First adopted by the US government to protect classified information, AES has long gained global acceptance and is used for securing sensitive data in various industries - most likely including yours. In this post, you'll learn about AES encryption and understand its vital role in securing sensitive files you send over the Internet.
What is AES encryption?
AES, or Advanced Encryption Standard, is a cipher, i.e., a method for encrypting and decrypting information. Whenever you transmit files over secure file transfer protocols like HTTPS, FTPS, SFTP, WebDAVS, OFTP, or AS2, there's a good chance your data will be encrypted by some flavor of AES - either AES 256, 192, or 128. We'll say more about these three shortly.
Different secure file transfer products ship with different selections of encryption algorithms: a cipher that appears in one product's list may be absent from another's. AES is the exception. It will almost certainly be present in all but a few. Why is this so? It all started when the US government began looking for a new encryption algorithm to protect sensitive data.
How Rijndael became a standard
For about two decades beginning in 1977, the US government used a cipher called DES (Data Encryption Standard) to protect sensitive, unclassified information. Unfortunately, that cipher was later shown to be insecure, prompting the government to look for a replacement.
This led to a standardization process that attracted 15 competing encryption designs, including - among others - MARS from IBM, RC6 from RSA Security, Serpent, Twofish, and Rijndael. It was Rijndael, designed by two Belgian cryptographers (Joan Daemen and Vincent Rijmen), that eventually became the standard and henceforth carried the title Advanced Encryption Standard, or AES.
The selection process was very stringent, taking 5 years to complete. During that span, experts from across the cryptographic community carried out detailed tests and painstaking discussions to find vulnerabilities and weaknesses. The participation of different sectors, which showed the openness of the selection process, speaks volumes about how credible the process was.
Although the cipher's strength against various attacks was a major consideration in choosing the standard, other factors like speed, versatility, and computational requirements were likewise given importance. The government wanted an encryption standard that wasn't just strong, but also fast, reliable and easily implemented in both software and hardware, even on devices with limited CPU and memory.
Although the other candidate algorithms were also very good (some of them are widely used today, though understandably they don't enjoy the same level of acceptance as AES), the Rijndael cipher was ultimately selected and declared a Federal Information Processing Standard (FIPS) by NIST (the National Institute of Standards and Technology) in 2001. It was approved by the Secretary of Commerce and then recognized as a federal government standard the following year.
Note: The official AES standard is specified in FIPS PUB 197.
The rise of AES didn't end there. In 2003, the government deemed it suitable for protecting classified information. In fact, to this day, the NSA (National Security Agency) uses AES to encrypt even Top Secret information.
That should explain why AES has gained the confidence of various industries. If it's good enough for the NSA, then it must be good enough for businesses.
Let's get a little bit more technical
AES belongs to a family of ciphers known as block ciphers. A block cipher is an algorithm that encrypts data one fixed-size block at a time, with the block size measured in bits. AES has a block size of 128 bits, meaning it operates on 128 bits of plaintext at a time to produce 128 bits of ciphertext.
Like almost all modern encryption algorithms, AES requires keys for the encryption and decryption processes. AES supports three key lengths: 128-bit, 192-bit, and 256-bit keys. The longer the key, the stronger the encryption. So, AES 128 encryption is the least strong of the three, while AES 256 encryption is the strongest.
In terms of performance, though, shorter keys result in faster encryption than longer keys, because a longer key means more rounds of the cipher are run per block. So 128-bit AES encryption is faster than 256-bit AES encryption.
The key used for AES encryption is the same key used for AES decryption. When the same key serves both encryption and decryption, the algorithm is said to be symmetric. Read the article Symmetric vs Asymmetric Encryption if you want to know the difference between the two.
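To make the three points above concrete (a fixed 128-bit block, three key lengths, and the same key for both directions), here is an added Go example that is not part of the original post. It uses Go's standard crypto/aes package and the example plaintext, keys and ciphertexts published in Appendix C of FIPS 197, the standard mentioned earlier; no other values are assumed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// BlockOp runs the raw cipher on exactly one 128-bit block. Only the key
// length (16, 24 or 32 bytes) selects the variant; the block size is fixed.
func BlockOp(key, in []byte, decrypt bool) ([]byte, error) {
	b, err := aes.NewCipher(key) // rejects every other key length
	if err != nil {
		return nil, err
	}
	if len(in) != b.BlockSize() { // Encrypt/Decrypt panic on short input
		return nil, fmt.Errorf("need a %d-byte block, got %d", b.BlockSize(), len(in))
	}
	out := make([]byte, b.BlockSize())
	if decrypt {
		b.Decrypt(out, in)
	} else {
		b.Encrypt(out, in)
	}
	return out, nil
}

// KnownAnswer encrypts the FIPS 197 Appendix C plaintext under the sequential
// key 00 01 02 ... of keyLen bytes, compares against the published ciphertext
// (hex) and confirms the same key decrypts it back (AES is symmetric).
func KnownAnswer(keyLen int, expectedHex string) (bool, error) {
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = byte(i)
	}
	pt, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	ct, err := BlockOp(key, pt, false)
	if err != nil {
		return false, err
	}
	back, _ := BlockOp(key, ct, true) // cannot fail: same key, full block
	return hex.EncodeToString(ct) == expectedHex && bytes.Equal(back, pt), nil
}

func main() {
	// Expected values are the FIPS 197 Appendix C example ciphertexts.
	fmt.Println(KnownAnswer(16, "69c4e0d86a7b0430d8cdb78070b4c55a")) // AES-128
	fmt.Println(KnownAnswer(24, "dda97ca4864cdfe06eaf70a0ec0d7191")) // AES-192
	fmt.Println(KnownAnswer(32, "8ea2b7ca516745bfeafc49904b496089")) // AES-256
}
```

Each line of main prints true plus a nil error; a 20-byte key makes aes.NewCipher return an error, which is how the library enforces that only the three AES variants exist.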
How is the AES encryption algorithm used in secure file transfers?
As mentioned earlier, AES is implemented in secure file transfer protocols like FTPS, HTTPS, SFTP, AS2, WebDAVS, and OFTP. But what exactly is its role?
Because symmetric and asymmetric encryption algorithms each have their own strengths, modern secure file transfer protocols normally use a combination of the two. Asymmetric-key ciphers, a.k.a. public key encryption algorithms, are great for key distribution and hence are used to encrypt the session key that the symmetric cipher will use.
Symmetric-key ciphers like AES, on the other hand, are more suitable for encrypting the actual data (and commands) because they require fewer resources and are also much faster than asymmetric ciphers. The article Symmetric vs Asymmetric Encryption has a more thorough discussion of these two groups of ciphers.
Here's a simplified diagram illustrating the encryption process during a typical secure file transfer secured by SSL/TLS (e.g. HTTPS, FTPS, WebDAVS) or SSH (e.g. SFTP). AES encryption operates in step 3.
That's it. I hope you learned something useful today.
If you like reading posts like this, subscribe to this blog or connect with us.
Looking for a secure file transfer server that supports AES? Try JSCAPE MFT Server. It uses AES encryption on its FTPS, SFTP, HTTPS, WebDAVS, AS2, and OFTP services. Download a free, fully-functional evaluation edition now.