Are 128 and 256bit AES encryption considered weak?

Solution 1:

A recent AES-256 break described by Bruce Schneier in his July 30, 2009 posting,
Another New AES Attack

There are three reasons not to panic:

  1. The attack exploits the fact that the key schedule for 256-bit version
    is pretty lousy -- something we pointed out in our 2000 paper -- but doesn't extend
    to AES with a 128-bit key.
    • It's a related-key attack, which requires the cryptanalyst to have access to
      plaintexts encrypted with multiple keys that are related in a specific way.
    • The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.

Not much comfort there, I agree. But it's what we have. Cryptography is all about safety margins. If you can break n rounds of a cipher, you design it with 2n or 3n rounds. What we're learning is that the safety margin of AES is much less than previously believed. And while there is no reason to scrap AES in favor of another algorithm, NIST should increase the number of rounds of all three AES variants. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don't want to be revising the standard again and again.

And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change.

The paper I have is still a draft. It is being circulated among cryptographers, and should be online in a couple of days. I will post the link as soon as I have it (paper ref).

The quote above has highlights relevant to the question and
mild typographical changes I made.
Schneier was probably typing slower then he thinks...
The original reference is linked for the purists.


Finally, if you want to look at what some Stackoverflow users want to say about,
Is it possible to reverse engineer AES256?

Solution 2:

Short answer: no. For the moment at least.

There was a published attack against AES128 that if I remember rightly knocked a bit or so off the effective strength of the algorithm and key size combination used.

The more recent attack vectors identified against AES256 are potentially more serious as they could theoretically push the effective strength below that of AES-128 but only in certain very very specific circumstances. IIRC these attack vectors are not practical in the real world. They are being taken seriously by the crypto community though, as the existence of an impractical-but-possible attack method may lead to the discovery/development of a more real-world practical one.

Solution 3:

Bruce Schneier discussed this on his blog on 2009-07-30. Superficially, it appears that AES-192 and AES-256 may be less strong than AES-128. Although the algorithms are secure for the time being, as David Spillet says in his answer, there are questions being raised now, and (as Bruce Schneier says in the linked blog entry) "This again proves the cryptographer's adage: attacks always get better, they never get worse".