The AES-256 bit encryption algorithm is currently the most widely used encryption mechanism, almost everyone is using it. That is for the extremely high difficulty of cracking it. In fact it’s near impossible to crack as a supercomputer would require billions of years to cover all possible outcomes. Major security agencies deploy AES-256 encryption in their operations including the US Army, NSA, and CIA.
Encryption is perhaps the most vital aspect for businesses and individuals who deal with sensitive or proprietary information. The national vulnerabilities database (NVD) has recorded over 11,000 weaknesses in systems and software up until 2019. While some vulnerabilities are quickly patched. The issue is, according to NVD, 40% of vulnerabilities already had patches but they were not applied.
It is essential for businesses and individuals to encrypt their payment information and sensitive data. Even then, there is no guarantee that you won’t be attacked. However, you certainly don’t want to make yourself an easy target.
There are commercial products that utilize the AES-256 encryption algorithm. Most notably NordVPN, secure your data with NordVPN or learn more about the leading VPN provider in my full review here.
Encryption types
An encryption algorithm can either be symmetric or asymmetric, and the difference between the two is easy to understand.
Symmetric encryption: Uses 1 key to encrypt a message at the sender’s side, and the same key to decrypt a message on the receiver’s side.
Asymmetric encryption: On the other hand uses 1 public key to encrypt messages. While deploying a secret key (known only to the intended recipient) to decrypt messages.
An encryption technique can rely on either one of these algorithms, or a combination of both. In fact most companies Use both symmetric and asymmetric encryption to protect sensitive data.
The road to AES-256
Initially we didn’t start off with AES-256 bit encryption, there was an evolution process and a learning curve. The following timeline demonstrates the path through which we arrived at the AES-256 bit encryption algorithm.
- 1970: The US government creates the Data Encryption Standard (DES) as a means to encrypt sensitive government data.
- 1997: The National Institute of Standards and Technology (NIST) conducted a public competition to find the best DES replacement.
- 1999: The Electronic Frontier Foundation broke the DES encryption algorithm with their software in less than a day.
- 2001: NIST announced AES-256 as the winner of the competition to overtake DES.
- 2002: The NSA approves the AES-256 encryption algorithm.
- 2020: AES-256 has replaced DES entirely as the superior encryption algorithm.
How does AES-256 work?
AES-256 is a symmetric encryption algorithm that excels in both speed and security. Contrary to asymmetric algorithms, there is less need for computational resources because symmetric algorithms use only one key to encrypt and decrypt. It is more secure than it’s predecessors since it uses 256 bit blocks of cipher. In other words if you have 256 bits of text, that will result in 256 bits of cipher. The possibilities in which you can decode the cipher are enormous, which is specifically why the algorithm works.
AES-256 goes through multiple substitution and replacement phases known as rounds. Exactly 14 rounds in which the plain text is transformed into an encrypted message, with every round AES-256 deploys the following manipulation methods:
- Byte Substitution
- Shift Rows
- Mix Column
- Add Round Key
Byte substitution
This is a byte-by-byte substitution using the same rule throughout the encryption rounds. The substitution rule is inverted for the decryption chain, but also used for all the rounds.
16 Bytes are substituted byte by byte according to recalculated values in a non-linear fashion, resulting in an entirely different Byte arrangement. However the actual data encoded in the Bytes does not change.
The arrangement is calculated by assigning a different value for each character in a separate table and then matching the two tables based on the new values.
Shift rows
The rows of the matrix are shifted according to the following rules:
- First row is not shifted
- Second row is shifted one (byte) position to the left
- Third row is shifted two positions to the left
- Fourth row is shifted three positions to the left
Mix column
Columns are mixed to further spread the data resulting in a new table.
Add round key
The resulting table from the previous mixed columns is combined with the first round key to make a new table.
This finishes up round one. However, when using AES-256 this process is repeated 14 times.
AES-256 vs Brute force attacks
Brute force attacks is when an intruder attempts to decrypt a message without having the decryption key. The attacker tries several million possibilities until finding the combination that decrypts the message. However, the more complex the encryption algorithm is, the longer it would take to crack via a brute force attack. The AES-256 bit algorithm would take a supercomputer billions of years to go through all the possibilities.
Above all strong encryption and complex password are an excellent brute force attack deterrent.
Free AES-256 encryption and decryption tool
There are many online services that offer AES-256 encryption for free. In the example below I’m using an excellent tool from aesencryption.net
All you need to do to encrypt a message is follow a few simple steps:
- Go to the encryption tool webpage.
- Type your message in the input box.
- Select any encryption key you want.
- Select 256-bit from the dropdown menu.
- Click the encrypt button.
As for decrypting the message:
- Paste encrypted code in input box.
- Input the encryption key.
- Select 256-bit.
- Click on the decrypt button.
Combine AES-256 with additional encryption methods
While AES-256 is quite secure in itself, you can be combine it with other security features for additional protection. Specifically Hash functions, Digital Certificates, VPN protocols, SSL Certificates, and the HTTPS protocol complement your encryption by adding authenticity to the message and identity of the sender.
Hashing algorithms
A Hashing algorithm is used to confirm that data was not altered along the way or during encryption. It is a one way function that converts the message into a smaller standardized set called a hash value or digest, thus acting as a unique signature which the recipient can validate. A Hashing algorithm is added on top of encryption to ensure the authenticity of the data transferred.
Digital certificates
A digital certificate can be used to confirm the source and intended target of a message. A third party certificate authority will issue a digital certificate in your name upon request, then you can use that certificate to validate your identity online.
Your digital certificate would include the following information:
- Name
- Certificate authority’s name
- Unique certificate serial number
- Expiry date
- Unique private key
- Certificate authority’s digital signature
VPN protocols
A VPN protocol consists of a set of rules and features designed to provide a secure and encrypted tunnel through which it directs traffic. These are the 5 most commonly protocols across all platforms:
- PPTP: The Point-to-Point Tunneling Protocol (PPTP) was the very first VPN protocol created. It was developed by Microsoft around 1995, and consequently integrated into the Windows 95 operating system. Although It was designed specifically for dial-up connections, It is still used today in some applications. However, It lacks some of the important security and encryption features that modern protocols have. Yet that lack of extra security features gives it the capacity to deliver higher connection speeds. Therefore if you are not looking for high grade encryption, PPTP is a good protocol choice.
- L2TP/IPSec: Came out as the PPTP replacement. Although it does not come with any encryption by default, it is usually combined with the IPSec security protocol. Once paired together, L2TP/IPSec becomes very secure. In fact there are no known vulnerabilities in the protocol to this date.
- OpenVPN: Has grown in popularity as an open source protocol. OpenVPN uses AES-256 bit encryption with 2048-bit RSA authentication and a 160-bit SHA1 hash algorithm. In simple terms, OpenVPN is a security fortress, thus virtually unbreakable.
- SSTP: The Secure Socket Tunneling Protocol (SSTP) uses 2048-bit SSL/TLS certificates for authentication and 256-bit SSL keys for encryption. However, it’s popularity is due to it’s full integration with all Microsoft products since Windows Vista in 2006.
- IKEv2: The Internet Key Exchange version 2 (IKEv2) is similar to the L2TP protocol in that it is also combined with the IPSec security protocol. IPSec provides encryption and authentication while IKEv2 excels in re-establishing and switching between connections. Which is an advantage for mobile users as they regularly switch between WiFi and mobile data.
SSL certificates & HTTPS
A Secure Socket Layer (SSL) certificate creates and binds an encrypted key to domains on a webserver, thus providing a secure connection between the client browser and the webserver. Additionally, it activates the HTTPS protocol. As a rule of thumb, you should avoid websites that do not have an SSL certificate and consequently are not HTTPS capable.
Final words on AES-256 and future developments in encryption
Although now considered old technology, AES-256 is still the most secure encryption algorithm available for public use today. However, that does not mean that it will continue to be our best option for encryption.
There are many challenges facing AES-256 going forward. Specifically the advancements happening in the Quantum computing world. Which could render AES-256 and all other mathematically rooted encryption algorithms completely obsolete.
The future is Quantum
The University of Missouri-St. Louis describes Quantum computers as follows:
A quantum computer is a machine that performs calculations based on the laws of quantum mechanics, which is the behavior of particles at the sub-atomic level.
The Turing machine, developed by Alan Turing in the 1930s, is a theoretical device that consists of tape of unlimited length that is divided into little squares. Well in a quantum Turing machine, the difference is that the tape exists in a quantum state, as does the read-write head.
What this means is that the symbols on the tape can be either 0 or 1 or a superposition of 0 and 1. In other words the symbols are both 0 and 1 at the same time. While a normal Turing machine can only perform one calculation at a time, a Quantum Turing machine can perform many calculations at once.
Today’s computers, like a Turing machine, work by manipulating bits that exist in one of two states: a 0 or a 1. On the other hand Quantum computers aren’t limited to two states; they encode information as quantum bits, or qubits, which can exist in superposition.
Qubits represent atoms, ions, photons or electrons and their respective control devices that are working together to act as a computer memory and a processor. Since a quantum computer can contain these multiple states simultaneously, it has the potential to be millions of times more powerful than todays most powerful supercomputers.
University of Missouri-St. Louis Information Theory Projects
The superposition of qubits is what gives Quantum computers their inherent parallelism. According to physicists, this parallelism allows a quantum computer to work on a million computations at once, while your desktop pc works on one.
Quantum encryption
Algorithms based on computational complexity have no chance of surviving a Quantum computing future. Although it is a challenge moving forward, encryption algorithms can utilize Quantum computing techniques and Quantum physics rules to develop a strong encryption algorithm. One that holds up against the might Quantum processor.
