AES Encryption: A Closer Look at Advanced Encryption Standards

What if anyone could access your passwords, bank details and confidential emails?

The online world would literally resemble a Wild West shootout. Complete and utter chaos.

Today, businesses cannot afford to deal with such chaos, especially when 80 percent of them already use at least one SaaS application.

Encryption is the sheriff that prevents a Wild West-type scenario from ever happening. It gives businesses complete assurance that their data will be protected, and no one does it better than AES encryption.

What is AES Encryption? 

AES Encryption stands for Advanced Encryption Standard (also known as Rijndael) and follows a symmetric encryption algorithm, i.e., the same key is used to encrypt and decrypt the data. AES supports block lengths of 128, 192 and 256 bits, and its algorithm was developed by the Belgian cryptographers Joan Daemen and Vincent Rijmen.

The following characteristics make AES encryption extremely software and hardware friendly:

  • Immune to all known attacks
  • Speed and compatibility of source code on various computing platforms
  • Simplicity of design

AES encryption is the gold standard of encryption. Period. You see it with messaging apps like WhatsApp, organizations dealing with highly sensitive data like NASA, tech giants like Microsoft and numerous small businesses around the world.

A stone shield with AES written on it.

History of AES

The 1970’s – Birth of DES. The U.S. National Bureau of Standards (NBS) needed a stealthy algorithm to encrypt sensitive government information. Their search led them to a symmetric key algorithm: Data Encryption Standard (DES). Over the next couple of decades, DES was the indisputable champion in the world of cryptography.

1997 – The fall of DES. The mid-nineties saw a rise in improved computing power, due to which the 56-bit key algorithm became vulnerable to brute-force attacks. The National Institute of Standards and Technology (NIST) announced a public competition to find a DES replacement.

1999 – DES broken. The Electronic Frontier Foundation built a DES cracker that successfully brute-forced the algorithm in just 22 hours and 15 minutes (less than a day).

2001 – AES for the win. NIST announced AES as the winner of the competition. The new algorithm worked on a similar symmetric-key block cipher as DES, but way more advanced.

2002 – AES in action. The U.S. federal government formally adopted AES-192 and AES-256 to secure classified information on the recommendation of NIST. The algorithm was approved by the NSA as well, and soon after, the rest of the technology community started taking notice.

Present – The gold standard. AES encryption has completely replaced DES worldwide as the default symmetric encryption cipher used for public and commercial purposes.

How Does AES Encryption Work?

AES encryption is known for speed and security.

Speed comes from the fact that AES is a symmetric-key cipher and requires less computational power as compared to an asymmetric one.

Security is the direct result of a sophisticated block cipher algorithm. Data is encrypted on a per-block basis, which is measured in bits. For instance, 128 bits of plain text will produce 128 bits of ciphertext.

The cipher involves substitution and permutation, meaning replacing inputs with specific outputs and then shuffling those outputs, aka rounds. These rounds make up the difference between the various key lengths. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.

Key Expansion is carried out before each round. The initial key is used to derive a series of ‘new round keys’ to ensure the same keys are not used in each round.

Each round of AES involves:

  • Byte Substitution
  • Shift Rows
  • Mix Column
  • Add Round Key

Byte Substitution 

The 16 input bytes (128-bit) are substituted based on a predetermined table. The result is a matrix of four rows and four columns where the data is altered in a non-linear way to add confusion.

73 df id ks
hb hq h2 tg
9f st 7f 14
s5 2h 30 h9

The algorithm looks up the table where the value of each character is equated with another character. You get a matrix with new values but the same data.

jb n3 kf n2
9f jj 1h js
74 wh 0d 18
hs 17 d6 px

Shift Rows 

The data is moved from its original position to create diffusion.

Shift Row is carried out in four parts:

  • First row is not shifted
  • Second row is shifted one (byte) position to the left
  • Third row is shifted two positions to the left
  • Fourth row is shifted three positions to the left

In the end, a new matrix is formed based on the same 16 bytes.

jb n3 kf n2
jj 1h js 9f
0d 18 74 wh
px hs 17 d6

Mix Column*

Each round key is combined with the plaintext using the additive XOR algorithm to further diffuse the data. The result is another new matrix consisting of 16 new bytes.

1s j4 2n ma
83 28 ke 9f
9w xm 31 m4
5b a9 ci ps

*Note: Mix column does not occur in the final round.

Add Round Key 

The result from the mixed column is added to the first round key. After this, it goes back to the byte substitution step and the entire process (round) starts again. That means, if you’re using 256-bit key encryption, you will go through this round 14 times.

h3 jd zu 7s
s8 7d 26 2n
dj 4b 9d 9c
74 el 2h hg

Once the data has gone through this gruesome process, your plaintext will come out looking like ‘we238adjkjloncvty’ (for example) as a result of different mathematical operations being applied to it again and again.


Although the same key is used for both encryption and decryption, the algorithms need to be separately implemented. The decryption process is similar to the encryption process but in reverse order.

Here’s the sequence for AES decryption:

  • Add Round Key
  • Mix Columns
  • Shift Rows
  • Byte Substitution

Watch how AES encryption works.

How Secure Is AES 256?

If AES is the gold standard, 256-bit encryption is its poster child. With the longest rounds, the 256-bit key provides the strongest level of encryption.

It is near impossible to crack it even if brute force is applied – trying every combination of numbers possible until the correct key is found. The longer the key size, the more attempts are needed.

A hacker trying to crack a 256-bit key would need 2 to the power of 256 attempts to find the right key. Even if hackers use Tianhe-2 (MilkyWay-2), the fastest supercomputer in the world, it will take them a few million lifetimes to crack a 256-bit AES encryption.

The bottom line is, entities that face threats from all directions, like the U.S. Military or your Office 365 that stores business-critical information, need AES 256-bit protection.

Securing Your Data With AES Encryption

To ensure your SaaS data is safe, check if your backup vendor uses AES 256 encryption. If not, chances are they are using service accounts, which means your data is at risk.

Service accounts store your most sensitive data in spreadsheets or shared document format. They are easy to hack and fail to fulfill many compliance requirements.

Spanning protects your Google Workspace, Office 365 and Salesforce data with 256-bit AES object-level encryption with unique, randomly generated encryption keys for every single object and a rotating master key protecting the unique keys. In addition, Transport Layer Security (TLS) encryption is used to protect all data in transit.

Peace of mind, guaranteed!

Learn More