Imagine a perfect world. In this perfect world, governments and corporations would implement all the security controls necessary for their operation, use all of the security best practices, adhere to all compliance regulations, purchase the most sophisticated data protection tools, and as a result, maintain information systems with sensitive data that is 100% secure. Unfortunately, 100% security is a utopia, but using properly implemented encryption will certainly assist your organization in mitigating risks associated with unencrypted data.
What does encryption do for us?
Encryption is not only a security best practice, but it is the industry standard for protecting data at rest and data transmitted over the Internet. It protects data from unauthorized access, modification, disclosure and theft. You’ve likely used a service that offers data encryption. For example, when you send messages over WhatsApp or Signal, these are encrypted from end-to-end to prevent malevolent actors from eavesdropping your private conversations.
What exactly does encryption do? Encryption converts plaintext data to an unintelligible form called ciphertext. When data is decrypted, the ciphertext is converted back to plaintext. Encrypting data prevents unauthorized individuals from viewing sensitive information that is transmitted over the Internet. There are three interesting things you should know about encryption:
- There is more than one type of encryption (symmetric v asymmetric)
- Asymmetric encryption algorithms will become obsolete in a quantum computing future
- Advanced Encryption Standard (AES) is currently the most secure encryption algorithm
What is AES encryption and how does it work?
AES, introduced in 2001, is an encryption standard used by the United States government to protect data in federal information systems. It is also used by nongovernmental organizations to protect sensitive data. The AES algorithm uses “symmetric” key encryption and three block ciphers. Symmetric key encryption uses the same key to encrypt and decrypt data. Sometimes the same key is described as a secret key. It is critical that the secret key is only available to authorized users to prevent anyone else from accessing the key and accessing the data for nefarious reasons.
Encryption and decryption occur in data blocks of 128 bits. The block length is 128 bits. Each of the following cipher keys, which vary in length, are associated with the number of rounds required to transform plain text into ciphertext. For simplicity, consider this transformation a type of processing or operation that takes place for encryption to occur.
- AES-128-bit key, 10 rounds
- AES-192-bit key, 12 rounds
- AES-256-bit key, 14 rounds
The longer the key length, the more rounds of processing that occurs to encrypt the data. While AES encryption is secure, AES-256-bit key encryption is stronger (and more secure) than AES 128-bit key because there are many more possible character combinations in the 256-bit key than the 128-bit key. Essentially, it would take a cybercriminal longer to try all of the possible combinations to crack AES 256-key bit encryption than it would take them to attempt to crack AES-128-bit encryption.
AES strength and other considerations
The strength is in the key length. The longer the key length, the more difficult it is for a cybercriminal to break the encryption or crack the secret code (i.e., decryption key). For this reason, a bad actor (or actors) will have to work that much harder to break 256-bit key encryption than 128-bit key encryption.
Organizations using AES encryption give stakeholders (e.g., corporate executives, consumers and end-users) a high level of confidence in secure electronic data transmissions; however, this confidence may be weakened by the following:
- Poorly implemented encryption (e.g., systems that are incorrectly configured)
- Poor key management (e.g., not using industry best practices for encryption key management)
Encryption keys must be securely managed and protected from unauthorized disclosure or modification. AES encryption is most effective when no one other than the intended recipient has the secret key. What about when AES encryption is properly implemented and encryption keys are managed in accordance with best practices—does this resolve all potential threats? Not quite. AES may also be threatened by side-channel attacks. Side-channel attacks rely on information that is acquired based on the implementation of security controls rather than the failure to implement a security control, such as encryption. Such an attack has the potential to reveal encryption keys. Organizations may mitigate risks associated with side-channel attacks by reducing the ways in which data leaks from a system.
AES and quantum computing
There is a global effort to prepare secure information systems to resist quantum computing. It is expected that cryptographic algorithms that use public keys (i.e., asymmetric encryption) will not be a secure encryption method once we enter the era of large-scale quantum computing, which is likely still many years away. In contrast, AES encryption, which uses a symmetric key, is believed to be reasonably secure in a quantum computing world due to its key length. And while the impact of quantum computing on AES will require a longer key length, the encryption method is so sophisticated that it is considered quantum resistant.
AES encryption offers the strongest and most secure cryptographic algorithm. As such, it is the industry standard for encrypting sensitive data. The full power of AES encryption, however, is realized when it is implemented by experts and encryption keys are managed in accordance with secure key management best practices. Lastly, organizations can safely implement AES encryption in a quantum computing world. While AES-128-bit key will remain secure for decades to come, AES-256-bit key will protect against threats from quantum computers for a very long time.