AES Encryption Explained: How It Works and Why It Matters

What is AES Encryption?

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that has become the global standard for securing digital data. Adopted by the U.S. National Institute of Standards and Technology (NIST) in 2001, AES replaced the aging Data Encryption Standard (DES) after a rigorous five-year public competition. The winning algorithm, originally named Rijndael, was designed by Belgian cryptographers Joan Daemen and Vincent Rijmen.

As a symmetric encryption algorithm, AES uses the same secret key for both encryption and decryption. This is in contrast to asymmetric encryption (like RSA), where a public key encrypts and a separate private key decrypts. Symmetric encryption is significantly faster than asymmetric encryption, making AES the preferred choice for encrypting large volumes of data.

Today, AES is used everywhere — from securing your HTTPS connections and encrypting your smartphone's storage to protecting classified government communications. When someone says their data is "encrypted," there is a high probability that AES is the algorithm doing the work. Its combination of security, speed, and hardware support makes it the most widely deployed encryption algorithm in the world.

How AES Works

AES is a block cipher, meaning it encrypts data in fixed-size blocks. Each block is exactly 128 bits (16 bytes). If your plaintext is longer than 16 bytes, it is divided into multiple blocks, each encrypted individually (with the mode of operation governing how blocks relate to each other).

AES supports three key sizes: 128-bit, 192-bit, and 256-bit. The key size determines the number of transformation rounds the algorithm performs:

• AES-128: 10 rounds
• AES-192: 12 rounds
• AES-256: 14 rounds

Each round consists of four distinct operations applied to a 4×4 matrix of bytes called the state:

SubBytes

Each byte in the state is replaced with a corresponding byte from a fixed lookup table called the S-box(substitution box). This non-linear substitution provides confusion — it obscures the relationship between the plaintext and the ciphertext. The S-box is carefully designed to resist known cryptanalytic attacks such as differential and linear cryptanalysis.

ShiftRows

The rows of the state matrix are cyclically shifted to the left by different offsets. The first row is not shifted, the second row shifts by one position, the third by two, and the fourth by three. This step ensures that bytes from each column are spread across all columns, providing diffusion across the block.

MixColumns

Each column of the state is treated as a polynomial and multiplied with a fixed polynomial in the Galois field GF(2⁸). This operation mixes the bytes within each column, further spreading the influence of each input byte across the output. MixColumns is skipped in the final round.

AddRoundKey

The state is XORed with a round key derived from the original encryption key through a process called key expansion(or key schedule). Each round uses a different round key, ensuring that the encryption key's influence is distributed across all rounds. This is the only step that directly involves the secret key.

AES 암호화 과정 (각 라운드):
┌─────────────┐
│  Plaintext   │  (128비트 블록)
└──────┬──────┘
       ▼
┌─────────────┐
│ AddRoundKey  │  (초기 라운드 키 XOR)
└──────┬──────┘
       ▼
┌─────────────┐
│  SubBytes    │  (S-box 치환)
│  ShiftRows   │  (행 순환 이동)
│  MixColumns  │  (열 혼합)
│ AddRoundKey  │  (라운드 키 XOR)
└──────┬──────┘
       ▼
  (10/12/14 라운드 반복)
       ▼
┌─────────────┐
│  Ciphertext  │  (128비트 암호문)
└─────────────┘

AES Key Sizes Compared

Choosing the right key size depends on your security requirements, performance constraints, and compliance needs. All three AES key sizes are considered secure against brute-force attacks with current technology, but they differ in their security margins and computational cost.

AES Modes of Operation

AES by itself only encrypts a single 128-bit block. To encrypt data longer than 16 bytes, you need a mode of operationthat defines how multiple blocks are processed. The choice of mode is just as important as the choice of key size — a strong key with a weak mode can be catastrophically insecure.

ECB (Electronic Codebook) — Dangerous

ECB is the simplest mode: each block is encrypted independently with the same key. This means identical plaintext blocks produce identical ciphertext blocks, leaking patterns in the data. The famous "ECB Penguin" image demonstrates this flaw perfectly — encrypting a bitmap image with ECB mode reveals the outline of the original image in the ciphertext. Never use ECB mode for anything.

CBC (Cipher Block Chaining)

CBC XORs each plaintext block with the previous ciphertext block before encryption, using an initialization vector (IV) for the first block. This eliminates the pattern-leaking problem of ECB. CBC was the standard mode for decades and is still widely encountered in legacy systems. However, it requires padding (typically PKCS#7) and is vulnerable to padding oracle attacks if not implemented carefully.

CTR (Counter Mode)

CTR turns AES into a stream cipher by encrypting sequential counter values and XORing the result with the plaintext. It does not require padding, allows parallel encryption and random access to encrypted data. However, like CBC, CTR does not provide authentication— an attacker can flip bits in the ciphertext without detection.

GCM (Galois/Counter Mode) — Recommended

GCM combines CTR mode encryption with Galois field multiplication for authentication. It provides both confidentiality (encryption) and integrity/authenticity (authentication tag) in a single operation. This makes it an authenticated encryption with associated data (AEAD) scheme. GCM is fast, parallelizable, and has excellent hardware support via AES-NI instructions.

AES-GCM: The Recommended Mode

AES-GCM is the gold standard for symmetric encryption in modern applications. It is used in TLS 1.3, IPsec, SSH, and countless other protocols. Understanding its components is essential for implementing encryption correctly.

Authenticated Encryption

GCM provides authenticated encryption, meaning it simultaneously ensures that the data has not been read (confidentiality) and has not been tampered with (integrity/authenticity). After encryption, GCM produces an authentication tag (typically 128 bits) that is verified during decryption. If even a single bit of the ciphertext, the IV, or the associated data has been modified, decryption will fail with an authentication error rather than producing corrupted plaintext.

IV/Nonce: The Critical Parameter

GCM requires a unique initialization vector (IV), also called a nonce (number used once), for every encryption operation with the same key. The standard IV size for AES-GCM is 96 bits (12 bytes). Reusing an IV with the same key is catastrophic — it completely breaks both the confidentiality and authenticity guarantees of GCM. In practice, IVs are either generated randomly (using a cryptographically secure random number generator) or derived from a counter.

Key Derivation with PBKDF2

In many applications, the encryption key is derived from a human-readable password rather than being a raw 256-bit key. The standard approach is to use a key derivation function (KDF) like PBKDF2 (Password-Based Key Derivation Function 2). PBKDF2 takes the password, a random salt, and an iteration count, then produces a key of the desired length. The iteration count (typically 100,000 or more) makes brute-force password guessing computationally expensive.

// AES-256-GCM 암호화 흐름 (의사 코드)

// 1. 비밀번호에서 키 유도
salt = generateRandomBytes(16)         // 랜덤 솔트 생성
key = PBKDF2(password, salt, 100000, 256)  // 키 유도

// 2. 랜덤 IV 생성
iv = generateRandomBytes(12)           // 96비트 IV

// 3. AES-GCM으로 암호화
(ciphertext, tag) = AES_GCM_Encrypt(key, iv, plaintext)

// 4. 결과 조합: salt + iv + tag + ciphertext
output = salt || iv || tag || ciphertext

// 복호화 시: output에서 salt, iv, tag을 분리한 후 역순으로 처리

Real-World Applications of AES

AES is arguably the most deployed cryptographic algorithm in the world. Here are the key areas where it protects your data every day:

HTTPS and TLS

Every time you visit a website over HTTPS, your browser negotiates a TLS connection that typically uses AES-GCM for encrypting the data stream. TLS 1.3 mandates AES-128-GCM and AES-256-GCM as its two primary cipher suites. This means billions of AES encryption operations happen every second across the internet.

End-to-End Messaging Encryption

Messaging apps like WhatsApp, Signal, and iMessage use the Signal Protocol, which relies on AES-256-CBC (with HMAC) or AES-256-GCM for encrypting individual messages. The encryption keys are derived from a Diffie-Hellman key exchange, ensuring that only the sender and recipient can decrypt the messages — not even the service provider has access.

Full-Disk Encryption

Apple's FileVault (macOS), Microsoft's BitLocker (Windows), and Linux's LUKS all use AES (typically AES-256 with XTS mode) to encrypt entire disk volumes. When you enable full-disk encryption, every file written to disk is transparently encrypted with AES and decrypted when read. Modern CPUs include dedicated AES-NI instructions that make this process virtually transparent in terms of performance.

VPN Tunnels

VPN protocols like IPsec, WireGuard, and OpenVPN use AES to encrypt network traffic. IPsec commonly uses AES-256-GCM for both confidentiality and integrity. When you connect to a VPN, every packet sent between your device and the VPN server is encrypted with AES, preventing eavesdroppers from reading your traffic.

File and Archive Encryption

Tools like 7-Zip, WinRAR, and GPG use AES-256 to encrypt files and archives. Cloud storage services like Google Drive, Dropbox, and AWS S3 use AES-256 for server-side encryption of stored data. When you password-protect a ZIP file with strong encryption, it is AES doing the heavy lifting.

AES vs Other Encryption Algorithms

AES is not the only encryption algorithm, and understanding when to use each type is crucial for building secure systems. Here is how AES compares to other common algorithms:

In practice, these algorithms are often used together. A typical TLS handshake uses RSA or ECDH for key exchange, then switches to AES-GCM (or ChaCha20-Poly1305) for encrypting the actual data stream. RSA encrypts the symmetric key, and AES encrypts the data — this hybrid approach combines the key distribution advantages of asymmetric cryptography with the speed of symmetric encryption.

ChaCha20-Poly1305 is a notable alternative to AES-GCM. Designed by Daniel J. Bernstein, it is faster than AES on devices without hardware AES acceleration (like older smartphones and IoT devices). TLS 1.3 includes ChaCha20-Poly1305 as a mandatory cipher suite alongside AES-GCM, and Android devices default to it when AES-NI is not available.

Common Mistakes to Avoid

Even with a rock-solid algorithm like AES, implementation mistakes can completely undermine security. Here are the most dangerous pitfalls developers encounter:

Using ECB Mode

ECB mode encrypts each block independently, causing identical plaintext blocks to produce identical ciphertext blocks. This leaks patterns and structure from your data. Despite being the simplest mode, ECB should never be used for encrypting data larger than a single block. Unfortunately, it is often the default in many cryptographic libraries, which is why you should always explicitly specify your mode of operation.

Hardcoding Encryption Keys

Embedding encryption keys directly in source code is one of the most common and dangerous mistakes. Anyone with access to the binary can extract the key. Keys should be stored in environment variables, hardware security modules (HSMs), or dedicated secret management systems like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault. Use a password generator to create strong, random keys.

Reusing IVs/Nonces

Reusing the same IV (or nonce) with the same key is catastrophic for AES-GCM. It allows an attacker to XOR two ciphertexts together to eliminate the key stream, potentially recovering both plaintexts. For AES-GCM specifically, nonce reuse also completely breaks the authentication tag, allowing forgery of arbitrary messages. Always generate a fresh, random IV for every encryption operation, and never use a static or predictable IV.

Padding Oracle Attacks

When using CBC mode with PKCS#7 padding, if your application reveals whether a padding error occurred during decryption (through error messages, timing differences, or different HTTP status codes), an attacker can exploit this "oracle" to decrypt the entire ciphertext one byte at a time without knowing the key. The solution is either to use an authenticated mode like GCM (which detects any tampering) or to apply HMAC verification before attempting decryption.

Try AES Encryption with BeautiCode

Understanding AES encryption is much easier when you can experiment with it hands-on. BeautiCode provides a free, browser-based AES Encrypt/Decrypt tool that lets you encrypt and decrypt text using AES-256-GCM in real time. All processing happens entirely in your browser — no data is ever sent to a server.

• AES Encrypt/Decrypt — Encrypt and decrypt text with AES-256-GCM. Enter your plaintext and password to see the encryption process in action. Experiment with different inputs and verify that decryption correctly recovers the original text.
• Hash Generator — Compare AES encryption with hashing. While AES is reversible (with the key), hash functions like SHA-256 are one-way. Generate hashes to understand the difference between encryption and hashing.
• Password Generator — Generate strong, random passwords to use as encryption keys. A weak password undermines even the strongest encryption algorithm.
• Bcrypt Hash Generator — Explore password hashing with bcrypt, which is designed for securely storing passwords (unlike AES, which is designed for reversible encryption).

Frequently Asked Questions

Is AES-256 unbreakable?

No encryption algorithm can be proven "unbreakable" in an absolute sense, but AES-256 is the strongest symmetric cipher available today. A brute-force attack against a 256-bit key would require 2²⁵⁶operations — a number so large that it exceeds the estimated number of atoms in the observable universe. Even with all the computing power on Earth working together, it would take longer than the age of the universe to try all possible keys. Quantum computers running Grover's algorithm could theoretically halve the effective key length to 128 bits, which is still considered secure.

What is the difference between AES and RSA?

AES is a symmetric algorithm: the same key encrypts and decrypts. RSA is an asymmetricalgorithm: a public key encrypts and a private key decrypts (or vice versa for signatures). AES is roughly 1,000 times faster than RSA and is used for encrypting bulk data. RSA is used for key exchange, digital signatures, and encrypting small pieces of data (like AES keys). In practice, they are used together — RSA exchanges the AES key, and AES encrypts the actual data.

Should I use AES-128 or AES-256?

Both are secure for all practical purposes. AES-128 provides 128-bit security and is approximately 40% faster than AES-256. Choose AES-256 if your compliance requirements mandate it (many government and financial regulations require 256-bit keys), if you want extra margin against future quantum computing advances, or if performance is not a critical concern. For most web applications, APIs, and general-purpose encryption, AES-128 is perfectly adequate.

Why is AES-GCM preferred over AES-CBC?

AES-GCM provides authenticated encryption, meaning it verifies data integrity alongside encryption. AES-CBC only encrypts — it does not detect if the ciphertext has been tampered with. With CBC, you must separately add an HMAC for integrity, increasing complexity and the chance of implementation errors. GCM also does not require padding (eliminating padding oracle vulnerabilities), supports parallelization for better performance, and is the mandatory cipher for TLS 1.3.

Can AES encryption be used for password storage?

While technically possible, AES encryption is not recommendedfor password storage. Encryption is reversible — if an attacker obtains the encryption key, they can decrypt all passwords instantly. Instead, use a dedicated password hashing algorithm like bcrypt or Argon2, which are one-way functions specifically designed to be slow and resistant to brute-force attacks. Use AES when you need to retrieve the original data (like encrypting files or communications), and use hashing when you only need to verify data (like passwords).