Encryption Strength

Got into a discussion today where I was asked to compare various forms of encryption against each other. This is pretty much the long-form verbatim reply, which was interesting enough to post:

First off, there are two main categories of encryption algorithms; symmetric and asymmetric. A symmetric algorithm is like a decoder ring; both people have the same key. Taking the postal service as the example, the sender uses a key to lock a package, the package is sent to the receiver, and the receiver uses a copy of the same exact key to re-open the box.

An asymmetric algorithm is a bit of magic; the sender has a public key, and the receiver has a completely different private key. The classic example is that the reciever first sends the sender a lock in the mail, then the sender will lock the package before sending it back. Said another way, the receiver creates both of the keys, and only gives out the public one, which allows encryption, but does not allow decryption. Asymmetric algorithms are also called "public key" cryptography, since they have a public key that may be freely distributed.

Both have advantages and disadvantages. Symmetric encryption can have much smaller key sizes, and because of that, it runs more quickly. Asymmetric encryption runs slowly, and requires large keys, but gives one more layer of security: the private key, required to decrypt any message, has never been sent to any other computer other than the receiver's. In symmetric encryption, if someone gets the key, you need to change the locks; if they get the key and had previously made a copy of your encrypted data, they have your data.

Skipping a bit of the technical details, for symmetric encryption, the US Government uses the AES algorithm, which offers 128, 192, and 256-bit key strengths. Smaller keys are quicker to build and can encrypt/decrypt data faster. Larger keys are exponentially harder to break. AES128 is expected to last at least through 2030; AES192 or AES256 are required by the government for Top Secret information. If the data is going to be important for more than 20 years, consider going with one of the larger key sizes.

RSA is one of the most popular asymmetric algorithms; DSA is another. Digging into a NIST recommendation from 2007, 2048-bit RSA keys will be breakable around 20 years from now, and 3072-bit RSA keys are believed to be equivalent to 128-bit symmetric keys; 15360-bit RSA is both *huge*, and roughly equivalent to a 256-bit symmetric key. From my understanding, RSA and DSA are roughly equivalent in this regard.

Anyways, my knowledge runs down a little bit where the rubber hits the road on this one. My understanding is that Apache's mod_ssl is effectively maxed-out at a 1024-bit RSA key, since not all versions of Internet Explorer will accept a larger key. That's equivalent to - give or take - an 80-bit symmetric key, which will be broken in the next few years; certainly in the next 20. As an important caveat, "broken" means that that particular key was broken; not all keys of that strength. It takes a few million years of CPU-time to break a 1024-bit key, but modestly-sized malware botnets could be utilized to break those keys in days with today's technology.

The (layman's) takeaway: SSL in browsers isn't strongly secure, and other forms of encryption should probably be used for secure data that needs to travel outside of a single corporate network, or that needs to remain secure for more than twenty years.

As a new variant, there are also "elliptic curve" asymmetric algorithms that use far fewer bits, and are used for securely hashing and signing documents; SHA-256 and SHA-384 seem to be about equivalent to AES-128 and AES-192.


佩吳璇佩吳璇 said...


Jimmy Jarred said...

I enjoyed reading the discussion you have posted about the strength of encryption algorithms. Both these types are well known and useful techniques. But asymmetric scheme is widely used in security applications.
e signatures