AES stands for Advanced Encryption Standard. It is the most widely used encryption standard in the world, adopted by the US government and most modern security systems. It is a symmetric block cipher, which means it uses the same key to encrypt and decrypt data. It processes 128-bit blocks and can use different key lengths, which determine its level of security and performance.
It was adopted in 2001, when the US National Institute of Standards and Technology (NIST) selected the Rijndael algorithm as the official encryption standard to replace the old standard (DES). This algorithm was created by Vincent Rijmen and Joan Daemen.
It is the default algorithm across the digital world, used by websites (HTTPS), SSH connections and Wi-Fi (WPA2/WPA3), among others. It is a symmetric cipher, since it uses the same key to encrypt and decrypt, and each data block consists of 128 bits.
AES currently comes in three key sizes: AES-128, AES-192 and AES-256, which use 10, 12 and 14 rounds respectively.
Rounds or Iterations in AES
Rounds are the internal iterations the algorithm uses to transform plaintext into ciphertext. In each iteration the algorithm executes the operations SubBytes, ShiftRows, MixColumns and AddRoundKey.
| Operation | Description |
| --- | --- |
| SubBytes | Non-linear replacement of each byte using an S-Box table. |
| ShiftRows | Shifting the rows of the data matrix to mix the information. |
| MixColumns | Mathematical mixing of the columns (not applied in the last round). |
| AddRoundKey | Combination with a subkey derived from the main key. |
The services we offer at MOX rely on all of these operations, from hosting with SSL certificates to VPNs encrypted with AES-256 ciphers.
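As an added example (not code from MOX or from the AES authors), the Python code below implements the FIPS-197 key expansion, the step that derives the AddRoundKey subkeys from the main key, and shows where the 10, 12 and 14 round counts come from. The function names are assumptions of this example, and the all-zero keys it prints are constructed sample input.

```python
"""AES key schedule (FIPS-197 KeyExpansion): the round keys for AddRoundKey."""

def xtime(b: int) -> int:
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial 0x11b."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def build_sbox() -> list[int]:
    """Derive the SubBytes S-box: field inverse followed by the affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):                # powers of the generator 0x03
        exp[i], log[x] = x, i
        x ^= xtime(x)                   # x * 3 = (x * 2) XOR x
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for r in range(1, 5):           # XOR with four left-rotations of inv
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def expand_key(key: bytes) -> list[bytes]:
    """Return the Nr + 1 sixteen-byte round keys for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk = len(key) // 4                  # key length in 32-bit words: 4, 6, 8
    nr = nk + 6                         # number of rounds: 10, 12, 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                 # RotWord, SubWord, XOR round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk == 8 and i % nk == 4:   # extra SubWord, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word)
            for r in range(nr + 1)]

def rounds(key: bytes) -> int:
    """Rounds for this key size: one fewer than the number of round keys."""
    return len(expand_key(key)) - 1

if __name__ == "__main__":
    for size in (16, 24, 32):           # constructed all-zero sample keys
        print(f"AES-{size * 8}: {rounds(bytes(size))} rounds")
```

The first round key is the main key itself (its first 16 bytes for longer keys), which is why a cipher with Nr rounds needs Nr + 1 subkeys.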
AES-128 encryption
- Key length: 128 bits.
- Security: Considered extremely secure; no known practical attack has broken it.
- Performance: Very fast and efficient, especially on hardware with AES-NI support (CPU instructions to accelerate encryption).
- Typical use in VPN: Preferred in environments where speed is crucial (mobile phones, routers).
AES-192 encryption
- Key length: 192 bits.
- Security: More secure than AES-128, although in practice AES-128 is already strong enough.
- Performance: Slightly slower than AES-128.
- Typical VPN use: Uncommon; used primarily in very strict security configurations.
AES-256 Encryption
- Key Length: 256 bits.
- Security: Maximum level of security approved by the NSA for data classified as "Top Secret".
- Performance: Slightly slower than AES-128 due to more rounds of encryption.
- Typical Use in VPN: Ideal for maximum security, widely used in commercial and government VPNs.
What types of VPNs use AES?
OpenVPN
Uses AES-128 or AES-256 in CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode) mode. GCM is preferred because it includes authentication and is more efficient.
IKEv2/IPSec
Supports AES-128, AES-192, and AES-256, usually in GCM mode. Popular on mobile devices (iOS, Android) and corporate environments.
WireGuard
By default it does not use AES, but ChaCha20 (more efficient on mobile).
However, it can operate with AES in some forks or hybrid implementations.
L2TP/IPSec
Almost always implemented with AES-128 or AES-256 for data encryption.
MOX VPN
Connections can be generated for L2TP and OpenVPN using AES-256 to maximize security, and for WireGuard using ChaCha20.