What is AES encryption?

Since Roman times, encryption has been essential in keeping communications between parties private and secure. Today, it forms the backbone of online security, helping to keep purchases and banking safe from cyber criminals.

There are several forms of encryption that can be used to secure data, whether it's messages sent over the open web through email, secure chats, or messaging apps like WhatsApp, or data stored in the cloud, in an on-premise data centre, on a device, or on a removable drive. However, most of these use one of five types of algorithm:

  • RSA – a public key algorithm used in protocols such as PGP, SSL/TLS, and SSH
  • Data Encryption Standard (DES) – a protocol originally created for the US government and once thought of as unbreakable. Modern computing power now means it can be compromised and so isn't appropriate for the most sensitive data
  • TripleDES – a more secure and up-to-date version of DES that was also developed by the US government but has the drawback of being quite slow
  • Twofish – developed in response to a National Institute of Standards and Technology (NIST) call for a new, more secure encryption standard at the turn of the millennium. While it's thought of as very fast and secure, it lost out in NIST's Advanced Encryption Standard competition to the final algorithm on our list
  • Advanced Encryption Standard (AES) – originally known as Rijndael, a combination of the names of the Belgian developers who created it

How and why was AES developed?

Between the years 1977 and 1999, the principal encryption method used was DES. First developed by IBM and widely used by the US government, the 56-bit DES algorithm was considered to be uncrackable – that was until advancements in computer technology in the late 90s proved this to be false.

In 1997, during a challenge hosted by RSA Security that pitted teams against each other to be the first to crack the DES protocol, the DESCHALL Project demonstrated that DES could be broken using an enormous amount of computing power. This was followed by The Deep Crack Project, spearheaded by the Electronic Frontier Foundation (EFF), which in July 1998 broke DES encryption in only 56 hours. Further collaborative efforts between the EFF and distributed.net six months later slashed this time to 22 hours 15 minutes.

The US National Institute of Standards and Technology (NIST) subsequently realised that DES needed a drastic overhaul, having seen that encryption-breaking was becoming far more feasible. Work, therefore, began on developing the successor to DES.

NIST launched an open competition in September 1997 calling for entries to explore how to protect data, both now and in the future. Dubbed the Advanced Encryption Standard process, the competition attracted 15 encryption designs. Three years later, a project known as Rijndael, developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, was chosen as the standard for AES encryption that’s still in use today.

By November 2000, the AES standard was certified for use by the US government, as a direct replacement for DES.

How does AES work?

Simply put, AES takes a block of plain text and applies alternating rounds of substitution and permutation boxes to the passage. This form of encryption is known as a substitution permutation network (SPN) block cipher algorithm, and the size of the boxes alternates between 128, 192 or 256 bits, depending on the strength of encryption. The standard strength for encryption is 128, with 256 reserved for as and when the strongest levels of protection are required.

During this substitution-permutation process, an encryption key is generated, which can then be used to decipher and read the protected information as was originally intended. Without this decryption key, the data is completely illegible and totally scrambled, meaning it’s useless to third parties who intercept traffic in the hope of stumbling on data they can steal.

Where is AES used?

While AES started life as a tool for the US government, including the NSA, it's been adopted by businesses and other organisations worldwide and is now one of the most widely used encryption algorithms around.

It's used in all sorts of file and transfer scenarios. For example, when you transmit files over an HTTPS connection, the chances are AES is keeping your data secure from any man-in-the-middle type attacks.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.