# When 128 bits are not enough to protect your passwords

May 01, 2007Clipperz online password manager is a cryptographic system designed and built to achieve a **128-bit security level**. This could be an obscure statement and I will try to clarify it.

The concept of security level is approximate, but I think that Bruce Schneier definition is a sensible one: he says that a security system that requires 2^{n} “steps” of some kind of work to be successfully attacked has a security level of *n* bits. It’s a vague definition since each step could be as simple as a table lookup or as complex as performing an involved computation task. But it’s good enough to design and evaluate cryptographic systems.

Does a 128-bit security level mean that symmetric encryption should be performed using 128 bits keys? No, it doesn’t! There is not a one-to-one relationship between the security level and the main parameter of a cryptographic primitive (key size for ciphers, output size for hash functions, …).

AES is a very good example to better understand this quite common error.
Several cryptographic systems (and all **password managers**!) choose a 128-bit key for their AES implementations ignoring the risks of birthday and meet-in-the-middle attacks. Even if these attacks are not yet practical, they are possible and the theoretical security level cannot be claimed to be higher than 64 bits.

This potential weakness is probably the one that made the NSA draw a line between “secret” and “top secret” documents in their recent recommendations.

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.”

Moreover AES has recently faced a new kind of attacks dubbed XSL attacks, based on the idea of recovering the AES key by solving a system of multivariate quadratic equations that algebraically describes the encryption algorithm.

We know that all these attacks are possible and someone could find a clever way to exploit them, but there is no need to panic because, even in that case, they can only, at most, halves the search space.

Since Clipperz aims to provide security to your passwords and confidential data for at least the next **50 years**, we had to guarantee a 128-bit security level. **Therefore Clipperz adopted AES in CTR mode with a 256-bit key size.**

Even if the above attacks are successful they will still require an exhaustive search over 2^{128} elements, hence Clipperz will still have a 128-bit security level.

AES is much slower for 256-bit keys than for 128-bit keys, but security, as most good things in life, does not come for free. Luckily with Clipperz the only price you have to pay is waiting a bit longer!

**Now sit back and relax until 2057!**