AES-256 encryption explained simply
AES-256 is the standard used by governments, banks and services protecting the most sensitive data. Here's how it works, why it's unbreakable, and how Seecret.it uses it.
What is AES-256?
AES stands for Advanced Encryption Standard. It's a symmetric encryption algorithm standardized by the US NIST in 2001, after an international contest won by the Belgian algorithm Rijndael against 14 other candidates.
The 256 suffix indicates the key length in bits. AES exists with 128-, 192- and 256-bit keys. The longer the key, the more resistant the cipher is to brute-force attacks.
AES-256 is used by:
- The US government for its TOP SECRET classified data (since 2003)
- Nearly all banks and financial institutions
- iOS, Android and Windows for storage encryption
- HTTPS / TLS to secure the web
- Signal, WhatsApp, ProtonMail for encrypted messaging
- 1Password, Bitwarden, KeePass for password managers
How does AES-256 encryption work?
AES splits your message into 128-bit blocks (16 bytes), then applies a series of mathematical transformations to each block over 14 rounds.
SubBytes
Each byte is replaced by another via a substitution table (S-Box) designed to resist linear cryptanalysis.
ShiftRows
Bytes are rearranged in a 4×4 matrix to disperse their position in the block.
MixColumns
Matrix columns are arithmetically combined in the Galois field GF(2⁸).
AddRoundKey
The block is XORed with a round key derived from the main key, different at each round.
Decryption applies the same operations in reverse, with the same key. It's called symmetric encryption.
Why is AES-256 unbreakable?
A 256-bit key means 2²⁵⁶ possible combinations, approximately 1.15 × 10⁷⁷. For reference:
- Number of atoms in the observable universe ≈ 10⁸⁰
- With a supercomputer testing 1 billion billion keys/second: 3.6 × 10⁵¹ years
- The universe is 1.4 × 10¹⁰ years old — i.e. 40 billion times less than needed
Even against theoretical quantum computers, AES-256 remains resistant: Grover's algorithm halves the effective key length, bringing security to 128 effective bits, still well out of reach.
How Seecret.it uses AES-256
Seecret.it uses AES-256-CBC with the following parameters:
- 256-bit key randomly generated for each secret via WebCrypto
- 128-bit initialization vector (IV), random and unique
- CBC mode (Cipher Block Chaining)
- Client-side encryption: the server never sees plaintext data
- Key embedded in the URL fragment (#), which is never transmitted to the server
Even if the Seecret.it database were entirely compromised, no secret could be read. This is the zero-knowledge model.
The magic of the URL fragment
When you create a secret, the generated link looks like:
https://seecret.it/abc123#7f8a9b2c4d5e6f1a2b3c4d5e6f7a8b9c
The part before # is the secret identifier server-side. The part after # is the decryption key. The HTTP specification is very clear: the fragment part is never sent to the server.
When the recipient clicks the link:
- Their browser loads seecret.it/abc123 (without the key)
- The server returns the encrypted content stored in DB
- Browser JavaScript retrieves the key in window.location.hash
- Content is decrypted locally in the browser
- Secret marked as viewed and deleted server-side
The server thus never knew the key.
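The sender and recipient sides of the flow described above, as an added example using the WebCrypto API (it is not Seecret.it's code). The hex encoding of the key in the fragment, the shape of the stored record and the function names are assumptions made for illustration.

```javascript
// Added example, not Seecret.it's code. Hex key encoding and the record shape are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser / Node 20+ global

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16));

// Sender: encrypt in the browser; only `serverRecord` is uploaded.
async function createSecret(plaintext, id) {
  const key = await wc.subtle.generateKey({ name: 'AES-CBC', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(16)); // fresh 128-bit IV per secret
  const data = new TextEncoder().encode(plaintext);
  const ct = await wc.subtle.encrypt({ name: 'AES-CBC', iv }, key, data);
  const rawKey = await wc.subtle.exportKey('raw', key); // 32 bytes
  return {
    serverRecord: { id, iv: toHex(iv), ciphertext: toHex(ct) },
    link: `https://seecret.it/${id}#${toHex(rawKey)}`, // key lives only in the fragment
  };
}

// The URL the browser actually requests: everything except the fragment.
function requestTarget(link) {
  const u = new URL(link);
  u.hash = '';
  return u.href;
}

// Recipient: read the key from the fragment and decrypt locally.
// CBC gives confidentiality only; it does not detect a modified stored ciphertext.
async function openSecret(link, serverRecord) {
  const frag = new URL(link).hash.slice(1); // window.location.hash in a browser
  if (!/^[0-9a-f]{64}$/i.test(frag)) throw new Error('fragment is not a 256-bit hex key');
  const key = await wc.subtle.importKey('raw', fromHex(frag), { name: 'AES-CBC' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-CBC', iv: fromHex(serverRecord.iv) }, key, fromHex(serverRecord.ciphertext));
  return new TextDecoder().decode(pt);
}
```

A 256-bit key is 64 hex characters in this encoding, so a link whose fragment is shorter or missing is rejected before any decryption is attempted.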