1) makes guessing the key extremely difficult even if part of it is known, 2) emits ciphertext that depends nonlinearly on all the input bits, and 3) tracing non-random behavior through the algorithm is very difficult. Also, toss in the fact that encryption and decryption are different prevents it from some of having "weak keys" like DES.

Only you know how best to reach this particular classmate, but you may want to flip it back and ask, "What would even convince you? What more would you want?"

Also, for your part, you should be aware of what attacks AES is vulnerable to, regardless of whether they are practical or theoretical.