Symmetric Encryption: AES
The Advanced Encryption Standard (AES) is one of the most widely used symmetric encryption algorithms. Like all symmetric encryption algorithms, it uses the same key to encrypt and decrypt data.
Learning Objectives
You should be able to:
- Describe how the AES symmetric encryption algorithm was adopted
- Use AES to encrypt and decrypt files using the Gnu Privacy Guard (GPG)
Video Walkthrough
Use this video to follow along with the steps in this lab.
AES
The Data Encryption Standard (DES) was a symmetric encryption algorithm published in 1977. DES was endorsed by the United States government and widely used. Weaknesses in DES were discovered in the 1990s, and proof-of-concept attacks breaking DES encryption were demonstrated in the late 1990s. Clearly, there was a need for a better algorithm for encrypting data.
In 1997, The National Institute of Standards and Technology (NIST) issued an open call for cryptographers to create a successor to DES. Submissions were evaluated over the next several years. During that time, mathematicians, computer scientists, and cryptographers probed the algorithms for weaknesses. In 2001, NIST announced that the Advanced Encryption Standard (AES) would be the replacement for DES. Decades later, no significant weaknesses have been found in AES and it continues to be widely deployed. The websites you browsed today were likely encrypted and decrypted using AES.
NIST officially endorsed AES in the Federal Information Processing Standards 140 series (FIPS 140). These standards evolve as new algorithms are adopted and weaker algorithms are found unfit for use.
Use AES with the Gnu Privacy Guard (GPG)
Your computer uses AES frequently. In this exercise, you will use the Gnu Privacy Guard (GPG) to encrypt and decrypt individual files.
- Start your Linux virtual machine and connect to the terminal.
- Run the following command to ensure that you are in your home directory.
cd ~
- Make a new folder called
crypto.
mkdir crypto
- Change directories to the new
cryptodirectory.
cd crypto
- Create a file called
secrets.txt.
touch secrets.txt
- Edit the secrets.txt file with nano.
nano secrets.txt
- Type a secret message in the text file.
- Save the file with
control+o, then exit usingcontrol+x. - Run
ls -alto view the file details.
ls -al
The output should look similar to the following.
-rw-r--r-- 1 user user 33 Jun 28 13:45 secrets.txt
- My file is 33 bytes. (Your username might be different.)
- Encrypt the file using AES. By default, if you symmetrically encrypt data with the Gnu Privacy Guard, it will use AES for the encryption algorithm.
gpg --output encrypted-secret.gpg --symmetric secrets.txt
- If your system says that
gpgis not found, install it using the following commands.
sudo apt update
sudp apt install gpg
- If you get an error that says, "No such file or directory," then double-check that you 1) did not make a typo when creating
secrets.txt, and 2) did not make a typo when typingsecrets.txtinto thegpgcommand. - You will be prompted for a passphrase. This will become the key used to encrypt and decrypt the data.
- You do not need to save the password.
- The file should be encrypted quickly.
- List the files with
ls -al
ls -al
Some overhead was added to the plaintext file.
-rw-rw-r-- 1 user user 114 Jun 28 13:48 encrypted-secret.gpg
-rw-rw-r-- 1 user user 33 Jun 28 13:45 secrets.txt
- Display the contents of both files using
cat.
cat secrets.txt
Pineapple on pizza is excellent.
cat encrypted-secret.gpg
The output will not be human-readable. The terminal did its best to try to write out the text, but the content is really just a bunch of binary zeros and ones.
]@ ??)?W?3???au?ft?8?St-}??U]_?_a?i??r`?J??O
@r@D??U??Tc`s???z%?T?:?o4?W
- Delete your cleartext file with the
rmcommand.
rm secrets.txt
- Now, you are left with the encrypted file.
- This next step would typically only be done for testing. The Gnu Privacy Guard remembers that you just entered the passphrase, so it will not prompt you for it again when trying to decrypt. You can clear out this cache to simulate having just downloaded the file from the internet.
gpg-connect-agent reloadagent /bye
- Decrypt the file with the
gpgprogram. If you sent this file to a friend, your friend could use the same process for decrypting the file.
gpg --decrypt encrypted-secret.gpg
- You will be prompted for the passphrase. After confirming the passphrase, you should see the output in cleartext. But, the cleartext content will not be written to a file.
- To decrypt the file contents to a file use the
--outputoption.
gpg --output clear.txt --decrypt encrypted-secret.gpg
- Run
catto view the contents of clear.txt.
cat clear.txt
The original file will be restored.
-rw-r--r-- 1 user user 33 Jun 28 13:58 clear.txt
-rw-r--r-- 1 user user 114 Jun 28 13:48 encrypted-secret.gpg
Reflection
- Should the government be given a copy of all AES keys for safekeeping?
- Should encrypted communication be the default?
Key Terms
- DES (Data Encryption Standard): A symmetric-key algorithm for the encryption of digital data. Developed in the 1970s, it uses a 56-bit key and operates on 64-bit blocks of data. DES was widely used but is now considered insecure due to its relatively short key length, which makes it vulnerable to brute-force attacks.
- AES (Advanced Encryption Standard): A symmetric encryption algorithm established by the National Institute of Standards and Technology (NIST) in 2001. It supports key sizes of 128, 192, and 256 bits and operates on 128-bit blocks of data. AES is widely used and considered secure for most applications.
- NIST (National Institute of Standards and Technology): A U.S. federal agency that develops and promotes measurement standards, including cryptographic standards. NIST is responsible for establishing guidelines and standards for information security, such as AES and FIPS 140.
- FIPS 140 (Federal Information Processing Standard 140): A U.S. government standard that specifies security requirements for cryptographic modules. It ensures that cryptographic products meet certain security criteria and is widely used in government and industry to ensure the security of cryptographic implementations.
- gpg (GNU Privacy Guard): An open-source implementation of the OpenPGP standard, used for encrypting and signing data and communications. It provides a free alternative to proprietary encryption software and supports both symmetric and asymmetric encryption methods.