AES (Advanced Encryption Standard)
A symmetric block cipher algorithm adopted by the U.S. government as the standard for encrypting electronic data, replacing the older DES standard. AES operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits, with AES-256 being the strongest. It uses substitution-permutation network rounds (10, 12, or 14 rounds depending on key size) and is considered computationally secure against brute-force attacks. AES is used in TLS/HTTPS, disk encryption (BitLocker, FileVault), VPNs, and Wi-Fi security (WPA2/WPA3). It is the most widely tested symmetric algorithm in CISSP and Security+ exams.
Why It Matters
In practice, AES is critical because it is the global standard for symmetric encryption used to protect everything from classified government data to personal device storage and internet communications. Organizations that fail to implement AES correctly face vulnerabilities from weak modes of operation like ECB, which leaks patterns in encrypted data, rather than secure modes like GCM or CBC with proper initialization vectors. Choosing between AES-128 and AES-256 involves trade-offs between performance and security margin, with AES-256 recommended for protecting data against future quantum computing threats. Hardware acceleration (AES-NI) in modern processors makes AES extremely fast. On certification exams such as CISSP, Security+, and CCSP, expect questions about AES key sizes and round counts, comparing AES with DES and 3DES, understanding block cipher modes of operation, and evaluating AES in the context of post-quantum cryptography preparedness.
Practice this topic
Test your knowledge of AES (Advanced Encryption Standard) concepts with exam-style practice questions.
Related Cryptography terms
Encryption
The process of converting plaintext data into an unreadable format (ciphertext) using a cryptographic algorithm and key, ensuring that only authorized parties can access the original information. Encryption can be symmetric (same key for encryption and decryption, e.g., AES) or asymmetric (public/private key pair, e.g., RSA). Data can be encrypted at rest (stored data), in transit (network communication via TLS), or in use (homomorphic encryption). Encryption is mandated by regulations like GDPR, HIPAA, and PCI DSS for protecting sensitive data. It is a fundamental topic across all cybersecurity certifications.
Hashing
A one-way function that converts input data of any size into a fixed-length string of characters (hash value or digest), used primarily for data integrity verification and password storage. Unlike encryption, hashing is irreversible — you cannot recover the original data from the hash. Common algorithms include SHA-256, SHA-3, and bcrypt (for passwords). Hashing is used in digital signatures, file integrity monitoring, blockchain, and password authentication. Collision resistance (ensuring two different inputs don't produce the same hash) is a critical property tested in CISSP and Security+ cryptography domains.
Public Key Infrastructure (PKI)
A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and public keys. PKI enables secure electronic communication through certificate authorities (CAs) that issue and validate certificates, registration authorities (RAs), and certificate revocation lists (CRLs) or OCSP responders. PKI underpins HTTPS/TLS, email encryption (S/MIME), VPNs, code signing, and digital signatures. Understanding PKI hierarchy (root CA, intermediate CA, end-entity certificates) is essential for CISSP, Security+, and CCSP certifications.
Digital Certificate
An electronic document issued by a Certificate Authority (CA) that binds a public key to an entity's identity, enabling encrypted communication and identity verification. Certificates follow the X.509 standard and contain the subject's name, public key, issuer, validity period, and digital signature. Types include SSL/TLS certificates (for websites), code signing certificates, email certificates (S/MIME), and client certificates. Certificate validation involves checking the chain of trust, expiration date, and revocation status. Digital certificates are a core component of PKI and are tested in CISSP, Security+, and CCSP exams.
TLS (Transport Layer Security)
A cryptographic protocol designed to provide secure communication over a computer network by encrypting data in transit between two parties (e.g., a web browser and server). TLS replaced its predecessor SSL and operates through a handshake process that negotiates cipher suites, authenticates the server (and optionally the client) via certificates, and establishes session keys. TLS 1.3 (the latest version) improved performance by reducing handshake round trips and removing insecure cipher suites. HTTPS is simply HTTP over TLS. Understanding TLS versions, cipher suites, and certificate validation is essential for Security+, CISSP, and web security certifications.
Digital Signature
A cryptographic technique that uses asymmetric encryption to verify the authenticity, integrity, and non-repudiation of digital messages or documents. The sender creates a signature by hashing the message and encrypting the hash with their private key; the recipient verifies it using the sender's public key. If the message has been altered, the hash will not match, detecting tampering. Digital signatures are legally binding in many jurisdictions and are used in code signing, email authentication (DKIM), software distribution, and electronic contracts. They are a key topic in CISSP cryptography and Security+ certification exams.