When national security is involved, strong encryption measures are taken to protect data. The Advanced Encryption Standard (AES), originally adopted by the U.S. federal government, has evolved to become an industry standard for securing data and needs to be part of every organization’s integrated risk management strategy. AES comes in 128-bit, 192-bit, and 256-bit implementations, with the 256-bit implementation being the most secure. This glossary page explains what AES-256 encryption entails, how it works, and how secure it is.
What Is AES-256 Encryption?
The Advanced Encryption Standard (AES) is a symmetric block cipher that the U.S. government selects to protect classified data. AES-256 encryption uses the 256-bit key length to encrypt as well as decrypt a block of messages. There are 14 rounds of 256-bit keys, with each round consisting of processing steps that entail substitution, transposition, and mixing plaintext to transform it into ciphertext.
The National Institute of Standards & Technology (NIST) started to develop AES in 1997 when the need arose to create an alternative standard to the Data Encryption Standard (DES). DES had started to become vulnerable to brute-force attacks.
The AES encryption standard was approved by the National Security Agency (NSA) to protect both secret and top-secret government information. It has since become an industry standard for encrypting information. It is an open standard, which means it can be used for public, private, commercial, and non-commercial implementations.
What Are the Encryption Features of AES?
AES consists of several main features:
Substitution-permutation (SP) Network
AES-256 encryption is based on a substitution-permutation network, also known as an SP network. The encryption works on an SP network structure rather than a Feistel cipher structure that uses the same basic algorithm for both encryption and decryption.
The algorithm takes a single key up during the first stage. This is later expanded to multiple keys used in each round.
The AES encryption algorithm operates on byte data instead of bit data. This means that it treats the 128-bit block size as 16 bytes during the encryption process.
The number of rounds of encryption to be carried out depends on the key length being used to encrypt data. The 256-bit key size has 14 rounds.
How Does AES-256 Encryption Work?
Since AES is a symmetric key cipher, it uses the same secret key for both encryption and decryption. This means that both the sender and receiver of the data in question need a copy of the secret key. Symmetric keys are better suited for internal transfers, unlike asymmetric keys, which are best for external transfers. Symmetric key ciphers, such as AES, are faster and more efficient to run since they require less computational power than asymmetric key algorithms.
Additionally, AES uses block ciphers, where the plaintext is divided into sections called blocks. AES uses a 128-bit block size, whereby data is divided into 4-by-4 arrays that contain 16 bytes. Each byte contains 8 bits, with the total bits in every block being 128. In AES, the size of encrypted data remains the same. This means that 128 bits of plaintext yield 128 bits of ciphertext.
In all encryption, each unit of data is replaced by a different unit according to the security key used. AES is a substitution-permutation network that uses a key expansion process where the initial key is used to come up with new keys called round keys. The round keys are generated over multiple rounds of modification. Each round makes it harder to break the encryption. The AES-256 encryption uses 14 such rounds.
AES works by having the initial key added to a block using an exclusive or (XOR) cipher. This is an operation that is built into processor hardware. In the block, each byte of data is substituted with another, following a predetermined table. The rows of the 4-by-4 array are shifted, with the bytes in the second row being moved one space to the left. Bytes in the third row are moved two spaces, and the ones in the fourth row moved three spaces. The columns are then mixed, combining the four bytes in each column, and the round key is added to the block. The process is repeated for each round, yielding a ciphertext that is completely different from the plaintext.
This encryption algorithm features the following advantages:
- Using a different key for every round yields a much more complex result
- Byte substitution modifies the data in a nonlinear way, thus hiding the relationship between plaintext and ciphertext.
- Shifting rows and mixing columns diffuses data, thus transposing bytes. This further complicates the encryption.
The result of these processes is secure data exchange. The same process is repeated in reverse for the decryption process.
AES-256 Decryption Process
AES ciphertexts can be restored to the initial state by the help of inverse encryption. As we have seen above, the AES uses symmetric encryption, meaning that the secret key used for encryption is the same one used for decryption.
In the case of AES-256 decryption, the process begins with the inverse round key. The algorithm then reverses every action, namely: shifting rows, byte substitution, and column mixing, until it deciphers the original message.
Is AES-256 Encryption Impenetrable?
AES-256 encryption is virtually uncrackable using any brute-force method. It would take millions of years to break it using the current computing technology and capabilities.
However, no encryption standard or system is completely secure. In 2009, a cryptanalysis discovered a possible related-key attack. In such an attack, attackers try to crack a cipher by observing how it operates by using different keys. Luckily, experts have since concluded that such a threat can only happen in AES systems that are not configured correctly.
Since it is almost impossible to crack the AES cipher using a brute-force method, the main risk to this standard is side-channel attacks. In these attacks, attackers try to pick up information leaking from a system to discover how the encryption algorithms work. However, this can only happen in non-secure systems. A sound AES-256 implementation safeguards a system from side-channel attacks.
Much as the AES-256 standard is very secure, a vulnerable system can lead to an attacker gaining the secret key itself. A zero-trust security approach ensures that organizations trust and verify digital communications that exchange data. Further, organizations must take a defense-in-depth approach to security that employs multi-factor authentication, hardened infrastructure, and proactive and integrated incident response. Incoming sensitive content communications must be verified using data loss prevention, antivirus, and anti-malware capabilities, while outbound sensitive content communications should also leverage data loss prevention. These capabilities should be involved in any cyber risk management approach.
The open nature of the AES-256 standard makes it one of the most secure encryption standards. Cybersecurity experts are on the constant lookout for potential vulnerabilities, and when a vulnerability is discovered, users are notified and action is taken to address the issue.
Examples of Where AES-256 Encryption Is Currently Being Used
Following are some of the use cases for AES-256 encryption:
- U.S. government entities such as the NSA, the military, and many other entities use AES encryption for secure communication and storage of data.
- Many devices, applications, and networks today use AES-256 encryption to protect data at rest and in transit. Many SSDs employ AES encryption algorithms.
- All data stored in the Google Cloud is encrypted using the AES-256 standard by default.
- AWS, Oracle, and IBM also use the AES-256 encryption standard.
- WhatsApp messages are encrypted using the AES-256 encryption standard.
AES-256 for Sensitive Content Communications
Organizations must protect and keep data private when it is at rest and in motion. Encryption must be employed in both instances. For data at rest, AES-256 encryption is often the best option, whereas transport layer security (TLS) encryption creates secure sockets layer (SSL) tunnels to protect private content. Private data that requires encryption includes personally identifiable information (PII), protected health information (PHI), financial records, and corporate strategic product, marketing, and sales plans.
Kiteworks encrypts each piece of content with a unique, strong key at the file level and with a different strong key at the disk-level volume. This ensures that each file is double encrypted. Further, file keys, volume keys, and other intermediate keys are encrypted when stored.
Kiteworks uses a passphrase entered by an administrator to generate a super key it uses in the encryption of all stored keys. Thus, when an administrator rotates the passphrase on a regular basis, as recommended, the process is quick and efficient because only the keys need to be re-encrypted and not all content.
Those wanting more detail about Kiteworks’ key encryption approach across different sensitive content communication channels—email, file sharing, managed file transfer, web forms, and application programming interfaces (APIs)—can schedule a custom demo tailored to their environment.
Get email updates with our latest blogs news