AES can use keys of size 128, 192 and 256bits. The longer the key (the larger the number of bits) the stronger protection it provides. The AES implementation I was up against used 128bit keys. So I was trying to brute force the weakest form of AES. Every bit in the key can be either a 0 or a 1 which means there are 2 possible values for every bit. A 128 bit key then has 2128 possible key values. That is 2 to the power of 128, or 2 multiplied by itself 128 times. Just how large this number is will be explained in more detail below. The next step was to write the program to perform the bruteforcing. I had a small amount of encrypted data and the decrypted equivalent. The bruteforcer program continually attempts to decrypt the encrypted data using different key values. If the result is the same as the decrypted data I knew, then the correct key had been found. Once completed, the bruteforcer program was able to test 2 million possible keys every second! This seemed to me to be a huge amount of keys being tested, so surely it would only be a matter of time before it found the correct key. Before I wrote the bruteforcer program I had no idea how many keys would be able to be bruteforce tested in a second. Now that I had an actual figure I could let my bruteforcer run while I did some math to work out how long before I would have my key. The maximum number of seconds it would take to find the key: 2128 keys 2,000,000 keys/second = 1.7e+32 secondsFor those not fluent in calculator speak 1.7e+32 means 1.7 x 1032, which means you move the decimal point to the right 32 times. So then the number is 17 followed by 31 zeros. This seems like a lot of seconds, but it is hard to gauge time in large numbers of seconds. So for the benefit of the humans here, lets use years instead of seconds for our measurements of time. First we need to work out how many seconds there are in a year. We will approximate to simplify the math: 365 days x 24 hours x 60 minutes x 60 seconds = 31,536,000 seconds in a year Now we can work out how many keys the bruteforcer can test in a year: 2,000,000 keys/second x 31,536,000 seconds = 63,072,000,000,000 keys/year Finally we can work out the maximum number of years it would take to find our key: 2128 keys 63,072,000,000,000 keys/year = 5,395,141,535,403,007,094,485,264 years Now we actually get a number that is small enough to to display on the calculator without requiring calculator speak Another way of writing these numbers is: 5,395,141,535,403,007,094 million years5,395,141,535,403,007 billion yearsBeing that the current age of the universe is estimated to be 15 billion years old I think it is fair to say that it is impossible to work out an AES key by bruteforce. But what if? But what if you were to optimise your bruteforcer? And what about increases in computing power every year? What if you created a distributed bruteforcer program that everyone around the world can run? What if you were to randomly guess keys instead of trying all keys incrementally? Assuming I could optimise my bruteforcer to be 1,000,000 times faster, and that computers suddenly became 1,000 times more powerful and that every single person in the world (7,000,000,000) owned one of these new computers then: 5,395,141,535,403,007,094,485,264 years (1,000,000 x 1,000 x 7,000,000,000)= 770734 yearsOr if it were to use random guesses, then every year that passes there would be a 1 in 770734 chance that someone somewhere guessed the right number.