The only successful attacks against AES data encryption have been side-channel attacks, which don't attack the actual AES cipher, rather its implementation. For example, in 2005, without brute force, a hacker captured inadvertently leaked time-caching data and broke a custom server that used OpenSSL's AES encryption. Encryption algorithms themselves are usually not the weak point in an encryption product or service. Usually, there are implementation flaws or key management errors, which is why the implementation of AES in products intended to protect national security systems and information has to be reviewed and certified by the NSA prior to their use.
Although AES is free for any use public or private, commercial or non-commercial programs that provide encryption capabilities are subject to U.S. export controls and sanctions administered by the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR) and the Commerce Control List (CCL). Most commercial encryption products have a license exception assigned to them by the BIS. The exception allows them to be exported to specified destinations without having to obtain a separate license each time from the Commerce Department. None of these license exceptions, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
The control of the export of encryption tools is taken seriously by the U.S. government and by vendors. In data encryption provider PGP Corp.'s license agreements, for example, customers must represent that they will not export to a prohibited country or to a restricted type of user. Even the release of technology or source code to a foreign national in the United States is subject to the EAR and is deemed to be an export to the home country of the foreign national. Although export regulations have been relaxed, they are still quite complex, so I suggest you contact a lawyer for further advice.
This was first published in August 2009