What is AES
Key Takeaways
- AES is a symmetric block cipher — same key encrypts and decrypts. Block size: 128 bits. Key sizes: 128, 192, or 256 bits.
- AES-256-GCM is the standard for TLS data encryption — provides both confidentiality and authentication (AEAD)
- The mode of operation matters more than the algorithm: GCM (authenticated) is safe; ECB (no chaining) is broken for real data
- AES-NI hardware acceleration in modern CPUs makes AES-256-GCM effectively free — no performance reason to use weaker alternatives
AES (Advanced Encryption Standard) is a symmetric block cipher adopted by NIST in 2001 after a public competition. It encrypts data in 128-bit blocks using keys of 128, 192, or 256 bits. AES is the algorithm that actually protects your data in TLS connections, disk encryption (BitLocker, FileVault, LUKS), file encryption, database encryption, and virtually every other system that encrypts data. When a TLS connection is established, the handshake negotiates keys — AES does the actual encryption of every byte that flows after.
Why it matters
- Universal standard — AES is mandated by NIST, NSA (for classified data at AES-256), PCI DSS, HIPAA, and virtually every compliance framework. It’s the default choice for symmetric encryption worldwide.
- Hardware acceleration — Intel AES-NI, ARM AES extensions, and other CPU instruction sets perform AES operations in hardware. AES-256-GCM on modern hardware encrypts at 5-10 GB/s — faster than most storage and network I/O.
- TLS data encryption — after the handshake derives session keys, AES-GCM encrypts all application data. Every HTTPS page load, API call, and file transfer uses AES.
- No known practical attacks — after 25 years of cryptanalysis, no practical attack against full AES exists. Theoretical attacks (biclique) reduce the security margin slightly but remain computationally infeasible.
- Quantum-resistant (mostly) — Grover’s algorithm halves the effective key length against quantum computers. AES-256 becomes 128-bit security post-quantum — still sufficient. AES-128 drops to 64-bit — potentially vulnerable. Use AES-256 for long-term security.
How it works
- Key expansion — the cipher key (128/192/256 bits) is expanded into a key schedule of round keys (10/12/14 rounds respectively).
- Initial round — plaintext block XORed with the first round key (AddRoundKey).
- Main rounds (9/11/13 rounds), each applying four transformations in order:
  - SubBytes — each byte substituted via a fixed S-box (non-linear transformation)
  - ShiftRows — rows of the state matrix shifted cyclically
  - MixColumns — columns mixed using matrix multiplication in GF(2⁸)
  - AddRoundKey — state XORed with the round key
- Final round — SubBytes, ShiftRows, AddRoundKey (no MixColumns).
- Output — 128-bit ciphertext block.
Modes of operation (how blocks are chained):
- GCM (Galois/Counter Mode) — authenticated encryption. Provides confidentiality + integrity + authentication. Standard for TLS.
- CBC (Cipher Block Chaining) — each block XORed with previous ciphertext. Vulnerable to padding oracle attacks. Legacy.
- CTR (Counter Mode) — turns block cipher into stream cipher. Fast, parallelizable. No authentication without separate MAC.
- ECB (Electronic Codebook) — each block encrypted independently. Patterns in plaintext visible in ciphertext. Never use for real data.
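The following Go program is an added example (not code from the page or from any project it names) of the combination the list recommends: AES-256 as the block cipher, GCM as the mode, and a deterministic nonce so that no nonce repeats under one key. It uses only the standard library (crypto/aes, crypto/cipher). The Sealer type, its NewSealer/Seal/Open functions and the nonce layout (a 32-bit fixed field followed by a 64-bit message counter, the deterministic construction NIST SP 800-38D describes) are this example's own choices, not an API of the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sealer wraps AES-256-GCM with a deterministic 96-bit nonce: a 32-bit
// per-key fixed field followed by a 64-bit message counter (example
// layout, following the deterministic construction in NIST SP 800-38D).
// The counter is what guarantees a nonce is never reused under one key,
// the property GCM's confidentiality and authentication depend on.
type Sealer struct {
	aead    cipher.AEAD
	fixed   uint32
	counter uint64
}

// NewSealer builds the AEAD. AES-256 requires exactly a 32-byte key;
// aes.NewCipher would also accept 16 or 24 bytes, so check explicitly.
func NewSealer(key []byte, fixed uint32) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key) // the block cipher: 128-bit blocks
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // the mode: 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, fixed: fixed}, nil
}

// nextNonce returns a fresh nonce and refuses to wrap the counter:
// exhausting it means rotating the key, never reusing a nonce.
func (s *Sealer) nextNonce() ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rotate the key")
	}
	nonce := make([]byte, s.aead.NonceSize())
	binary.BigEndian.PutUint32(nonce[:4], s.fixed)
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return nonce, nil
}

// Seal returns nonce || ciphertext || tag. aad is authenticated but not
// encrypted, the role a record header plays in TLS.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce, err := s.nextNonce()
	if err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag before releasing any plaintext: a single flipped
// bit in nonce, ciphertext, tag or aad makes it fail.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], aad)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewSealer(key, 1)
	aad := []byte("record-header")
	msg, _ := s.Seal([]byte("hello"), aad)
	pt, err := s.Open(msg, aad)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
	msg[len(msg)-1] ^= 1 // flip one bit of the tag
	_, err = s.Open(msg, aad)
	fmt.Println("after tampering:", err)
}
```

Note that cipher.NewGCM never reuses a nonce for you; the caller owns that invariant, which is why the counter lives inside the Sealer rather than being passed in.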
In real systems
TLS cipher suites using AES:
TLS_AES_256_GCM_SHA384 # TLS 1.3 — AES-256-GCM
TLS_AES_128_GCM_SHA256 # TLS 1.3 — AES-128-GCM
TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3 — alternative for non-AES-NI hardware
ECDHE-RSA-AES256-GCM-SHA384 # TLS 1.2 — AES-256-GCM with ECDHE
Disk encryption:
# Linux LUKS (full disk encryption)
cryptsetup luksFormat /dev/sda2 --cipher aes-xts-plain64 --key-size 512
# AES-XTS with 512-bit key (256-bit for AES + 256-bit for XTS tweak)
# Verify encryption
cryptsetup luksDump /dev/sda2 | grep cipher
# cipher: aes-xts-plain64
OpenSSL file encryption:
# Encrypt a file with AES-256-CBC. The enc utility does not support AEAD modes:
# "openssl enc -aes-256-gcm" exits with "AEAD ciphers not supported by the enc utility".
# -pbkdf2 derives the key from the passphrase with PBKDF2 instead of the weak legacy KDF.
openssl enc -aes-256-cbc -pbkdf2 -in secret.pdf -out secret.enc -k "passphrase"
# Decrypt
openssl enc -d -aes-256-cbc -pbkdf2 -in secret.enc -out secret.pdf -k "passphrase"
# Note: this output carries no authentication tag; for AEAD file encryption use a
# library or tool that exposes AES-GCM directly.
Checking AES-NI support:
# Linux — check CPU flags
grep -o aes /proc/cpuinfo | head -1
# Output: aes (means AES-NI is available)
# OpenSSL speed test with/without hardware acceleration
openssl speed -evp aes-256-gcm
# Typical output: ~5 GB/s with AES-NI, ~500 MB/s without
Where it breaks
ECB mode leaks patterns — ECB encrypts each 128-bit block independently with the same key. Identical plaintext blocks produce identical ciphertext blocks. The famous “ECB penguin” demonstrates this: encrypting a bitmap image with ECB preserves the visual pattern. Never use ECB for anything except single-block encryption (like encrypting a single AES key).
Nonce reuse in GCM — AES-GCM requires a unique nonce (IV) for every encryption operation with the same key. Reusing a nonce with the same key completely breaks both confidentiality and authentication — an attacker can recover the authentication key and forge messages. At scale (billions of encryptions), random 96-bit nonces have a non-negligible collision probability. Use deterministic nonce construction (counter-based) or AES-GCM-SIV (nonce-misuse resistant) for high-volume systems.
CBC padding oracle — AES-CBC requires padding to fill the last block. If a server reveals whether decryption padding is valid (through error messages or timing), an attacker can decrypt the entire ciphertext one byte at a time. This powered the BEAST, POODLE, and Lucky13 attacks against TLS. AES-GCM has no padding — it’s a stream mode. This is why TLS 1.3 only allows AEAD ciphers (GCM, ChaCha20-Poly1305).
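As an added example (not from the page), the Go program below makes the first two failure modes measurable with the standard library: it runs raw AES in ECB over a plaintext with repeated blocks and counts the repeated ciphertext blocks (a detector for ECB in captured data), then seals two messages under AES-GCM with the same key and nonce and checks that XORing the two ciphertexts with one known plaintext reproduces the other. The functions ecbEncrypt, repeatedBlocks and nonceReuseLeaks, the all-0x11 key and the sample messages are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// ecbEncrypt runs the raw block cipher over each 16-byte block on its own.
// Go's standard library deliberately ships no ECB mode; this loop is all
// ECB is: same key, same block in, same block out.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, errors.New("ECB input must be a whole number of blocks")
	}
	ciphertext := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(ciphertext[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return ciphertext, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that already appeared
// earlier in the same ciphertext. Any count above zero on data longer than
// a few blocks is a red flag for ECB: the "ECB penguin" reduced to a number.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[[blockSize]byte]bool)
	repeats := 0
	for i := 0; i+blockSize <= len(ciphertext); i += blockSize {
		var b [blockSize]byte
		copy(b[:], ciphertext[i:i+blockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// nonceReuseLeaks seals p1 under nonce1 and p2 under nonce2 with the same
// key and reports whether c1 XOR c2 XOR p1 reproduces p2. GCM encrypts
// with CTR, so a repeated nonce repeats the keystream and the XOR of the
// ciphertexts equals the XOR of the plaintexts: one known message reveals
// the other. With distinct nonces the check fails, as it should.
func nonceReuseLeaks(key, nonce1, nonce2, p1, p2 []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := aead.Seal(nil, nonce1, p1, nil)
	c2 := aead.Seal(nil, nonce2, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	recovered := make([]byte, n)
	for i := 0; i < n; i++ {
		recovered[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return bytes.Equal(recovered, p2[:n]), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo key, not a real secret
	// Four identical blocks: the text equivalent of a flat-coloured image region.
	pt := bytes.Repeat([]byte("0123456789abcdef"), 4)
	ecb, _ := ecbEncrypt(key, pt)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb))
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12)
	fmt.Println("GCM repeated blocks:", repeatedBlocks(gcm.Seal(nil, nonce, pt, nil)))
	leak, _ := nonceReuseLeaks(key, nonce, nonce, []byte("known message"), []byte("secret message"))
	fmt.Println("nonce reuse leaks the second plaintext:", leak)
}
```

repeatedBlocks is the kind of check worth running over stored ciphertext or captured traffic when auditing a system whose mode of operation is unknown; a GCM or CTR output of the same length shows no repeats.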
Operational insight
The choice between AES-128 and AES-256 is less about security and more about compliance and future-proofing. Both are unbreakable with current technology. AES-128 provides 128-bit security (sufficient against classical computers). AES-256 provides 256-bit security classically and 128-bit security against quantum computers (Grover’s algorithm). If your data needs to remain confidential for 20+ years (government, healthcare, financial records), use AES-256 — it survives the quantum transition without re-encryption. For short-lived data (session encryption, ephemeral communications), AES-128 is perfectly adequate and marginally faster (though with AES-NI, the difference is negligible).