MFT Resource Center

AES

The Advanced Encryption Standard, or AES, is a symmetric key block cipher. The US National Institute of Standards and Technology (NIST) established AES in 2001 to replace the Data Encryption Standard (DES) and 3DES, which had been in effect since 1977 and had become more vulnerable to compromise, particularly using brute force attacks.

Overview

AES encryption has become the industry standard for data security.

AES is open source and free to use by any person or entity for both commercial and non-commercial uses. AES is the first and only publicly-available cipher approved by the National Security Agency (NSA) for handling top-secret government information and intelligence data.

AES impacts a great number of everyday functions for both IT professionals and consumers who rely on data privacy safeguards. Major programming languages rely on AES security, for instance: C, C++, Java, Javascript, and Python.

AES is used for file compression programs as well as messaging applications like Facebook Messenger. All Intel and AMD processors include an AES instruction set to protect against hacking. Even video games like the Grand Theft Auto franchise rely on AES.

How AES Encrypts Data

Since AES is a symmetric key encryption cipher, the same key is used to encrypt and decrypt data. The AES algorithm encrypts and decrypts data in 128, 192, or 256-bit blocks (referred to as AES-128, AES-192, AES-256). AES-256 is the most secure.

AES is a block cipher, meaning data is initially sectioned into blocks before encryption. In the case of AES-128, 128-bit blocks are used to split data into a 4x4 array containing 16 bytes. Each block, then, is 128 bits (8 bits per byte), which yields an equal 128 bits of encrypted data.

AES is a substitution-permutation network (SPN), which is a series of operations linked together into two sets of “boxes" (S and P-boxes) that transform input bits into output bits.

While AES is not the only SPN, its exclusive use of “round" keys adds additional security. These keys are created when the initial key is expanded over several rounds of modification to increase the security of the encrypted data. The round key process makes it much more challenging to break the encryption because the possible key combinations exponentially increase throughout the process.

AES Encryption Process

The AES encryption process can be broken into several high-level steps.

  1. The first key is added to the block using an XOR (“exclusive") cipher.
  2. Each byte is substituted with another byte, based on a predetermined table.
  3. The 4x4 array shifts in a specific pattern. Bytes in row 2 move one space to the left, row 3 bytes move two spaces, and row 4 bytes move four spaces.
  4. The columns are mixed via a mathematical operation that combines the four bytes in each block.
  5. The round key is added to the block in the same way the initial key was introduced.
  6. This process is repeated for each round.

As the data moves through these phases, the relationship between the original and encrypted content becomes increasingly obscured. The result is a highly complex encryption output that differs vastly from the initial plaintext.

For AES decryption, this process is carried out in reverse.

AES is unbreakable when it is properly implemented. In fact, in order to complete a successful brute force attack on a 256-bit cipher, it would take an almost unthinkable number of operations. Even the most powerful supercomputer in the world would need quadrillions of years just to break a 128-bit AES key.

AES is most effective when it is securing stored data. The nature of symmetric encryption means that it can encrypt and decrypt data much quicker than an asymmetric process can. This is especially helpful for bulk encryption tasks involving large quantities of data.

AES Encryption Precautions

Since the same key is used for both encryption and decryption, sharing the key securely is a vital step in any data transfer or data sharing transaction. AES-encrypted data is only as secure as its key. When keys are not stored securely, data is left vulnerable.

Password managers can help mitigate issues unintentionally created by employees. It is therefore vital that networks are secured with robust antivirus protection and safeguards like two-way firewalls. These networks must also be managed by capable SecOps professionals.