Understanding Cryptographic Strength
Cryptographic strength is expressed in key length or bit length. Keys come in a variety of lengths (e.g. 40-bit, 56-bit and 128-bit). Assuming an inherent strength in the encryption algorithm, a longer key/bit length will make it harder to crack an encrypted message. We refer to bit length because it specifies the number of bits required to write the number of possible keys in binary. Key lengths have increased over time to counteract advances in computing power, which make the cracking of encrypted messages easier.
Key Length | Approximate Number of Keys
40-bit | 1,099,511,627,776
56-bit | 72,057,594,037,927,900
128-bit | 340,282,366,920,938,000,000,000,000,000,000,000,000
Consumers and e-commerce vendors often view encryption as too complex for the average hacker to exploit. Surely any sort of encryption provides enough security to do online banking and shopping, right? Unfortunately, the answer is no. Low-level encryption, using 56 bits or less, is universally deemed too weak for safe financial transactions.
With the computing power available today, it's not cost-prohibitive for hackers to attack 56-bit encryption using brute force, which involves trying every possible key combination until they find the one that converts ciphertext into plaintext.
The difference in security between 40-bit, 56-bit and 128-bit encryption is significant. The progress made in computing technology means that weaker encryption using 40-bit or 56-bit keys can be attacked by brute force and broken in a matter of hours using an average-speed PC. As recently as 1997, the same exercise would have taken days and required the effort of multiple computers and people.
At current computing speeds, 128-bit encryption will take more than a trillion years to attack using brute force, an obstacle that would deter any financially motivated attacker. By contrast, breaking shorter 40-bit or 56-bit encrypted sessions is a relatively small investment for attackers harvesting personal information.
There is a common misconception that digital certificates determine the strength of encryption, and this is reinforced by many Certification Authorities that refer to 40-bit or 128-bit certificates. It is important to understand that encryption strength is normally determined by negotiation between the browser, operating system and a web server before a secure session is established. Only digital certificates enabled with SGC technology are capable of influencing the encryption strength of a session beyond what is agreed between the browser, operating system and server.
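The negotiation described above can be modelled in a few lines. This is an added example, not code from the original article: it shows that the session key length follows from the two peers' cipher-suite lists, with no certificate involved, and that removing weak suites on the server is what prevents a 40-bit or 56-bit session. The suite names follow OpenSSL's legacy naming; the peer lists and the server-preference rule are assumptions made for illustration.

```python
# Constructed table: effective secret-key bits for a few legacy suites.
SUITE_BITS = {
    "EXP-RC4-MD5": 40,
    "DES-CBC-SHA": 56,
    "AES128-SHA": 128,
    "AES256-SHA": 256,
}

def negotiate(client_offer, server_prefs):
    """Return the first suite in the server's preference order that the
    client also offers, or None if the handshake would fail.
    Assumption: the server enforces its own preference order."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None

def audit(client_offer, server_prefs, min_bits=128):
    """Describe the session two peers would agree on. No certificate is
    passed in: the key length comes from the suite lists alone."""
    suite = negotiate(client_offer, server_prefs)
    if suite is None:
        return {"suite": None, "bits": 0, "keyspace": 0, "ok": False}
    bits = SUITE_BITS[suite]
    return {"suite": suite, "bits": bits, "keyspace": 2 ** bits,
            "ok": bits >= min_bits}

# Hypothetical peers (constructed sample data).
PERMISSIVE_SERVER = ["AES256-SHA", "AES128-SHA", "DES-CBC-SHA", "EXP-RC4-MD5"]
HARDENED_SERVER = ["AES256-SHA", "AES128-SHA"]
EXPORT_BROWSER = ["EXP-RC4-MD5", "DES-CBC-SHA"]
MODERN_BROWSER = ["AES128-SHA", "AES256-SHA", "DES-CBC-SHA"]

if __name__ == "__main__":
    for server_name, server in (("permissive", PERMISSIVE_SERVER),
                                ("hardened", HARDENED_SERVER)):
        for client_name, client in (("export", EXPORT_BROWSER),
                                    ("modern", MODERN_BROWSER)):
            r = audit(client, server)
            print(f"{server_name:10} {client_name:7} -> {r['suite']} "
                  f"({r['bits']} bits, ok={r['ok']})")
```

With the hardened list, the export-only browser fails the handshake instead of silently falling back to a key that can be brute-forced.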
Copyright ©2009 PaymentGatewayIntegration.com Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the paymentgatewayintegration.com Terms of use and Privacy Policy.
   