0% found this document useful (0 votes)
69 views5 pages

AES Introduction PDF

Uploaded by

davbrat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
69 views5 pages

AES Introduction PDF

Uploaded by

davbrat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

91 0x450a0ad2

0x8c1a3291 0x56de57
0x5f8a153d
axd8c447ae 8820572
5228 0xf32 4856
0x19df c2fe97 0xd61b
White Paper 0x3fe63453 0xa3bdff8
2 0x30e571cf
6a 0x100daa87
0x36e0045b 0xad22db
255ba12 bdff8
0x48df 0x5ef8189b 0x
0xf08cde96

AES Encryption

AES Encryption and Related Concepts

THIS PAPER IS A NON-TECHNICAL INTRODUCTION to the Advanced


Encryption Standard (AES) and to important topics related to encryption
such as encryption key management, validation, common uses to protect
data, and compliance. You will find a resource guide at the end for further
research on this and related topics.

www.townsendsecurity.com

724 Columbia Street NW, Suite 400 • Olympia, WA 98501 • 360.359.4400 • 800.357.1019 • fax 360.357.9047 • www.townsendsecurity.com
Introduction to AES Encryption by Townsend Security

single block of data at a time. In the case of standard AES


What is AES? encryption the block is 128 bits, or 16 bytes, in length. The
term “rounds” refers to the way in which the encryption
The Advanced Encryption Standard (AES) is formal algorithm mixes the data re-encrypting it ten to fourteen
encryption method adopted by the National Institute of times depending on the length of the key.
Standards and Technology of the US Government, and
is accepted worldwide. This paper introduces AES and The AES algorithm itself is not a computer program or
key management, and discusses some important topics computer source code. It is a mathematical description
related to a good data security strategy. of a process of obscuring data. A number of people have
created source code implementations of AES encryption,
including the original authors.
A Brief History
In 1997 the National Institute of Standards and Encryption Keys
Technology (NIST), a branch of the US government,
started a process to identify a replacement for the Data AES encryption uses a single key as a part of the
Encryption Standard (DES). It was generally recognized encryption process. The key can be 128 bits (16 bytes),
that DES was not secure because of advances in 192 bits (24 bytes), or 256 bits (32 bytes) in length. The
computer processing power. The goal of NIST was to term 128-bit encryption refers to the use of a 128-bit
define a replacement for DES that could be used for encryption key. With AES both the encryption and the
non-military information security applications by US decryption are performed using the same key. This is
government agencies. Of course, it was recognized that called a symmetric encryption algorithm. Encryption
commercial and other non-government users would algorithms that use two different keys, a public and a
benefit from the work of NIST and that the work would private key, are called asymmetric encryption algorithms.
be generally adopted as a commercial standard.
An encryption key is simply a binary string of data used
The NIST invited cryptography and data security in the encryption process. Because the same encryption
specialists from around the world to participate in the key is used to encrypt and decrypt data, it is important
discussion and selection process. Five encryption to keep the encryption key a secret and to use keys that
algorithms were adopted for study. Through a process are hard to guess. Some keys are generated by software
of consensus the encryption algorithm proposed by used for this specific task. Another method is to derive a
the Belgium cryptographers Joan Daeman and Vincent key from a pass phrase. Good encryption systems never
Rijmen was selected. Prior to selection Daeman and use a pass phrase alone as an encryption key.
Rijmen used the name Rijndael (derived from their
names) for the algorithm. After adoption the encryption
algorithm was given the name Advanced Encryption
Standard (AES) which is in common use today.
Modes of Operation
In 2000 the NIST formally adopted the AES encryption There are different methods of using keys with the AES
algorithm and published it as a federal standard under encryption method. These different methods are called
the designation FIPS-197. The full FIPS-197 standard “modes of operation”. NIST defines a number of modes
is available on the NIST web site (see the Resources of operation for AES which include:
section below). As expected, many providers of
encryption software and hardware have incorporated • Electronic code book (ECB)
AES encryption into their products. • Cipher block chaining (CBC)
• Counter (CTR)
• Cipher feed back (CFB)
• Output feed back (OFB)
The AES Algorithm • Galois Counter Mode (GCM)

The AES encryption algorithm is a block cipher that uses Each mode uses AES in a different way. For example,
an encryption key and several rounds of encryption. A ECB encrypts each block of data independently. CTR
block cipher is an encryption algorithm that works on a mode encrypts a 128-bit counter and then adds that value

© 2016 Townsend Security Page 1


Introduction to AES Encryption by Townsend Security

to the data to encrypt it. CBC mode uses an initialization Key management systems provide a wide variety of
vector and adds the encrypted value of each block to the functions including:
data in the next block before encrypting it. Some modes
require you to only encrypt data that is a multiple of the • Key creation
16-byte block size; others allow you to truncate • Key rotation, or key change
unused data. • Key expiration
• Key import and export
It is important to note that you can use strong encryption • Key usage control
in a weak way resulting in poor security for your sensitive • Secure key storage
data. Using an inappropriate mode of encryption, or • Access controls
using a mode of encryption improperly, can leave • Key escrow, or archival
your data exposed to loss. Fully understanding the • Compliance logging
implications and management requirements of each
mode is a vital part of planning for encryption. A good key management system is crucial for a good
data security strategy.

NIST Testing & Validation


Encryption In Database Applications
Recognizing the need for a method of insuring the
quality and correctness of AES implementations, NIST Businesses with sensitive data in database applications
developed a set of tests and a testing protocol for the want to encrypt the data in order to secure it from loss.
algorithm. It chartered independent testing laboratories Protecting sensitive data increases customer trust and
to administer the tests and monitor the results. This set loyalty, reduces legal liability, and helps meet regulatory
of tests is referred to as AES Validation. To achieve NIST requirements for data security. Examples of databases
validation a data security vendor must pass hundreds that might contain sensitive information are Oracle
of different tests designed to validate that the vendor Database, IBM DB2, Microsoft SQL Server, MySQL,
is properly encrypting and decrypting data. Only when and Microsoft Access. Regardless of the disk or folder
all tests have been passed does the NIST issue AES encryption technology that might be used, the actual
Validation certificates. The list of vendors who have data should be encrypted to prevent loss.
passed these tests is located at this link: http://csrc.nist.
gov/groups/STM/cavp/documents/aes/aesval.html At the time this document was written most database
systems do not provide encryption support that meets
NIST standards. Additionally, most database systems
do not provide cross-platform support for encrypting
Key Management and decrypting sensitive data. This situation will surely
change in the future but, until database systems achieve
Many people think that encryption is all about secret NIST compliance for security, database users will need to
methods, or algorithms, for obscuring code. In reality provide encryption in their application programs.
the encryption methods are public and anyone can
read how encryption is done and obtain source code
for performing the encryption and decryption steps. The
secret part is the key used to perform encryption and
Best Practices
decryption. For this reason it is important to keep your
encryption keys secret, and use secure methods for Understanding the best practices for implementing
creating, distributing, and storing your keys. encryption in your business applications is important to
achieving good data security. Here are some key points:
Key management systems allow you to create keys and
keep them secret. Many security professionals believe • Never store pass phrases or encryption keys in your
that the most important part of their data security strategy application source code.
is the proper creation, management, and protection of
their encryption keys. • Use a key management system to secure encryption
keys and provide a way to securely back up your keys.

© 2016 Townsend Security Page 2


Introduction to AES Encryption by Townsend Security
• Use appropriate key generation methods to create Protection, and Nevada privacy protection which
encryption keys – never use passwords or pass require companies to notify customers or employees
phrases as keys. when sensitive data is lost. Other states have passed
even more stringent laws. The Sarbanes-Oxley Act
• Use the right mode of encryption for database (SOX) is a federal law that requires certain types of data
applications. Cipher Block Chaining (CBC) and Counter security. For banks the Gramm Leach Bliley Act (GLBA)
(CTR) modes are appropriate for database applications; requires that sensitive data be secured from loss. In the
Electronic Code Book (ECB) and Galois Counter Mode medical industry the federal Health Insurance Portability
(GCM) are not. and Accountability Act (HIPAA) requires that patient
information be secured from loss. Lastly, through their
• Adopt data security standards and guidelines for your written agreements with merchants, credit card vendors
application developers to follow when creating or such as Visa and Mastercard require that credit card
maintaining applications. numbers and related sensitive information be secured
from loss with strong encryption according to Payment
These are some basic areas of focus for best practices in Card Industry (PCI) rules.
data security. Be sure you understand the best ways to
implement data security before you start.
Alliance AES Data Encryption
Encryption in Cloud and VMware Products From Townsend Security
Environments The Alliance AES encryption solutions from Townsend
Security provide a complete implementation of the AES
Cloud and VMware users benefit from the many encryption algorithm and modes of operation for use in
operational, and cost efficiencies provided by these database applications, and have passed the rigorous
platforms. However, organizations need to choose tests of NIST AES Validation. Solutions are available for
encryption solutions within these platforms that are a variety of platforms including IBM i, IBM z, Microsoft
based on industry standards. While emerging encryption Windows, IBM AIX, Sun Solaris, and Linux on both 32-bit
technologies are available, it is important to only use and 64-bit systems. These solutions give the Enterprise
solutions that have been through NIST validation and are customer with the tools the need for a cross-platform
based on standards such as AES. approach to data security. Key management is provided
including support for third party solutions.

Choosing A Software Vendor For Resources


Data Encryption The National institute of Standards and Technology
publishes a list of AES validated applications here:
When you choose a software vendor for data encryption http://csrc.nist.gov/groups/STM/cavp/documents/aes/
be sure they are experts in data security and offer aesval.html
support across a broad spectrum of platforms. Your
vendor should be able to provide you with a coherent The official NIST FIPS-197 publication is available here
strategy and common encryption methods for securing (you will need the Adobe Acrobat reader):
data. You should be able to ask about encryption keys http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
and encryption modes and get an understandable
answer to your questions. The choice of a software The Wikipedia entry for AES encryption has a good non-
vendor for data security may be the single most mathematical description of the algorithm. Of course, the
important decision you make. mathematical references are also available:
http://en.wikipedia.org/wiki/AES_encryption

Data Security And The Law Payment card industry rules for credit card security can
be found here:
A number of federal and state laws have taken effect https://www.pcisecuritystandards.org/document_library
which require or encourage the encryption of sensitive
data. Some examples are the California Privacy
Notification law (SB1386), Massachusetts Privacy

© 2016 Townsend Security Page 3


Introduction to AES Encryption by Townsend Security

Townsend Security
We know that data gets out, and that it can and routinely
does fall into the wrong hands. When this happens, our
solutions for encryption, key management, and system
logging ensure that your Enterprise is compliant with
regulations and that your sensitive data is protected.
Our data security solutions work on a variety of server
platforms including IBM i, IBM z, Windows, and Linux.
Many of these solutions are currently used by leaders in
retail, health care, banking, and government.

You can contact Townsend Security for an initial


consultation at the following locations:

Web: www.townsendsecurity.com
Phone: (800) 357-1019 or (360) 359-4400
International: +1 360 359 4400
Email: [email protected]

A fully functional free trial is available for all Alliance


products. You can evaluate Alliance capabilities on your
own server systems.

© 2016 Townsend Security Page 4

You might also like