Also known as: AES, Rijndael
The Advanced Encryption Standard (AES) is a symmetric block cipher, standardized by NIST as FIPS-197, that encrypts 128-bit blocks under a 128-, 192-, or 256-bit key.1 It was selected from the Rijndael design of Daemen and Rijmen and is the dominant cipher for secure digital voice.
How it works
AES is a substitution-permutation network. Each round applies four steps to the 128-bit state arranged as a 4×4 byte matrix:
- SubBytes — a fixed S-box substitutes each byte (nonlinear confusion);
- ShiftRows and MixColumns — permute and mix bytes across the block (diffusion);
- AddRoundKey — XOR in a round key derived from the cipher key.
The number of rounds depends on key length: 10 for AES-128, 12 for AES-192, and 14 for AES-256. Decryption runs the inverse steps with the round keys in reverse order. As a symmetric cipher, the same key encrypts and decrypts, so a listener without the key cannot recover the plaintext. A bare block cipher only encrypts one block, so it is used with a mode of operation (CTR, OFB, CBC) to handle streams of data.
Relevance to SDR
AES is the encryption a scanner most often runs into and cannot defeat. P25 systems carry AES-256 (often alongside legacy DES) for secure voice, and DMR equipment offers AES options; in both, AES typically runs in a keystream mode so it behaves like a stream cipher over the audio. GopherTrunk can detect, follow, and log these encrypted calls — it sees the talkgroup, source, and that the traffic is encrypted — but it cannot decode the voice without the key, which is the entire point of the standard. This is the honest boundary of the project: clear and scrambled traffic decode, keyed AES traffic does not.
Sources
-
Advanced Encryption Standard — Wikipedia, for the FIPS-197 standard, Rijndael origin, round structure, and key sizes. ↩