In part two of this series, we looked at how digital communications meant we needed to add further complexity to the ways in which we secured our information. In this short blog we'll look at the algorithm that is used across the globe to protect data today while at rest and in transit across the internet.

We can do better than that

In 2001 the National Institute of Standards and Technology (NIST) threw down the gauntlet to the security community to develop a successor to 3DES. I think that deep down they saw using the DES algorithm three times in a row as a bit of a cop-out, and wanted something fresh. Fifteen different algorithms were evaluated and an algorithm called Rijndael was finally selected.

Rijndael was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and was finally standardised as AES (The Advanced Encryption Algorithm) in 2002.

Where DES and 3DES have fixed-length keys (64-bit and 192-bit respectively), the AES algorithm has three accepted standard key lengths (128-bit, 192-bit and 256-bit), which alter the number of cycles that the algorithm uses (10, 12 and 14 respectively).

Also AES takes a slightly different approach to keys and plaintext. Rather than laying the plaintext out in a single row (as computer scientists have traditionally done since time immemorial) it makes a 4x4 two-dimensional matrix out of the data, and manipulates it in that way.

AES makes use of four basic functions during its processing:

1. AddRoundKey - This is an XOR of the current ciphertext state with the current round key.

2. SubBytes - This is a rather contrived substitution function, but it is basically equivalent to the S-box in DES.

3. ShiftRows - Since the bytes are ordered in a 4x4 matrix rather than in a row, in this function, each row is shifted left by n-1 bytes, where n is the row number, making this a transposition step.

4. MixColumns - This is another transposition step, but uses a matrix multiplication function to shift the columns of the matrix all about.

So the running order for AES goes like this:

1. Rijndael has its own key schedule where keys are constructed for each round from the master key, so we generate these here, in the first step.

2. Initial Round

a) AddRoundKey

3. Rounds (repeated 10, 12 or 14 times depending on key size)

a) SubBytes

b) ShiftRows

c) MixColumns

d) AddRoundKey

4. Final Round (same as any other round, except we don't MixColumns)

a) SubBytes

b) ShiftRows

c) AddRoundKey

And that's it! AES is far and away the best algorithm we currently have for encrypting data both at rest and in transit. It is estimated that to brute-force AES-128 it would take approximately 1 billion billion years (that's a 1 with 18 zeros), and for AES-256 it would take roughly 3 septillion septillion years (that's a 3 with 56 zeros). There are always people trying to find shortcuts to brute-forcing the key, or to invent new ciphers. But right now AES is the best and most standard approach we have for bulk encryption of data.

AES is used to encrypt the blocks of data that represent your information on government systems and banks, as well as encrypting data you exchange with secured websites. It's everywhere!

This is all very well, but all symmetric key cryptography is reliant on the key that is used to encrypt and decrypt remaining secret. In this digital world, how can we transmit the symmetric key over an insecure medium (i.e. the internet)? We could invest in flocks of pigeons to transport the keys to everybody… Everyone would have to have a single key to use with every other person. In a room with 50 people, that would mean there would be 1225 keys we'd need to manage… or we could use asymmetric key cryptography.

Next Time

Having now seen how symmetric key cryptography can be used to secure data using a single key, we'll next look at the unusual world of asymmetric key cryptography where more than one key is in use. Sharpen your pencils and recharge your calculator; examples are ahead!
