AES

A widely used symmetric encryption algorithm utilizing a single key.

Advanced Encryption Standard

  • Symmetric encryption algorithm adopted by the U.S. government in 2001 as the replacement for DES (Data Encryption Standard)
  • Uses the same key for both encryption and decryption (hence “symmetric”)
  • Block cipher that processes data in fixed 128-bit blocks regardless of key size
  • Considered the gold standard for symmetric encryption due to its security strength and efficiency

Key Characteristics

  • Block Size: Always 128 bits (16 bytes)
  • Key Sizes: 128-bit, 192-bit, or 256-bit keys
  • Rounds: Number of encryption rounds depends on key size (more rounds = more security)
  • Algorithm: Based on Rijndael cipher developed by Belgian cryptographers

| Key Size | Rounds | Security Level | Common Use Cases |
|----------|--------|----------------|------------------|
| AES-128  | 10     | High           | WiFi WPA2/WPA3, VPNs, general encryption |
| AES-192  | 12     | Very High      | Government applications, high-security networks |
| AES-256  | 14     | Extremely High | Top Secret data, military, financial institutions |

AES Modes of Operation

  • Electronic Codebook (ECB): Simplest but least secure (identical blocks produce identical ciphertext)
  • Cipher Block Chaining (CBC): Each block depends on previous block (more secure than ECB)
  • Counter (CTR): Converts block cipher into stream cipher (allows parallel processing)
  • Galois/Counter Mode (GCM): Provides both encryption and authentication (preferred for network protocols)

Network Implementation Examples

  • WiFi Security: WPA2 uses AES-128 in CCMP (Counter Mode with CBC-MAC Protocol)
  • IPSec VPNs: Commonly uses AES-256 for tunnel encryption
  • HTTPS/TLS: AES is the primary symmetric cipher for web traffic encryption
  • SSH: Uses AES for secure remote access sessions

Performance Considerations

  • Hardware acceleration available on most modern processors (AES-NI instruction set)
  • AES-128 provides excellent security-to-performance ratio for most network applications
  • AES-256 offers maximum security but requires ~40% more processing power than AES-128
  • Block cipher nature requires padding for data not exactly 128-bit aligned (in ECB and CBC; CTR and GCM operate as stream modes and need no padding)

Vocabulary

Symmetric Encryption: Uses the same key for encryption and decryption (contrast with asymmetric/public key encryption)

Block Cipher: Encrypts data in fixed-size blocks rather than bit-by-bit or byte-by-byte

Cipher Suite: Complete specification including encryption algorithm, key exchange method, and authentication method

Initialization Vector (IV): Random value used with certain modes to ensure identical plaintext produces different ciphertext
Notes

  • AES replaced DES because DES’s 56-bit key became too weak against modern computing power
  • When configuring network devices, AES-128 is usually sufficient unless compliance requires AES-256
  • Never use ECB mode in production - it reveals patterns in encrypted data
  • For Cisco devices, use crypto ipsec transform-set commands to specify AES encryption for VPN tunnels
  • AES keys must be securely distributed since compromise of the key compromises all encrypted data
  • Key management is often the weakest link in AES implementations, not the algorithm itself
  • AES-GCM is preferred for network protocols because it provides both confidentiality and integrity in one operation
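The two mode properties these notes stress (ECB revealing repeated blocks, GCM rejecting anything altered in transit) shown in working code. This is an added example using only Go's standard library, not code from the original notes; the key and plaintexts in the test are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// ecbLeaksRepeats encrypts two identical 16-byte blocks with the raw AES block
// function (all ECB does) and reports whether the ciphertext blocks match.
func ecbLeaksRepeats(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	pt := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 2) // constructed input
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:]), nil
}

// gcmRoundTrip seals pt (authenticating aad) under a fresh random 96-bit nonce,
// opens it, then flips one ciphertext bit and tries again. It returns the
// recovered plaintext and whether GCM rejected the tampered copy outright.
func gcmRoundTrip(key, pt, aad []byte) ([]byte, bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, false, err
	}
	ct := gcm.Seal(nil, nonce, pt, aad) // ciphertext followed by 16-byte tag
	recovered, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, false, err
	}
	ct[0] ^= 0x01 // simulate in-transit corruption or deliberate tampering
	_, err = gcm.Open(nil, nonce, ct, aad)
	return recovered, err != nil, nil
}
```

With a 16-byte key the first function reports the leak (both ciphertext blocks equal) while the second recovers the plaintext and then refuses the modified ciphertext with an error instead of returning garbage.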