Passportal Blog

Understanding AES 256 Encryption

[SECURITY | 7 MIN READ]  Encryption is fundamental to contemporary internet security. An encryption system scrambles sensitive data using mathematical calculations to turn data into code. The original data can only be revealed with the correct key, allowing it to remain secure from everyone but the authorized parties.

1907_AES 256 Encryption_720x356_v1_DH

Organizations of all sizes across all industries rely on encryption to protect their data. Passwords, personal identification information, and private messages all need to be hidden from nefarious parties. But the strongest encryption requirements come not from companies, but from the U.S. government. Whenever national security is involved, strong measures must be taken to ensure data is saved and transmitted in an uncrackable format. How can federal agencies like the National Security Agency (NSA) protect their top secret information?

This is where the Advanced Encryption Standard (AES) comes in. Originally adopted by the federal government, AES encryption has become the industry standard for data security. AES comes in 128-bit, 192-bit, and 256-bit implementations, with AES 256 being the most secure. In this article, we’ll explain how AES 256 encryption works and how it can be used to protect your data. 

What Is AES 256-Bit Encryption?

AES was developed in response to the needs of the U.S. government. In 1977, federal agencies relied on the Data Encryption Standard (DES) as their encryption algorithm. DES was created by IBM with a 56-bit symmetric-key block cipher design and was used successfully for close to 20 years. By the 1990s, it was clear that DES was no longer sufficiently secure. In one public demonstration, distributed.net and the Electronic Frontier Foundation showed that they could break a DES key in only 22 hours. Per Moore’s Law, increased computing power meant that a 56-bit system was woefully inadequate against brute force attacks. A more sophisticated encryption standard was urgently needed.  

In response, the government announced a public competition to find a replacement system. Over five years, 15 initial entries were narrowed down to five finalists before a final winner was chosen. The tech security community lauded the open nature of the process, which subjected each of the encryption algorithms to public security. By doing so, the government could be sure that no system had a backdoor, and the chances of identifying and fixing flaws were maximized. 

In the end, the Rijndael cipher emerged victorious. A symmetric-key block cipher similar to DES but much more sophisticated, Rijndael was developed by—and named after—two Belgian cryptographers, Vincent Rijmen and Joan Daemen. In 2002, it was renamed the Advanced Encryption Standard and published by the U.S. National Institute of Standards and Technology.

The AES algorithm was approved by the NSA for handling top secret information soon after, and the rest of the technology world took notice. AES has since become the industry standard for encryption. Its open nature means AES software can be used for both public and private, commercial and noncommercial implementations. 

Today AES is a trusted system with widespread adoption. AES libraries have been developed for programming languages including C, C++, Java, Javascript, and Python. AES is used by file compression programs including 7 Zip, WinZip, and RAR; disk encryption systems like BitLocker and FileVault; and file systems like NTFS. It’s an important tool in database encryption as well as in VPN systems like IPsec and SSL/TLS. Password managers like LastPass, KeePass, and 1Password use AES, as do messaging programs like WhatsApp and Facebook Messenger. An AES instruction set is integrated into all Intel and AMD processors. Even video games like Grand Theft Auto IV use AES to guard against hackers. 

How does AES 256 work?

AES is a symmetric key cipher. This means the same secret key is used for both encryption and decryption, and both the sender and receiver of the data need a copy of the key. By contrast, asymmetric key systems use a different key for each of the two processes. Asymmetric keys are best for external file transfers, whereas symmetric keys are better suited to internal encryption. The advantage of symmetric systems like AES is their speed. Because a symmetric key algorithm requires less computational power than an asymmetric one, it’s faster and more efficient to run. 

AES is also characterized as a block cipher. In this type of cipher, the information to be encrypted (known as plaintext) is divided into sections called blocks. AES uses a 128-bit block size, in which data is divided into a four-by-four array containing 16 bytes. Since there are eight bits per byte, the total in each block is 128 bits. The size of the encrypted data remains the same: 128 bits of plaintext yields 128 bits of ciphertext. 

How does AES work? The basic principle of all encryption is that each unit of data is replaced by a different one according to the security key. More specifically, AES was designed as a substitution-permutation network. AES brings additional security because it uses a key expansion process in which the initial key is used to come up with a series of new keys called round keys. These round keys are generated over multiple rounds of modification, each of which makes it harder to break the encryption. 

First, the initial key is added to the block using an XOR (“exclusive or”) cipher, which is an operation built into processor hardware. Then each byte of data is substituted with another, following a predetermined table. Next, the rows of the 4x4 array are shifted: bytes in the second row are moved one space to the left, bytes in the third row are moved two spaces, and bytes in the fourth are moved three. The columns are then mixed—a mathematical operation combines the four bytes in each column. Finally, the round key is added to the block (much like the initial key was), and the process is repeated for each round. This yields ciphertext that is radically different from the plaintext. For AES decryption, the same process is carried out in reverse. 

Each stage of the AES encryption algorithm serves an important function. Using a different key for each round provides a much more complex result. Byte substitution modifies the data in a nonlinear manner, obscuring the relationship between the original and encrypted content. Shifting the rows and mixing the columns diffuses the data, transposing bytes to further complicate the encryption. Shifting diffuses the data horizontally, while mixing does so vertically. The result is a tremendously sophisticated form of encryption. 

How secure is AES 256 encryption?

The National Institute of Standards and Technology selected three “flavors” of AES: 128-bit, 192-bit, and 256-bit. Each type uses 128-bit blocks. The difference lies in the length of the key. As the longest, the 256-bit key provides the strongest level of encryption. With a 256-bit key, a hacker would need to try 2256 different combinations to ensure the right one is included. This number is astronomically large, landing at 78 digits total. It is exponentially greater than the number of atoms in the observable universe. Understandably, the US government requires 128- or 256-bit encryption for sensitive data. 

The three AES varieties are also distinguished by the number of rounds of encryption. AES 128 uses 10 rounds, AES 192 uses 12 rounds, and AES 256 uses 14 rounds. The more rounds, the more complex the encryption, making AES 256 the most secure AES implementation. It should be noted that with a longer key and more rounds comes higher performance requirements. AES 256 uses 40% more system resources than AES 192, and is therefore best suited to high sensitivity environments where security is more important than speed. 

Is AES 256 crackable?

AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. Hackers would be foolish to even attempt this type of attack. 

Nevertheless, no encryption system is entirely secure. Researchers who have probed AES have found a few potential ways in. In 2009, they discovered a possible related-key attack. This type of cryptanalysis attempts to crack a cipher by observing how it operates using different keys. Fortunately, the related-key attack is only a threat to AES systems that are incorrectly configured. 

That same year, there was a known-key distinguishing attack against AES 128. The attack used a known-key to discern the structure of the encryption. However, the hack only targeted an eight-round version of AES 128—not the standard 10-round version—so it would not be a major threat.

Since the AES cipher itself is so secure, the main risk comes from side-channel attacks. These don’t attempt a brute-force assault, but rather try to pick up information the system is leaking. Hackers can listen in to sounds, electromagnetic signals, timing information, or power consumption to try to discover how the security algorithms work. Side-channel attacks can be prevented by removing information leaks or masking the leaked data (by generating extra electromagnetic signals or sounds) so it doesn’t yield any useful information. A careful implementation of AES will guard against these side-channel risks. 

Of course, even the strongest cryptographic systems are vulnerable if a hacker gains access to the key itself. That’s why utilizing strong passwords, multifactor authentication, firewalls, and antivirus software is critical to the larger security picture. It’s also essential to educate employees against social engineering and phishing attacks. Properly trained users are the first line of defense. 

Besides its advanced technology, the open nature of AES 256 makes it one of the most secure encryption protocols. Researchers are constantly studying AES to uncover any potential vulnerabilities. Whenever one is discovered, users can take action to address the issue. 

SolarWinds Passportal can help you manage risk, shorten incident resolution times, meet compliance for credential creation, usage, and storage. To find out more click here.

Originally published on the SolarWinds MSP blog.
29 July, 2019


SolarWinds adds Passportal suite to its MSP product portfolio. MSP security, simplified. Passportal's Ocular™ + docs is a SOC 2 certified, RAPID 7 tested, award winning platform.

 Audited Tested Awarded-01

Grow your business faster with the world's first unified platform for true password management and secure IT documentation. More than 2,000 best-in-class MSPs around the world are leveraging our security, automation, and rapid access client knowledge to out preform the competition.Passportal-SolarWinds_1200x190

SCHEDULE A DEMO

Topics: Passportal Insights MSP Wisdom Cybersecurity Tips