AES, or Advanced Encryption Standards, is a cryptographic cipher that is responsible for a large amount of the information security that you enjoy on a daily basis.
Applied by everyone from the NSA to Microsoft to Apple, AES is one of the most important cryptographic algorithms being used in 2107.
What exactly is AES? How does it work? And can “non-techie” people like you and me apply it to be more secure in our daily lives?
That’s exactly what we will be discussing in this guide.
- What is AES
- AES vs. DES (Background story)
- Common uses of AES
- What is AES Cipher
- Symmetric vs. Asymmetric Ciphers
- Cyber Attacks Related to AES
What is AES?
AES or Advanced Encryption Standards (also known as Rijndael) is one of the most widely used methods for encrypting and decrypting sensitive information in 2017.
This encryption method uses what is known as a block cipher algorithm (which I will explain later) to ensure that data can be stored securely.
And while I will dive into the technical nuances and plenty of fun cryptography jargon in a moment, in order to fully appreciate AES we must first backtrack for a brief history lesson.
AES vs. DES (Background story)
Before diving into AES in all of its encrypted glory, I want to discuss how AES achieved standardization and briefly talk about its predecessor DES or Data Encryption Standards.
Basing their development on a prototype algorithm designed by Horst Feistel, IBM developed the initial DES algorithm in the early 1970’s.
The encryption was then submitted to the National Bureau of Standards who, in a later collaboration with the NSA, modified the original algorithm and later published it as a Federal Information Processing Standard in 1977.
DES became the standard algorithm used by the United States government for over two decades, until, in January of 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in under 24 hours.
They successfully concluded their efforts after only 22 hours and 15 minutes, bringing the algorithms weakness into the spotlight for all to see.
However, the powers at be were aware of the algorithms flaws and were already conducting a rigorous standardization process to find a more suitable algorithm for purposes of national security.
Over 5-years, the National Institute of Standards and Technology stringently evaluated cipher designs from 15 competing parties including, MARS from IBM, RC6 from RSA Security, Serpent, Twofish, and Rijndael, among many others.
Their decision was not made lightly, and throughout the 5-year process the entire cryptographic community banded together to execute detailed tests, discussions, and mock attacks in order to find potential weaknesses and vulnerabilities that could compromise each cipher’s security.
While the strength of the competing cipher’s was obviously of paramount importance, it was not the only factor assessed by the various panels. Speed, versatility, and computational requirements were also reviewed as the government needed an encryption that was easy to implement, reliable, and fast.
And while there were many other algorithms that performed admirably (in fact many of them are still widely used today), the Rijndael cipher ultimately took home the trophy and was declared a federal standard.
Upon its victory, the Rijndael cipher, designed by two Belgian cryptographers (Joan Daemen and Vincent Rijmen) was renamed Advanced Encryption Standard.
But this cipher’s success didn’t end with its standardization.
In fact, after the standardization of AES, the cipher continued to rise through the ranks, and in 2003 it was deemed suitable by the NSA for guarding Top Secret Information.
So why exactly am I telling you all of this?
Well, in recent years, AES has been the subject of much controversy as many cryptographers and hackers questions its suitability for continued use. And while I am not posing as an industry expert, I want you to understand the process required to develop the algorithm and the tremendous amount of confidence that even the most secretive agencies place in the Rijndael cipher.
Common Uses of AES in 2017
Before I dive into some of the more technical details about how AES works, let’s first discuss how it’s being used in 2017.
It should be noted that AES is free for any public, private, commercial, or non-commercial use. (Although you should proceed with caution when implementing AES in software since the algorithm was designed on a big-endian system and the majority of personal computers run on little-endian systems.)
Archive and Compression Tools
If any of you have ever downloaded a file off the internet and then gone to open that file only to notice that the file was compressed, (meaning that the original file size was reduced to minimize its affect on your hard drive) then you have likely installed software that relies on an AES encryption.
If you’re already familiar with the concept of cryptography and have taken extra measures to ensure the security of your personal data, the disk/partition encryption software that you use likely uses an AES algorithm.
BitLocker, FileVault, and CipherShed are all encryption softwares that run on AES to keep your information private.
The AES algorithm is also commonly applied to VPNs, or Virtual Private Networks.
For those of you who are unfamiliar with the term, a VPN is a tool that allows you to use a public internet connection in order to connect to a more secure network.
VPNs work by creating a “tunnel” between your public network connection and an encrypted network on a server operated by the VPN provider.
For example, if you regularly do work from your local coffee shop, you are probably aware that the public connection is incredibly insecure and leaves you vulnerable to all types of hacking.
With a VPN, you can easily solve this problem by connecting to a private network that will mask your online activities and keep your data secure.
Or, let’s say that you are travelling to a country with stringent censorship laws and you notice that all of your favorite sites are restricted.
Once again, with a simple VPN setup, you can quickly regain access to these websites by connecting to a private network in your home country.
It should be noted, however, that not all VPNs are created equally.
While the best VPNs (like ExpressVPN, PIA, and Buffered) rely on an AES-256 encryption, there are a number of outdated services that still rely on PPTP and Blowfish (a long since obsolete 64-bit encryption), so be sure to do your research before selecting a provider.
Other Mainstream Applications
In addition to the above applications, AES is used in a plethora of different softwares and applications with which you are undoubtedly familiar.
Have you ever played Grand Theft Auto? Well, the folks over at Rockstar developed a game engine that uses AES in order to prevent multiplayer hacking.
Oh, and let’s not forget, any of you who like to send messages over WhatsApp or Facebook Messenger… You guessed it! AES in action.
Hopefully, you are now beginning to realize just how integral AES in running the entire framework of modern society.
And now that you understand what it is and how it’s used, it’s time to get into the fun stuff. How this bad boy works.
The AES Cipher
The AES cipher is part of a family known as block ciphers, which are algorithms that encrypt data on a per-block basis.
These “blocks” which are measured in bits determine the input of plaintext and output of ciphertext. So for example, since AES is 128 bits long, for every 128 bits of plaintext, 128 bits of ciphertext are produced.
Like nearly all encryption algorithms, AES relies on the use of keys during the encryption and decryption process. Since the AES algorithm is symmetric, the same key is used for both encryption and decryption (I will talk more about what this means in a moment).
AES operates on what is known as a 4 x 4 column major order matrix of bytes. If that seems like too much of a mouthful to you, the cryptography community agrees and termed this process the state.
The key size used for this cipher specifies the number of repetitions or “rounds” required to put the plaintext through the cipher and convert it into ciphertext.
Here’s how the cycles break down.
- 10 rounds are required for a 128-bit key
- 12 Rounds are required for a 192-bit key
- 14 Rounds are required for a 256-bit key
While longer keys provide the users with stronger encryptions, the strength comes at the cost of performance, meaning that they will take longer to encrypt.
Conversely, while the shorter keys aren’t as strong as the longer ones, they provide much faster encryption times for the user.
Aren’t Symmetric Ciphers Easier to Break than Asymmetric?
Now before we move on, I want to briefly touch on a topic that has sparked a significant amount of controversy within the cryptographic community.
As I noted earlier, AES relies on a symmetric algorithm, meaning that they key used to encrypt information is the same one used to decrypt it. When compared to an asymmetric algorithm, which relies on a private key for decryption and a separate public key for file encryption, symmetric algorithms are often said to be less secure.
And while it is true that asymmetric encryptions do have an added layer of security because they do not require the distribution of your private key, this does not necessarily mean that they are better in every scenario.
Symmetric algorithms do not require the same computational power as asymmetric keys, making them significantly faster than their counterparts.
However, where symmetric keys fall short is within the realm of file transferring. Because they rely on the same key for encryption and decryption, symmetric algorithms require you to find a secure method of transferring the key to the desired recipient.
With asymmetric algorithms, you can safely distribute your public key to anyone and everyone without worry, because only your private key can decrypt encrypted files.
So while asymmetric algorithms are certainly better for file transfers, I wanted to point out that AES is not necessarily less secure because it relies on symmetric cryptography, it is simply limited in its application.
Attacks and Security Breaches Related to AES
AES has yet to be broken in the same way that DES was back in 1999, and the largest successful brute-force attack against any block cipher was only against a 64-bit encryption (at least to public knowledge).
The majority of cryptographers agree that, with current hardware, successfully attacking the AES algorithm, even on a 128-bit key would take billions of years and is, therefore, highly improbable.
At the present moment, there isn’t a single known method that would allow someone to attack and decrypt data encrypted by AES so long as the algorithm was properly implemented.
However, many of the documents leaked by Edward Snowden show that the NSA is researching whether or not something known as the tau statistic could be used to break AES.
Side Channel Attacks
Despite all of the evidence pointing to the impracticality of an AES attack with current hardware, this doesn’t mean that AES is completely secure.
Side channel attacks, which are an attack based on information gained from the physical implementation of a cryptosystem, can still be exploited to attack a system encrypted with AES. These attacks are not based on weaknesses in the algorithm, but rather physical indications of a potential weakness that can be exploited to breach the system.
Here are a few common examples.
- Timing Attack: These attacks are based on attackers measuring how much time various computations need to perform.
- Power-monitoring Attack: These attacks rely on the variability of power consumption by hardware during computation
- Electromagnetic Attacks: These attacks, which are based on leaked electromagnetic radiation, can directly provide attackers with plaintext and other information. This information can be used to surmise the cryptographic keys by using methods similar to those used by the NSA with TEMPEST.
The Anthem Hacking: How AES Could Have Saved 80 Million People’s Personal Data
During February of 2015, the database for the Anthem insurance company was hacked, compromising the personal data of over 80 million Americans.
The personal data in question included everything from the names, addresses, and social security numbers of the victims.
And while the CEO of Anthem reassured the public by stating the credit card information of their clients was not compromised, any hacker worth his salt can easily commit financial fraud with the stolen information.
While the company’s spokesperson claimed that the attack was unpreventable and that they had taken every measure to ensure the security of their client’s information, nearly every major data security company in the world disputed this claim, pointing out that the breach was, in fact, completely preventable.
While Anthem encrypted data in transit, they did not encrypt that same data while it was at rest. Meaning that their entire database.
So even though the attack itself might have been unpreventable, by applying a simple AES encryption to the data at rest, Anthem could have prevented the hackers from viewing their customer’s data.
With the increasing prevalence of cyber-attacks and the growing concerns surrounding information security, it is more important now than ever before to have a strong understanding of the systems that keep you and your personal information safe.
And hopefully, this guide has helped you gain a general understanding of one of the most important security algorithms currently in use today.
AES is here to stay and understanding not only how it works, but how you can make it work for you will help you to maximize your digital security and mitigate your vulnerability to online attacks.
If you really want to dig into AES, I consider watching the video below by Christof Paar (it goes in-depth and it’s interesting, too):
If you have any further questions about AES or any insights that you have gained from cryptography-related research, please feel free to comment below and I will do my best to get back to you.