AES is a symmetric key encryption cipher, and it is generally regarded as the “gold standard” for encrypting data.
AES is NIST-certified and is used by the US government for protecting “secure” data, which has led to more general adoption of AES as the standard symmetric key cipher of choice by just about everyone.
An introduction to AES encryption
The same key used to encrypt the data is used to decrypt it. This does create a problem: how do you send the key in a secure way?
Asymmetric encryption systems solve this problem by securing data using a public key which is made available to everyone. It can only be decrypted by an intended recipient who holds the correct private key.
This makes asymmetric encryption much better at securing data in transit as the sender does not need to know the recipient’s private key. A good example is RSA encryption, which is used to secure the TLS key exchanges required when connecting to a secure HTTPS website.
Symmetric ciphers like AES are therefore much better at securing data while at rest – such as when it is stored on your hard drive. For this purpose, they are superior to asymmetric ciphers because:
- They require much less computational power. This makes encrypting and decrypting data with symmetric encryption much faster than with asymmetric encryption. For perspective, symmetric ciphers are generally quoted as being around “1000 times faster” than asymmetric ones.
- And because they are faster, symmetric ciphers are much more useful for bulk encrypting large amounts of data. Asymmetric ciphers such as RSA are only really used for encrypting small amounts of data, such as the keys used to secure symmetric key encryption.
Of course, in today’s connected world, data that just sits on your hard drive is of limited use. Fortunately, it can be safely transferred over the internet in conjunction with asymmetric encryption, which is used to handle the remote key exchanges required to securely connect to a remote server.
OpenVPN, for example, secures the raw data with a symmetric cipher – usually AES these days. In order to transfer the encrypted data securely between your PC and the VPN server, it uses an asymmetric TLS key exchange to negotiate a secure connection to the server.
Is AES encryption the best type of encryption?
AES is widely regarded as the most secure symmetric key encryption cipher yet invented. Other symmetric key ciphers that are considered to be highly secure also exist, such as Twofish, which was co-invented by renowned cryptographer Bruce Schneier.
Such ciphers have not been battle-tested in the way that AES has, though. And hey, if the US government thinks AES is the best cipher to protect its “secure” data, who’s arguing? There are some, however, who see this as a problem. Please see the section on NIST below.
Widespread adoption has benefited AES in other ways. Most CPU manufacturers have now integrated the AES instruction set into their processors. The hardware boost improves AES performance on many devices as well as improving their resistance to side-channel attacks.
Can 128-bit AES encryption be broken?
AES itself is unbreakable when implemented properly.
In 2011 the fastest supercomputer in the world was the Fujitsu K. Based on calculations, it would take Fujitsu K around one billion billion (one quintillion) years to crack a 128-bit AES key by force.
The most powerful supercomputer in the world in 2017 was the Sunway TaihuLight in China. This computer would still take some 885 quadrillion years to brute force a 128-bit AES key.
The number of operations required to brute force a 256-bit cipher is 3.31 x 10^56. This is roughly equal to the number of atoms in the universe!
Back in 2011, cryptography researchers identified a weakness in AES that allowed them to crack the algorithm four times faster than was possible previously, but as one of the researchers noted at the time:
“To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”
In response to this attack, an additional four rounds (see later) were added to the AES-128 encryption process to increase its safety margin.
AES Encryption Passwords
AES encryption is only as secure as its key. These keys are invariably themselves secured using passwords, and we all know how terrible we humans are at using secure passwords. Keyloggers introduced by viruses, social engineering attacks, and suchlike, can also be effective ways to compromise the passwords which secure AES keys.
Use of password managers greatly mitigates this problem, as does use of two-way firewalls, good antivirus software, and greater education about security issues.
What is DES encryption
The Data Encryption Standard (DES) was created in the mid-1970s to secure US government communications. It became the first modern, public, freely available encryption algorithm, and as such almost single-handedly created the modern discipline of cryptography.
Although developed by IBM, DES was the brainchild of the National Bureau of Standards (NBS, which later became NIST).
Despite concerns about meddling by the NSA, DES was adopted by the US government in 1976 for "sensitive but unclassified" traffic. This included things like personal, financial and logistical information.
Since there was nothing else like it at the time, it quickly became widely adopted by commercial companies who required encryption to secure their data. As such, DES (which used 56-bit keys) became the default workhorse encryption standard for almost two decades.
This almost ubiquitous adoption was greatly helped by DES being awarded Federal Information Processing Standards (FIPS) status. All US non-military government agencies and civilian government contractors are required to use FIPS standards only.
By the mid-1990s, however, DES was beginning to show its age. At this time it was widely believed that the NSA could brute-force crack DES, a point proved in 1998 when a $220,000 machine built by the Electronic Frontier Foundation (EFF) successfully brute-forced DES in just two days. It was clearly time for a new standard.
How AES came about
In 1997 the National Institute of Standards and Technology of the United States (NIST) announced that it was looking for a replacement for DES. In November 2001 it announced the winner: AES, formerly known as Rijndael after one of its co-creators.
On NIST’s recommendation, the new cipher was formally adopted by the US federal government and came into effective use in May 2002. Like DES before it, AES was awarded FIPS status. The US government considers all AES key sizes to be sufficient for classified information up to the "Secret" level, with "Top Secret" information requiring AES-192 or AES-256.
AES has now entirely replaced DES worldwide as the default workhorse symmetric encryption standard.
How does AES encryption work?
The AES encryption algorithm encrypts and decrypts data in blocks of 128 bits. It can do this using 128-bit, 192-bit, or 256-bit keys. AES using 128-bit keys is often referred to as AES-128, and so on.
The following diagram provides a simplified overview of the AES process…
Plaintext: This is the sensitive data that you wish to encrypt.
Secret key: This is a 128-bit, 192-bit, or 256-bit variable created by an algorithm.
The actual AES cipher then performs a series of mathematical transformations using the plaintext and the secret key as a starting point. In order, these are:
- Key expansion. This uses the original secret key to derive a series of new “round keys” using Rijndael’s key schedule algorithm.
- Mixing. Each round key is combined with the plaintext using the additive XOR algorithm.
- Rinse and repeat. The process is repeated a number of times, with each repeat known as a round. Each round is re-encrypted using one of the round keys generated during key expansion (step 1).
The number of rounds performed depends on the key length used. AES-128 uses ten rounds, AES-192 uses twelve rounds, and AES-256 uses fourteen rounds.
Each added round reduces the chance of a shortcut attack of the kind that was used to attack AES-128 back in 2011. As already noted, as a consequence of this attack an additional four rounds were added to AES-128 in order to improve its safety margins.
Ciphertext: This is the encrypted output from the cipher after it has passed through the specified number of rounds.
How to Decrypt AES encryption
Decrypting AES is simple – just reverse all the above steps, starting with the inverse round key. Of course, you need to have the original secret key in order to reverse the process using each inverse round key.
Does encrypting a file make it larger?
Yes. Usually. AES uses a fixed block size of 16 bytes. If a file is not a multiple of the block size, then AES uses padding to complete the block.
In theory, this does not necessarily mean an increase in the size of encrypted data (see ciphertext stealing), but simply adding data to pad out the block is usually much easier, which increases the amount of data which is encrypted.
Anecdotal evidence suggests that files larger than 1 MB encrypted with AES tend to be around 35% larger than before encryption.
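How much padding adds can be worked out directly. The following is an added example, not from the original article, and it assumes PKCS#7, a common padding scheme for block ciphers that the article does not name. It shows that padding contributes between 1 and 16 bytes, and that input already aligned to the block size still gains a full block so the padding can be removed unambiguously.

```python
BLOCK = 16  # AES block size in bytes

def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes of value n, where n brings the length to a multiple of 16."""
    n = BLOCK - len(data) % BLOCK      # 1..16, never 0: aligned input gains a block
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def padded_len(plaintext_len: int) -> int:
    """Size of the padded data that is fed to the cipher."""
    return (plaintext_len // BLOCK + 1) * BLOCK

def growth_percent(plaintext_len: int) -> float:
    """Growth caused by padding alone, as a percentage of the original size."""
    return 100 * (padded_len(plaintext_len) - plaintext_len) / plaintext_len

if __name__ == "__main__":
    # Constructed sample sizes: 1 byte, one block, a 1000-byte file, a 1 MiB file.
    for size in (1, 16, 1000, 1024 * 1024):
        print(size, padded_len(size), f"{growth_percent(size):.4f}%")
```

Padding alone therefore adds at most 16 bytes; any larger growth comes from whatever else the tool stores or how it encodes its output.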
How important are key sizes in AES encryption?
The crudest way to measure the strength of a cipher is by the size of its key. The larger the key the more possible combinations there are.
AES can be used with 128-bit, 192-bit, or 256-bit key sizes. The original Rijndael cipher was designed to accept additional key lengths, but these were not adopted into AES.
AES and OpenVPN
VPN users in particular, however, should be careful. Most VPN services use AES-256 to secure data transmitted by the OpenVPN protocol, but this is only one of the various mechanisms used by OpenVPN to keep data secure.
A TLS connection secures transfer of the encryption keys used by AES to secure data when using OpenVPN. So if the OpenVPN TLS (control channel) settings are weak, then the data can become compromised despite being encrypted using AES-256. Please see our Ultimate Guide to VPN Encryption for more details.
AES-CBC vs AES-GCM
Until recently the only AES cipher that you were likely to encounter in the VPN world was AES-CBC (Cipher Block Chaining). This refers to the block cipher mode, a complex subject that is not really worth going into here.
Although CBC may theoretically have some vulnerabilities, the consensus is that CBC is secure. CBC is, indeed, recommended in the OpenVPN manual.
OpenVPN now also supports AES-GCM (Galois/Counter Mode). GCM provides authentication, removing the need for an HMAC SHA hashing function. It is also slightly faster than CBC because it uses hardware acceleration (by threading to multiple processor cores).
AES-CBC remains the most common mode in general use, but AES-GCM is increasing in popularity. Given the advantages of GCM, this trend is only likely to continue. From a cryptographic perspective, though, both AES-CBC and AES-GCM are highly secure.
Image credit: xkcd.com/538.