Home / Cryptography / Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is the latest encryption standard adopted by NIST in 2001 for the symmetric encryption of messages. The AES algorithm was selected as part of a contest to find a replacement for the Data Encryption Standard (DES). This algorithm was based on the Rijndael cipher developed by two Belgian mathematicians, Joan Daemen and Vincent Rijmen.

As part of the NIST standard, AES uses a block size of 128 bits and supports three key lengths: 128, 192, and 256 bits.

If you are developing a new system and you are required to encrypt data, then you should definitely use the AES as your encryption algorithm. At the time of writing, AES is still considered the recommended standard. You should use a key size of 256 bits (32 bytes).

AesManaged or AesCryptoServiceProvider

.NET offers two implementations of the AES encryption algorithm, AesManaged and AesCryptoServiceProvider, but which one should you use? They both provide the same functionality in that they both implement the AES encryption specification. But the primary distinction is that AesManaged is a .NET – specific implementation whereas AesCryptoServiceProvider uses the underlying cryptography libraries in Windows, which are FIPS-certified.

Note that NIST issued the FIPS 140-2 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that will be satisfied by a cryptographic module.

Then AesCryptoServiceProvider may be the implementation you will wish to use, particularly if you have to interoperate with methods which are also certified with FIPS 140-2 and you want to make sure you’re encrypting information with AES using a certified execution. The following examples are all based around AesCryptoServiceProvider.

class Example

{

static void Main(string[] args)

{

var AES = new AesEncryption();

var key = Random.GenerateRandomNumber(32);

var initV = Random.GenerateRandomNumber(16);

var text = “Encrypt this”;

var encrypted = AES.Encrypt(Encoding.UTF8.GetBytes(text), key, initV);

var decrypted = AES.Decrypt(encrypted, key, initV);

var decryptedMessage = Encoding.UTF8.GetString(decrypted);

Console.WriteLine(“AES Encryption Demonstration in .NET”);

Console.WriteLine(“––––––––––––”);

Console.WriteLine();

Console.WriteLine(“Original Text = ” + text);

Console.WriteLine(“Encrypted Text = ” + Convert.ToBase64String(encrypted));

Console.WriteLine(“Decrypted Text = ” + decryptedMessage);

Console.ReadLine();

}

}

To encrypt some data, you first construct the AesCryptoServiceProvider object and wrap it in a using statement so that it is properly disposed of. Then, the Mode and Padding is explicitly set. They are set to the defaults in this example, but it doesn’t hurt to do this explicitly to state your intention when configuring the algorithm. Next, the Key and IVs are set. These are passed into the Encrypt and Decrypt methods. The key and IVs have to be the same for both the encrypt and decrypt operations.

The key has to be secret but the IV doesn’t have to be. After that, a new MemoryStream is constructed and passed into a new instance of the CryptoStream object along with the result of the CreateEncryptor() or CreateDecryptor() method and the CryptoStreamMode.Write enumeration. AesEncryption.CreateEncryptor() or AesEncryption.CreateDecryptor() creates a symmetric encryptor or decryptor object with the current Key property and IV.

Once the CryptoStream object has been created, you then call the Write() method by passing in the data to encrypt or decrypt and the data length. Then, a call to FlushFinalBlock() is made to update the underlying data with the current state of the buffer and then clear the buffer. Next, you call ToArray() on the initial MemoryStream to convert the final result into a byte array to pass back to the calling object.

In the following code sample, you can see an example in which the AesEncryption class is used to encrypt and decrypt some data.

public class AESEncryption

{

public byte[] GenRanNumr(int length)

{

using (var rNumGen = new RNGCryptoServiceProvider())

{

var rNum = new byte[length];

rNumGen.GetBytes(rNum);

return rNum;

}

}

public byte[] Encrypt(byte[] data, byte[] key, byte[] initV)

{

using (var AES = new AesCryptoServiceProvider())

{

AES.Mode = CipherMode.CBC;

AES.Padding = PaddingMode.PKCS7;

AES.Key = key;

AES.IV = initV;

using (var memStream = new MemoryStream())

{

var cryptoStream = new CryptoStream(memStream, AES.CreateEncryptor(),

CryptoStreamMode.Write);

cryptoStream.Write(data, 0, data.Length);

cryptoStream.FlushFinalBlock();

return memStream.ToArray();

}

}

}

public byte[] Decrypt(byte[] data, byte[] key, byte[] initV)

{

using (var AES= new AesCryptoServiceProvider())

{

AES.Mode = CipherMode.CBC;

AES.Padding = PaddingMode.PKCS7;

AES.Key = key;

AES.IV = initV;

using (var memStream= new MemoryStream())

{

var cryptoStream = new CryptoStream(memStream, AES.CreateDecryptor(),

CryptoStreamMode.Write);

cryptoStream.Write(data, 0, data.Length);

cryptoStream.FlushFinalBlock();

var decryptBytes = memStream.ToArray();

return decryptBytes;

}

}

}

}

AES internally uses a 128, 192, or 256-bit key. In the previous example, we are using a 256-bit (32 bytes) key. The IV is set to 16 bytes (128 bits). This is used to initialize the first block in the encryption process. As previously stated, the IV does not have to be kept secret and can be sent in the clear along with the encrypted message. You should not reuse the same IV for subsequent messages. You should generate a new IV either by using the RNGCryptoServiceProvider or the GenerateIV() method in the AesCryptoServiceProvider class.

Check Also

digital signature

Digital Signature

An essential purpose of cryptography would be  to ensure nonrepudiation of a delivered message. This …

Leave a Reply

Your email address will not be published. Required fields are marked *