Are the AES legal key sizes really the limit?

Question

The AesCryptoServiceProvider.LegalKeySizes field shows you the allowed sizes in bits.

However what I don't understand is if those are true, how am I able to successfully utilise a 2048 bit key length (256 Bytes)?

I suppose my real question is, does my key get produced to the size requested (larger than max 32 Byte), but then only the first 32 Bytes (256 bits) are actually taken in the encryption/decryption process, rendering the larger key size a waste of space?

I don't know if there is a way of actually telling from what's exposed in the API...

Any thoughts? Maybe I'm looking at this in the wrong way?

Answer 1

AES can be used for 3 key sizes: 128, 192 and 256 bit keys. Basically if you are able to use larger keys than 256 bit, then the library is "lying to you" i.e. some bits of the larger key are discarded or compressed somehow. For instance PHP mcrypt simply cuts the size of the key down to the largest possible size.

Larger key "seeds" are rather common in the world of cryptography. For instance Diffie-Hellman - a key agreement algorithm - usually generates a secret larger than the key size required. So the question of extracting (concentrating) the amount of entropy in a key often arises. If bits are truncated then the entropy in those bits is discarded.

So what is actually used in modern cryptography is a KDF, a Key Derivation Function. If the input - the seed - is a password, you should utilize a PBKDF (Password Based KDF). Modern PBKDF's are PBKDF2, bcrypt, scrypt and Argon2.

If the input is already a key - data that is provides enough entropy (randomness) if taken together - you should utilize a KBKDF (Key Based KDF). A modern KBKDF is for instance HKDF. Note that these algorithms require additional input, so if no additional data is provided it is most likely that the extra key bits are simply ignored.

The cryptographic strength of AES-128 is and stays 128 bits of course. As long as these bits are indistinguishable from random by an attacker, AES-128 should provide enough security for practical needs. AES-256 could be used if you fear breakthroughs in Quantum Cryptography.

---

So for the answer: "Are AES legal key sizes really the limit?" the answer is a resounding yes. 2048 bit key sizes are more commonly found for asymmetric algorithms such as RSA / DSA. For RSA and DSA the key size is actually rather low, even though it should still be out of reach for practical attacks. Maybe the ciphertext was encrypted using hybrid encryption.