ToolActToolAct

AES Encryption & Decryption Tool

Professional AES symmetric encryption with 6 modes and 5 padding options

Encryption Configuration

Input
Characters: 0
Bytes: 0
Output
Characters: 0
Bytes: 0

What is AES Encryption?

AES (Advanced Encryption Standard) is the most widely used symmetric encryption algorithm worldwide, approved by the NSA for protecting TOP SECRET information. AES evolved from the Rijndael cipher designed by Belgian cryptographers Joan Daemen and Vincent Rijmen, and was officially published by NIST in 2001 as a replacement for the aging DES algorithm. AES uses block encryption with a fixed block size of 128 bits (16 bytes) and supports three key lengths: 128, 192, and 256 bits, corresponding to AES-128, AES-192, and AES-256 security levels. Longer keys provide higher security but slightly slower performance. As a symmetric encryption algorithm, AES uses the same key for both encryption and decryption, making it far more efficient than asymmetric encryption. AES has extensive applications: in network security, TLS/SSL protocols use AES to protect web browsing and email transmission; in storage security, tools like BitLocker and FileVault use AES to encrypt user data; in database security, many systems support AES column-level encryption; in IoT, AES is widely used for secure device-to-device communication. This tool supports all 6 AES encryption modes (ECB, CBC, CFB, OFB, CTR, GCM) and 5 padding schemes to meet various encryption needs.

How to Use

How to use

  1. Select encryption mode (GCM recommended for encryption + integrity verification)
  2. Select padding scheme (GCM/CFB/OFB/CTR modes use no padding automatically)
  3. Select key length (256-bit for highest security, 128-bit for best performance)
  4. Enter key or click 'Generate Random Key' to create one automatically
  5. For modes requiring IV, enter or generate an initialization vector
  6. Enter plaintext (for encryption) or ciphertext (for decryption) in the left panel
  7. Results appear automatically in the right panel
  8. Click 'Copy' to copy results, or 'Swap' to exchange input and output

Encryption Modes

  • GCMGalois/Counter Mode, recommended. Provides encryption and authentication, no padding needed, supports parallel processing, ideal for network transmission and TLS
  • CBCCipher Block Chaining, classic mode. XORs each plaintext block with previous ciphertext block before encryption, requires padding and IV, good security but no parallel support
  • CFBCipher Feedback, stream cipher mode. Converts block cipher to stream cipher, no padding needed, suitable for streaming data, supports real-time encryption
  • OFBOutput Feedback, similar to CFB but errors don't propagate, suitable for noisy channels, no padding needed
  • CTRCounter mode. Uses incrementing counter to generate keystream, no padding needed, supports full parallel encryption, excellent performance
  • ECBElectronic Codebook, NOT recommended. Same plaintext produces same ciphertext, leaks data patterns, only suitable for encrypting single data blocks

Padding Schemes

  • PKCS7PKCS#7 padding, most common and recommended. Auto-pads N bytes with value N, can be accurately removed during decryption, unambiguous
  • ZeroPaddingZero padding. Pads with 0x00 bytes, simple but may cause ambiguity when data naturally ends with zero bytes
  • NoPaddingNo padding. Requires data length to be exact multiple of 16 bytes, suitable for stream modes or known-length data
  • ISO7859ISO/IEC 7816-4 padding. First padding byte is 0x80 followed by 0x00 bytes, widely used in smart cards and financial industry
  • ANSIX923ANSI X.923 padding. Padding bytes are all 0x00, last byte indicates padding length, commonly used in financial data exchange

Usage Tips

  • Keys should be generated using cryptographically secure random numbers, avoid guessable strings
  • Use a different random IV for each encryption, never reuse IVs
  • GCM mode recommends 12-byte (96-bit) IVs for optimal performance and security
  • CTR and GCM modes support parallel processing for faster encryption of large data
  • Keys and IVs can be entered in hexadecimal, text, or Base64 format
  • Hex key lengths: 128-bit = 32 chars, 192-bit = 48 chars, 256-bit = 64 chars

Use Cases

Reproduce an AES integration exactlyUse the page when another system specifies a precise combination such as AES-256-CBC with PKCS#7, a hex key, a Base64 IV, and Base64 ciphertext. The separate key, IV, input, and output format controls make it possible to match that contract without rewriting a test harness. Every operation - SubBytes, ShiftRows, MixColumns, AddRoundKey - runs locally in the browser through the aes-js implementation, so the ciphertext never crosses a network boundary and the key never leaves the tab.
Compare modes and padding before choosing oneSwitch between ECB, CBC, CFB, OFB, CTR, and GCM, then try PKCS#7, ZeroPadding, NoPadding, ISO/IEC 7816-4, or ANSI X.923 where padding applies. It makes the padding and mode tradeoffs visible, including why stream-like modes (CFB, OFB, CTR) do not need padding and why ECB leaks patterns. The 16-byte IV requirement for CBC and the recommended 12-byte IV for GCM can both be exercised on the same plaintext.
Generate safe sample material for documentationCreate random keys and IVs in the current display format, encrypt a harmless plaintext, and copy the result as hex or Base64 for README examples, API tickets, or cross-language test vectors. Because the key and plaintext stay inside the browser tab, sample snippets can be built from realistic-looking material without sending production-shaped payloads through a remote encoder.
Diagnose a mismatch with another library's outputWhen Node's crypto, Python's pycryptodome, or Java's javax.crypto produces ciphertext that does not decrypt on the page, switch mode and padding to match the spec, then verify that the IV length, key length, and input encoding line up before changing application code. Common culprits include AES-CBC with PKCS#7 vs. ZeroPadding, or AES-GCM where the receiving service expects the 16-byte auth tag to be appended after the IV+ciphertext rather than separated.
Demonstrate GCM authentication tag handlingEncrypt with GCM, capture the 16-byte auth tag that the page appends after the ciphertext, and confirm the receiving service rejects ciphertext when the tag is truncated or reordered. Tag handling errors usually surface as silent decryption rather than an exception, so exercising the AEAD behavior here catches them before they reach the integration.

Technical Principle

AES (Advanced Encryption Standard) was published by NIST as FIPS 197 in November 2001 after a five-year public competition that started in 1997 with 15 candidates. The winner was Rijndael, designed by Belgian cryptographers Joan Daemen and Vincent Rijmen, beating finalists including Twofish, Serpent, RC6, and Mars. AES replaced DES (FIPS 46, withdrawn in 2005) and is now the world's most widely deployed symmetric block cipher: it sits inside TLS 1.2/1.3, IPsec, BitLocker, FileVault, OpenSSL's default `aes-256-gcm`, the Linux kernel's dm-crypt, Apple's CryptoKit, and Android's Keystore. NSA approved AES-256 for TOP SECRET in 2003 (suite A), making AES the first publicly available cipher cleared for the highest US classification. Block size is fixed at 128 bits (16 bytes); key sizes are 128, 192, or 256 bits, mapped to 10, 12, or 14 rounds. A round (except the last) runs four operations on a 4x4 byte state: SubBytes applies a fixed 16x16 S-Box (0x63 = 01100011 sits at row 6 col 3 — the S-Box is constructed as the multiplicative inverse in GF(2^8) plus an affine transform to break algebraic structure); ShiftRows rotates row 0 by 0, row 1 by 1, row 2 by 2, row 3 by 3 bytes; MixColumns multiplies each column by a fixed circulant MDS matrix over GF(2^8) (the polynomial 0x03 * x in matrix form); AddRoundKey XORs with the round subkey. The final round skips MixColumns. The round keys come from the Rijndael key schedule: 11/13/15 round keys of 128 bits each, generated via RotWord (rotate left by 1 byte), SubWord (apply S-Box), and XOR with Rcon[i] = [0x01, 0x02, 0x04, ..., 0x80, 0x1b, 0x36] *2^(i-1) over GF(2^8). The page's `aes-js` library performs all four steps in pure JavaScript and is byte-compatible with OpenSSL's libcrypto. Five block modes are exposed. ECB encrypts each 16-byte block independently: identical plaintext blocks produce identical ciphertext blocks, leaking structure (the famous ECB-penguin image survives encryption because the pixel pattern survives). CBC XORs each plaintext block with the previous ciphertext block before encryption; the first block XORs with an IV. CTR turns AES into a stream cipher by encrypting an incrementing counter (nonce || counter, both 64-bit halves of a 128-bit block) and XORing the keystream with the plaintext — supports random access and parallel encryption. GCM is CTR plus GHASH (a universal-hash authenticator over GF(2^128)), producing a 16-byte authentication tag appended after the ciphertext. GCM is the default AEAD in TLS 1.3 (RFC 8446) and in most modern APIs (Node `crypto.createCipheriv('aes-256-gcm', ...)`). CFB and OFB are older stream-cipher modes retained for compatibility. The IV pitfall is the most common production bug. GCM with a 96-bit (12-byte) IV is the NIST-recommended configuration (RFC 5288, NIST SP 800-38D §5.2.1.1): the 12-byte IV is treated as a counter, and GHASH is computed over J0 = IV || 0x00000001. Reusing an IV under the same key in CTR mode leaks the plaintext XOR (C1 XOR C2 = P1 XOR P2 — a single chosen-plaintext attack recovers both messages). Reusing an IV in GCM is worse: an attacker can recover the authentication subkey H and forge tags for arbitrary messages (the attack is in Joux 2006 and is the reason NIST banned random 96-bit IVs without strict uniqueness). The page generates 12-byte IVs with `crypto.getRandomValues(new Uint8Array(12))` for GCM and 16-byte IVs for CBC/CFB/OFB, and the random-key button uses the same CSPRNG so every encryption starts with fresh material. This tool runs AES encryption and decryption entirely in the browser using aes-js, a pure-JavaScript AES implementation. There is no Web Crypto / SubtleCrypto fallback path — all operations go through aes-js regardless of payload size.

  • AES is FIPS 197 (2001), selected via an open NIST competition that drew 15 candidates; Rijndael beat Twofish, Serpent, RC6, and Mars. Block size is always 128 bits; key sizes 128/192/256 bits run 10/12/14 rounds. The page supports all three via aes-js's AES_128, AES_192, and AES_256 constructors.
  • The four-step round function: SubBytes (a 256-byte S-Box that is the GF(2^8) inverse plus affine), ShiftRows (rows shifted by 0/1/2/3 bytes), MixColumns (MDS matrix multiplication over GF(2^8) with the 0x03 polynomial), AddRoundKey (XOR with round key). Final round skips MixColumns. Same algorithm, same key = same ciphertext — AES is deterministic.
  • ECB is unsafe because identical plaintext blocks produce identical ciphertext blocks (the famous 'ECB penguin' image preserves its silhouette). CBC is the safe classic; CTR adds parallelism; GCM adds authentication and is the TLS 1.3 default (RFC 8446). CFB and OFB are stream-cipher modes kept for legacy compatibility.
  • PKCS#7 padding: 1 byte short → 15 bytes of 0x0f + 1 byte of 0x10; 2 bytes short → 14 of 0x0e + 2 of 0x0f, etc. The last byte's value is the padding length, so unpadding is unambiguous. Stream modes (CTR/CFB/OFB/GCM) skip padding entirely. ZeroPadding is ambiguous when data ends with 0x00 — do not use it.
  • GCM is AEAD: ciphertext plus a 16-byte authentication tag, computed via GHASH over GF(2^128) using H = AES_K(0^128). AAD (additional authenticated data) covers headers without encrypting them. The 96-bit IV (RFC 5288) is treated as a counter; 128-bit IVs go through a GHASH to derive J0 — same security, slightly slower.
  • IV reuse is catastrophic. CTR IV reuse leaks P1 XOR P2 (two-time pad). GCM IV reuse (Joux 2006) lets an attacker recover H and forge tags. The page generates IVs with `crypto.getRandomValues` (a CSPRNG), never reuses them within a session, and prepends the IV to the ciphertext so the decryption side can recover it without out-of-band state.
  • AES key generation: this tool uses `crypto.getRandomValues` (a CSPRNG provided by the browser) when you click the random-key button. AES round computation runs through aes-js, a pure-JavaScript implementation that is byte-compatible with OpenSSL's libcrypto on the same key, IV, and padding settings.
  • Side-channel reality: pure-JS AES is not constant-time (indexing into the S-Box array leaks timing). Web Crypto's AES runs in native code and is constant-time. For high-stakes workloads (HSM, server-side KDFs) prefer the native path; for an in-browser learning tool, aes-js is fine because the input is already in the page's memory. Migration path: SHA-1 → SHA-256 for hashes, DES → AES for ciphers, ECB → GCM for modes.

Examples

AES-128-CBC Encryption

Plaintext: Hello, World!
Key:       0123456789abcdef0123456789abcdef (32 hex = 128 bit)
IV:        fedcba9876543210fedcba9876543210 (32 hex = 128 bit)
Mode:      CBC / PKCS#7 / 128-bit

The page produces the ciphertext (Base64 and Hex) in the output
panel. Click 'Copy' to capture the value, or 'Swap' to decrypt
it back. The PKCS#7 padding appends 3 bytes (0x03 0x03 0x03) so
the padded plaintext fills one AES block.

FIPS: FIPS 197 defines AES; NIST SP 800-38A defines CBC mode

AES-256-GCM Authenticated Encryption

Plaintext: sensitive data payload
Key:       6f8a3b2c1d9e7f5a4b8c0d2e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a (64 hex = 256 bit)
IV:        1a2b3c4d5e6f708192a3b4c5 (24 hex = 12 bytes, GCM recommended length)
Mode:      GCM / NoPadding / 256-bit / AAD empty

Output format: IV (12B) || Ciphertext || AuthTag (16B)

FIPS: NIST SP 800-38D defines GCM mode; the 96-bit IV is treated as a counter

AES-128-ECB (FIPS 197 Appendix B test vector)

Key:       2b7e151628aed2a6abf7158809cf4f3c (128 bit)
Plaintext: 3243f6a8885a308d313198a2e0370734
Ciphertext (Hex): 3925841d02dc09fbdc118597196a0b32

Mode:      ECB / 128-bit

Note: ECB encrypts each 16-byte block independently. Identical
plaintext blocks always produce identical ciphertext blocks.
FIPS: FIPS 197 Appendix B provides this canonical test vector

Security comparison of AES modes

ECB:  No IV, deterministic, leaks patterns - NEVER use in production
CBC:  Random IV, parallel decryption only, needs HMAC for integrity
CTR:  Counter IV, parallel encryption/decryption, needs MAC
GCM:  Random IV, parallelizable, built-in authentication tag

For new systems, prefer AES-256-GCM:
- 256-bit key resists quantum attacks (Grover's algorithm)
- GCM provides both confidentiality and integrity in one operation
- TLS 1.3 mandates AEAD ciphers like AES-GCM

NIST: NIST SP 800-38A/D documents all these modes

FAQ

What is AES and which key sizes are supported?

AES (Advanced Encryption Standard, FIPS 197) is the symmetric cipher that secures most modern HTTPS, Wi-Fi WPA2, and disk encryption. The page supports 128, 192, and 256-bit keys. AES-128 is fast and secure for almost all uses; pick AES-256 only when you need long-term resistance against future quantum cryptanalysis.

Which mode should I use - ECB, CBC, CFB, OFB, CTR, or GCM?

ECB is insecure for anything but single-block test vectors (it leaks pattern data). CBC and CTR are confidentiality-only and need a separate MAC. GCM is the modern default - it authenticates the ciphertext as well as encrypting it, and it's what HTTPS uses. Pick GCM unless interoperating with a legacy system.

What padding should I use?

PKCS#7 (also called PKCS#5) is the standard padding for ECB and CBC mode. CTR, CFB, OFB, and GCM are stream-style modes that need no padding - the page enforces 'NoPadding' there. If decryption fails with 'bad padding', the most common cause is a mismatched key, IV, or padding setting between the two ends.

Why does the same text encrypt to different ciphertext each time?

Modes other than ECB use an IV (initialization vector) that should be random for each encryption. Same plaintext + same key + different IV → different ciphertext. The IV is not secret - prepend it to the ciphertext - but reusing an IV with the same key in CTR or GCM mode is catastrophic and breaks the encryption.

Is AES quantum-safe?

AES-128 effective security drops to roughly 64 bits against Grover's algorithm on a sufficiently large quantum computer; AES-256 drops to 128 bits. AES-256 is therefore the conservative choice for data that must remain secret for decades. Symmetric AES is much less affected by quantum than RSA/ECC.

Is the encryption done in my browser?

Yes. The page uses the aes-js library (a pure-JavaScript AES implementation) running locally in your browser. Plaintext, keys, and IVs never leave the device. You can confirm with the Network tab.

How do I share a key safely?

Never paste a real production key into any web page, including this one. Treat this tool as a learning aid and a way to validate test vectors. For real key exchange use an asymmetric scheme (RSA-OAEP, ECDH/X25519), a password-derived key with PBKDF2/Argon2 plus salt, or a managed KMS - not 'send the key over chat.'