Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
The longer the length of the key, the better, but only up to a certain point. So the longer the key is, the more processing power is needed to operate it while spending more resources.
Longer keys are more difficult to crack, that’s right. Most of today’s symmetric keys are 100 to 300 bits long, because a 100 to 300 bit encryption key is enough for today’s hardware capabilities and system performance.
Even the fastest computer available on the market today fails to crack a 100-bit encryption key within a few minutes, hours or days. If you consider the computers available to the public or to hackers, they would require a very long time to crack a 100-300 bit encryption key.
To crack any type of encryption key, the commonly used attack is brute force, which works through every combination of all available characters in the key until the attack succeeds:
2^256=115792089237316195423570985008687907853269984665640564039457584007913129639936
That’s a very big number to crack for the computers generally available for public use. In the future, when computer capabilities increase enough to crack this type of key in a short period, key sizes will surely increase, but today it’s enough to protect against any stronger system available in the world.
If the encryption key is increased to 1000 bits or longer, it affects the communication process: a bigger key means straightforwardly longer decryption, which means slower communication. This is especially true for internet communication, where the web browser establishes communication after authenticating with the required key and then sends information. Communication would vary, so whenever 300-bit keys become crackable, computer hardware capability will be enough to use stronger encryption keys and handle 1000-bit or larger keys.
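An added example, not from the original post or from any participant in this thread, that works through the search-space arithmetic above. A toy keyed stream built from SHA-256 stands in for a real cipher (it is constructed for the demo and is not a cipher anyone should use) so that 10- to 18-bit keys can actually be exhausted and the doubling per key bit can be measured; the attacker rate of 1e18 guesses per second is an assumption used only to extrapolate to 128- and 256-bit keys, and the `grover` flag is the example's own caveat for the square-root speed-up a quantum attacker would get from Grover's algorithm.

```python
"""Brute-force work factor versus key length (constructed demonstration)."""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def toy_encrypt(key: int, bits: int, plaintext: bytes) -> bytes:
    """Toy cipher for the demo only: XOR plaintext with SHA-256(key) as keystream."""
    key_bytes = key.to_bytes((bits + 7) // 8, "big")
    stream = hashlib.sha256(b"toy-cipher-demo:" + key_bytes).digest()
    if len(plaintext) > len(stream):
        raise ValueError("demo plaintext must fit in one 32-byte keystream block")
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def brute_force(bits: int, plaintext: bytes, ciphertext: bytes):
    """Known-plaintext exhaustive search over every `bits`-bit key.

    Returns (key, attempts); key is None if nothing matched.
    """
    for candidate in range(1 << bits):
        if toy_encrypt(candidate, bits, plaintext) == ciphertext:
            return candidate, candidate + 1
    return None, 1 << bits


def expected_seconds(bits: int, guesses_per_second: float, grover: bool = False) -> float:
    """Average time to find one key by exhaustive search.

    Half the key space is searched on average. Grover's algorithm on a quantum
    computer needs about 2**(bits/2) evaluations instead of 2**bits, i.e. it
    halves the effective key length, which is why guidance that anticipates
    quantum attackers prefers AES-256 over AES-128.
    """
    effective_bits = bits / 2 if grover else bits
    return (2 ** effective_bits) / 2 / guesses_per_second


def expected_years(bits: int, guesses_per_second: float, grover: bool = False) -> float:
    return expected_seconds(bits, guesses_per_second, grover) / SECONDS_PER_YEAR


if __name__ == "__main__":
    plaintext = b"attack at dawn!!"   # 16 bytes, constructed
    print("bits  key      attempts  seconds  (each extra bit doubles the average work)")
    for bits in (10, 14, 18):
        key = (1 << bits) - 1          # worst case: the last key the loop tries
        ciphertext = toy_encrypt(key, bits, plaintext)
        start = time.perf_counter()
        found, attempts = brute_force(bits, plaintext, ciphertext)
        elapsed = time.perf_counter() - start
        assert found == key
        print(f"{bits:4d}  {key:7d}  {attempts:8d}  {elapsed:7.3f}")

    # Extrapolate to real key sizes. The rate is an assumption standing in for
    # a very large dedicated key-search farm, not a measured figure.
    rate = 1e18
    for bits in (56, 80, 128, 256):
        print(f"{bits:4d}-bit key at {rate:.0e} guesses/s: "
              f"{expected_years(bits, rate):.3g} years "
              f"(with Grover: {expected_years(bits, rate, grover=True):.3g} years)")
```

Running it shows the attempt count quadrupling from 10 to 12 bits and the wall-clock time tracking it, then the extrapolation: at the assumed rate a 128-bit key averages on the order of 10^12 years and a 256-bit key on the order of 10^51, which is the "longer than the universe has existed" figure mentioned later in the thread. The Grover column shows why a 256-bit key is the conservative choice against a quantum attacker: its effective strength drops to that of a 128-bit key, which is still far out of reach.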
It’s great that you brought up the importance of the communication process. The trade-off between processing speed and security level is a good example of why we don’t want to go over 300 bits. It will be interesting to see the future capacity of computers that can crack more than 300 bits fast enough.
Hi Mohammed,
I completely agree with you on your detailed analysis of symmetric keys and couldn’t agree more. In spite of this, one might cynically argue that by using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it. Once the intended recipient who possesses the key has the message, the algorithm reverses its action so that the message is returned to its original and understandable form. The secret key that the sender and recipient both use could be a specific password/code, or it can be a random string of letters or numbers that has been generated by a secure random number generator (RNG).
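An added example, not from the original post or from the poster, illustrating the last point: a long key is only as strong as the process that chose it. Both keys below are 256 bits. One is derived from a user-chosen password with PBKDF2-HMAC-SHA256, the other comes from the OS CSPRNG, and both authenticate the same message with HMAC so an attacker holding one (message, tag) pair can test guesses offline. The iteration count, salt, message and eight-entry word list are all constructed for the demo, and the function names and the `effective_strength_bits` rule of thumb are the example's own.

```python
"""Key length versus key entropy (constructed demonstration)."""
import hashlib
import hmac
import math
import secrets

KEY_BYTES = 32          # 256-bit keys in both cases
KDF_ITERATIONS = 1000   # deliberately low so the demo runs fast; real deployments use far more

# Constructed word list standing in for a real leaked-password dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2021!",
            "hunter2", "Welcome1", "P@ssw0rd"]


def key_from_password(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_BYTES)


def key_from_rng() -> bytes:
    """A 256-bit key from the OS CSPRNG: every bit is unpredictable."""
    return secrets.token_bytes(KEY_BYTES)


def authenticate(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, "sha256").digest()


def guess_key_from_wordlist(salt: bytes, message: bytes, observed_tag: bytes, wordlist):
    """Offline dictionary attack: the attacker knows the KDF and salt and one tag.

    Returns (password, key, attempts) on success, else (None, None, attempts).
    """
    for attempts, candidate in enumerate(wordlist, start=1):
        key = key_from_password(candidate, salt)
        if hmac.compare_digest(authenticate(key, message), observed_tag):
            return candidate, key, attempts
    return None, None, len(wordlist)


def effective_strength_bits(key_bits: int, generation_entropy_bits: float) -> float:
    """A key is no stronger than the process that selected it."""
    return min(key_bits, generation_entropy_bits)


def run_demo() -> dict:
    message = b"transfer 100 to account 42"   # constructed sample message
    salt = b"\x00" * 16                         # constructed fixed salt (salts are not secret)

    # Case 1: 256-bit key derived from a password that happens to be in the list.
    weak_key = key_from_password("Summer2021!", salt)
    tag = authenticate(weak_key, message)
    password, recovered, attempts = guess_key_from_wordlist(salt, message, tag, WORDLIST)

    # Case 2: 256-bit key from the CSPRNG; the same attack has nothing to enumerate.
    strong_key = key_from_rng()
    tag2 = authenticate(strong_key, message)
    password2, _, _ = guess_key_from_wordlist(salt, message, tag2, WORDLIST)

    return {
        "recovered_password": password,
        "recovered_key_matches": recovered == weak_key,
        "attempts": attempts,
        "password_key_bits": len(weak_key) * 8,
        "password_effective_bits": effective_strength_bits(len(weak_key) * 8,
                                                           math.log2(len(WORDLIST))),
        "rng_key_bits": len(strong_key) * 8,
        "rng_effective_bits": effective_strength_bits(len(strong_key) * 8, len(strong_key) * 8),
        "rng_attack_succeeded": password2 is not None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:25s} {value}")
```

The password-derived key is nominally 256 bits but falls in five guesses, because the attacker only has to enumerate the password choices (about 3 bits of entropy for this eight-entry list), not the key space. The CSPRNG key of the same length survives the same attack, and no practical number of guesses would change that. For the thread's question this is the caveat that matters more than going from 256 to 1,000 bits: the key-space arithmetic only holds if the key was actually drawn uniformly from that space.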
I agree that the longer the length of the key is the better (up to a certain point). I think this is an important distinction to make, so organizations can properly navigate how and when to allocate resources towards upgrading their systems if they want to.
Hello Zijan, I would rather say the longer the length of the key, the more complicated the algorithm, and the more work time required for an intending attacker to compromise the algorithm. A longer key length may not necessarily be better based on the issue at hand because it requires more processing power from the CPU, which may, in turn, harm other functionalities within the system. Processing power not efficiently allocated may result in the system slowing down or shutting down.
Modern systems currently do not employ 1,000-bit symmetric keys due to the excessive computer processing power it would take to encrypt and decrypt the symmetric key session. While a 1,000-bit key would be more secure, in theory so would disconnecting a computer entirely from the internet; but this would render the device useless for daily tasks. To that end, we must balance security functions such as cryptography with other processes (internet access) competing for the computer’s processing power like RAM.
Hi Kelly,
I really like your comparison between the 1000 bit encryption key and disconnecting a computer from the entire internet. When using a system, it is important to evaluate the type of encryption needed based on the value of the information. Like you said, there needs to be balance between security controls and the critical primary storage running the machine.
I agree with your point. It makes sense for a system to use a minimum key length for a given threat. 1,000-bit keys require more processing power for a computer to handle, but it is not possible to break this encryption quickly in a short period of time. The longer the key, the more processing power and RAM is needed to run it. Although 1,000-bit keys may seem like a large number and more secure, the longer they take to encrypt and decrypt. Too many keys can make the device unusable for everyday tasks.
An extremely succinct explanation of cost/benefit of an action. If it takes too long to encrypt (and conversely decrypt), then people won’t use the function!
It’s interesting because attackers make processing and encryption counter-intuitive. As technology advances, so do attackers and so do the defenders. Ultimately an organization would decide how much impact their devices would have and how much availability they want to sacrifice in terms of encryption, because the more secure the bit key, the more availability you must sacrifice.
The reason most keys do not use 1000 bit or more keys is due to RAM and processing speed. The longer the symmetric key the longer it will take to encrypt/decrypt and most computers would not be able to process keys longer than 300 bits due to the processor and the allocated RAM. For this reason, it is best to go with 256 bit as it is the minimum amount that is most secure and does not greatly impact processing time.
I appreciate the detail of your post. It helps to illustrate the resource trade-offs that come with larger keys. I am curious to see how the availability of quantum computing affects this and how feasible it will be for individuals to access this technology.
I am also curious about quantum computing in regards to encryption. Theoretically we could have individuals capturing encrypted data and holding it until a point is reached where the standards we have today can be cracked. This really presents us with the problem of how you ensure your sensitive data can stay secure years into the future. If we establish some sort of quantum encryption method, I believe that would be the only way of ensuring this.
I think, given that the current infrastructure set in place for security standards is 100-300 bits, it is sufficient for the time being; however, a reform is always set to take place, especially in the tech industry, which is constantly changing and innovating. It’s just a matter of when for 1000 bits.
Hello Dhaval, concerning your statement that “The longer the symmetric key, the longer it will take to encrypt/decrypt, and most computers would not be able to process keys longer than 300 bits due to the processor and the allocated RAM”: rightly said. Systems are designed to ensure that the strength/processing speed of the CPU is efficiently allocated between several other services and functionalities. The longer the key length, the more processing power is required and the less is left for other functions, leading to system slowdown or disruption.
Longer keys require more resources, which limits their usage due to the computational costs. It is estimated that the length of time required to brute force AES 256 amounts to longer than the known universe has existed. Given the strength of this standard, and the increased costs of longer keys, there isn’t much incentive to increase key length.
Great points Matthew,
The time length required to crack AES-256 encryption with a brute forcer is not a realistic scenario with modern technology that a normal individual could obtain as far as we know. Because of this, there really is no need to increase the key length at this time, especially since it would likely render systems unusable because of the required resource tradeoffs to implement that much more security. Instead of this avenue, layered security controls should be implemented elsewhere rather than to pointlessly increase the key length.
Hey Matt, good that you mention the cost increase, which wouldn’t be necessary for 1,000-bit symmetric keys. It is not really a practical approach to add more funds when what you already have (100-300 bits) meets the security obligations considered necessary.
I definitely agree with your point. Considering the level of security already provided, it does not really make much sense from an organization’s perspective to waste additional time/resources to create longer keys when 100-300 bits is perfectly sustainable.
The longer the keys are, the more secure they are considered. However, the longer key takes more time and resources to decrypt, and the resources would also be more costly.
Most symmetric keys today are between 100 to 300 bits because of the ever-present issue with implementing just about any security control/function: there is always a tradeoff in one way or another between security and other limiting factors based on the relevant resources. With symmetric keys, 100 to 300 bits is a very reasonable level of security because it is unreasonable to brute-force the encryption key based on the unreasonable amount of time it would take to do so. At the same time, it does not require a heavy amount of processing to encrypt and decrypt these keys. While a 1,000 bit encryption key would surely be more secure, it would not matter in practice as it would be an unusable system (for average daily-used systems, that is). Thus, a proper security-usability balance is achieved with a standard encryption key comprised of 100-300 bits.
I like how you point out that even though a length of 1,000 bit symmetric key would be more secure, the tradeoffs in terms of processing time may not be worth it. I do agree that 100-300 bits is good enough for now, and I wonder if any companies are aware that eventually they may have to devote resources to upgrade their systems in this space when the time comes.
Symmetric keys are just shared with the parties involved, which also offers high security and confidentiality of the data. Even though longer keys would be harder to crack, computers’ capacity also matters. Symmetric keys means that the same key is used to encipher and decipher the web traffic.
The processing capacity of the devices is not able to encrypt/decrypt such long keys. The communication and the data being transferred would be slowed down or fail if the symmetric keys exceed the capacity limit.
I agree with your points, and would like to add that at a certain point the length of a key can be considered ‘good enough’. Things like processing capacity, speed of data transfer and sensitivity of data could be factors when considering whether or not a symmetric key should be of a certain length.
I agree with your assessment regarding “good enough” security controls. I think some security professionals become hyperfocused on securing at all costs, often to the detriment of users being able to perform their tasks comfortably and ultimately for the business’s overall success. Cryptography highlights the balance between functionality and security. Thanks for sharing your thoughts.
Hello Kelly. Well phrased, ” Cryptography highlights the balance between functionality and security.”, This is true because other essential security controls would also be running within the system, which may become ineffective if adequate processing capacity is not efficiently allocated to them. As the saying goes, it is not based on the strength of control but on its effectiveness and ability to deter breaches.
While longer symmetric keys are more difficult to crack, using a longer symmetric key (for example, 1,000 bits) would lead to significant overhead on systems performing the decryption. For this reason, having a 100 to 300 bit symmetric key in many cases can be considered ‘good enough’ depending on the type of data that it is encrypting, keys longer than 300 bits long would have diminishing returns.
Good point on keys longer than 300 bits having diminishing returns. It ultimately takes us back to the fundamental cybersecurity question of what controls to implement vs the cost to implement those controls. Everything is a trade off, and keys longer than 300 bits don’t seem to justify the cost.
The longer the length of the key, the more processing power required. Based on the excessive computer processing power necessary to encrypt and decrypt asymmetric key sessions with extreme lengths, today’s central processing units (CPU) lack the capacity and would not deploy 1,000-bit symmetric keys.
Secondly, there would always be an urgent need to create an equilibrium between other security functionalities requiring processing power within the endpoint device. So, even though symmetric keys of that length would provide more security by creating more work time for the attacker, the processing power needed would create disruptions and possibly shut down the endpoint device.
Although longer encryption keys are much more difficult to crack, and are therefore extremely secure, it is neither logical nor practical to have highly complicated bit keys due to the impact it would have on transmitters and receivers. Complicated encryption keys and algorithms take up significant processing space within transmitting and receiving devices, increasing the time it takes for data/messages to be sent through the network. From a business standpoint, this would drastically slow operations and potentially render encryption useless. This same concept is seen when business owners need to define which data requires stronger encryption algorithms and which does not; by applying strong algorithms across the board, overall system performance and message transmission will be severely impacted.
I like how you expanded on how the limitations of more robust cryptography can impact both hardware resources and the business at a macro level. As security professionals, I believe this is a critical skill to possess to be able to understand how technical problems may affect various business operations. Further how our security controls may inadvertently disrupt the organization. I always say security operations cannot be adverse to business operations. Very thoughtful post!
Increasing the length of a key comes at a price in terms of the processing power it takes to encrypt and decrypt with the key. So while a key length of 1000 bits would be extremely secure, the current processing speed and hardware that we have now would be put under a lot of stress in handling this encryption. Therefore, there is a point of diminishing returns when increasing the length of a symmetric key. At this point in time it is best to have a key length of 100-300 bits.
The longer the key, the more handling force and RAM it may need to perform its routine operations. Therefore, it speaks well for systems to use the base key length for any intended threat, and 100 to 300 bits is deemed to be hugely strong at this time. Modern-day systems currently don’t make use of 1,000-bit symmetric keys because of the unnecessary computer handling power it would take to encrypt and decrypt the symmetric key meeting. While a 1,000-bit key would be more secure, in theory so would disconnecting a computer completely from the internet; but this would render the gadget useless for day-by-day tasks. To that end, we must adjust security functions like cryptography with other cycles (internet access) competing for the computer’s handling power like RAM. The explanation most keys don’t use 1000-bit or longer keys is RAM and handling speed. The longer the symmetric key, the longer it will take to encrypt/decrypt, and most computers would not have the option to process keys longer than 300 bits because of the processor and the allocated RAM. Therefore, it is best to go with 256 bits, as it is the base amount that is most secure and doesn’t greatly impact handling time. Longer keys are more cumbersome to crack, that’s right; most of today’s symmetric keys are 100 to 300 bits long, because a 100 to 300 bit encryption key is enough for today’s hardware capabilities or system execution. Even the fastest computer accessible on the market today is unable to crack a 100-bit encryption key within barely a few minutes, hours or a day. If you think about the computers accessible out in the open or to programmers, they would require an extremely long time to crack a 100-300 bit encryption key.
To crack any type of encryption key, the regularly used attack is brute force, which works completely through combinations of all accessible characters in the key until the attack is fruitful. In case the encryption key is increased to 1000 bits or longer, it can effect changes on the communication process: a greater key means straightforwardly longer decryption, which implies slower communication, especially for internet browser communication, where the browser establishes communication after authenticating with the required key and then sends information. Communication will differ, so at whatever point 300-bit keys are crackable, computer hardware capability will be enough to use strong encryption keys and handle 1000-bit or larger keys.
I like the comparison that turning off a computer is the equivalent of using a 1000-bit key; in both situations the computer is ultimately useless. As you said, most modern-day systems can’t go past 300 bits, but it makes me think: will processing power and RAM be innovated enough one day to handle 1000-bit keys?
1,000 bit keys require more powerful computers to process, but it is impossible to break this encryption quickly in a short period of time. The longer the key, the more processing power and RAM is required to run. Therefore, it makes sense for the system to use the minimum key length for a given threat. At this time, 100 to 300 is considered very powerful. Most computers will not be able to handle keys longer than 300 bits. Too many keys will make the device unusable for everyday tasks. Although a 1,000-bit key may seem like a large number and more secure, the longer it takes to encrypt and decrypt.
Bits scale with resources required to actually decrypt and encrypt information. Since it is computationally infeasible to implement 1000 bit algorithms at this current period of time it would not provide any benefit for organizations to implement at 1000 bit unless there was some sort of next-level computer that could implement 1000 bit symmetric encryption while not limiting availability.
Hey Michael,
That’s definitely true: if there is no next-level computer that could encrypt and decrypt 1000-bit keys, then it’s not useful to use them, as it would affect the availability of the resources within the company.
Great analysis and yes we are good with 300 bits long. The computers are not made to process longer keys at the moment. This 100-300 is good enough to encrypt and decrypt information right now. It might or will change soon.
I believe as technology evolves, we would at some point upgrade to longer symmetric keys (1,000 bits), but as of now these 100 to 300 bit keys are strong enough to encrypt a message or data. The computers we have now won’t support 1000-bit symmetric keys because of the excessive processing power required to encrypt or decrypt a message and also the costs associated with it.
The way technology is constantly evolving these days, upgrading the RAM and processing power to support 1,000-bit symmetric keys is bound to happen in the future.
Hello Ornella, your response makes a lot of sense. Information systems are rapidly changing, so it is only logical that the security tools and practices we use will have to change at the same pace (at least) in order to successfully secure them and mitigate the threats that they will undoubtedly have to contend with.
I don’t believe we have evolved enough in this field to successfully implement 1000 bit keys. I believe that as we progress, 1000 bit keys will be more beneficial and attainable, but 100-300 bit keys are good enough for us at this moment. 1000 bit keys would require a very high amount of processing power and some CPUs may not have the capacity for these messages.
I agree with you. The longer the keys, the more power we need to process them. At the moment, we are good with 300 bits long. When the time comes, then we will upgrade, and I am pretty sure it will come soon. Technology is evolving and lots of things are changing, so there will be no surprises if that happens.
It’s a balance between availability and confidentiality. Each bit adds to the processing power and time required to generate and decrypt the key. A 1000 bit key would slow down the system unnecessarily, since a 100-300 bit key is already considered strong. If you’re that concerned a key might be hacked, I’d consider other mitigating controls such as MFA, segmentation, or air gapping.
I agree with you in that I believe a 1000 bit key is just unnecessary at this time. Instead of adding that many bits, mitigation controls that you mentioned such as segmentation are a more reasonable option. I believe that as we progress, 1000 bit keys will be more beneficial and attainable, but we’re not quite there yet.
With today’s technology, longer keys are more difficult to crack. Keys that are 100 to 300 bits long are strong enough for the current time. A brute force attack against a 256-bit key is very difficult and time consuming. Having a 1,000-bit key would definitely make the encryption much stronger, but the computers now would not have the processing power to decrypt the document/data in a timely manner. The 1,000-bit key would drastically slow down the decryption time.
I like the way you added the caveat ‘for the current time’. I think that is one of the key tenets of the discussion – how secure is secure enough today? 20 years ago we didn’t even encrypt things, 10 years ago the keys were much smaller/weaker. 10 years from now I am sure that 1000 bits might seem trivial to crack!
Great question, how secure is secure today. With the amount of attacks that go on in today’s world, we need to make sure we are as secure as ever. 10 years from now, a super computer may be out there to crack a 1000 bit.
The purpose of symmetric keys is to encrypt and decrypt electronic information. The longer the symmetric key the better would appear to be the logical approach to make it more difficult to crack, but the disadvantage is that it would cause a strain on memory storage space and may also be a financial burden. 100-300 bit keys are sufficient against cryptographic attacks, so 1,000 is not necessary.
There are a number of reasons for this. First one is that it is not necessary for it to be that long at least for the time being as we are currently having symmetric keys that are 100 bits deemed very secure. Another reason would be that there is not enough computing power to encrypt and decrypt a symmetric session key with 1000 bit keys. Lastly it would take too long to encrypt and decrypt a 1000 bit key as it is not practical especially for day to day tasks, so there won’t be an application for it even if it was possible.
It’s true, longer keys are more difficult to crack; however, one would certainly run into issues with computer processing power if they attempted to set up 1000-bit keys. Encryption and decryption for a 1000-bit key would simply be too much to ask of these current systems, so while yes, we want a long key that is difficult to crack, we also want to make sure the resources in place can handle the job.
The cost to process a symmetric key is best measured in CPU cycles or computer processing time. In order for existing systems to easily support symmetric encryption the industry has settled on 100-300 bit keys as being the ‘sweet spot’ between protection and convenience. More secure (1000 bit keys) will consume too many CPU cycles and impact system performance. This would require either an acceptance of a lesser rate of performance in a system or the purchase of more powerful compute platforms that could more rapidly process 1000 bit keys. The requirement for security has not yet reached that point – to require 1000 bit keys and trigger that incremental expenditure on computer processing power.
Thanks for sharing, Richard! I wonder if a case could be made to utilize a key length in excess of 300 bits for a system or application that is used solely as a repository for storing sensitive information, such as PII. I believe you could potentially make a case in this scenario that confidentiality of the data exceeds the need for performance, since data is only being stored and limited and/or zero processing is performed within the repository.
Simply put, deploying 100-300 bit keys is considered best practice in order to deter attacks, such as brute force, because it’s generally difficult to compromise keys of this size. The utilization of keys exceeding 300 bits, which in this scenario is 1,000, will result in wasted resources in the CPU which should be allocated to other functions that are responsible for optimizing and supporting system performance.
Systems do not use far longer bit keys such as 1,000 bit keys due to the time and speed it takes to encrypt and decrypt. However, a system that utilizes 100-300 bit keys is necessary due to security protocols, protection, and fast enough speed.
Systems do not use longer symmetric keys such as 1,000-bit keys because it is not feasible. It would require more processing power and random access memory (RAM), as well as more resources.
While longer keys may be more difficult to crack and thus more secure, the reason that they are typically 100-300 bits long is due to network processing and encryption time. As the symmetric keys double in size, encryption may take 6 to 7 times longer, making it extremely inefficient/unmanageable to use larger keys. Having smaller keys allows for much more efficient utilization, and thus increased performance.
zijian ou says
The longer the length of the key, the better, but only up to a certain point. So the longer the key is, the more processing power is needed to operate it while spending more resources.
Mohammed Syed says
Longer keys are more difficult to crack its right, most of the today’s symmetric keys are 100 to 300 bit long, due to current encryption key 100 to 300 is enough for today’s hardware capabilities or system performance.
if consider fastest computer available in current situation in market is also failure to crack 100bit encryption key within few min hours or day. if think about what computer available in public or hackers then they required very long time to crack 100-300 bit encryption key.
To crack any type of encryption keys commonly used brute-force attack, it fully work on combination of all available character in key to possibilities of successful attack,
2^256=115792089237316195423570985008687907853269984665640564039457584007913129639936
That’s a very big number to crack this encryption to computer generally available for public usage, in future when computer capabilities increases to crack this type of key in short period then surely key sizes will increase but today it’s enough for protect from any stronger system available in world.
If encryption is increase 1000 bit or more long they can effect on communication process, bigger key means straight forward longer decryption means slower communication, this is specially for communication of internet web browser establish communication after the authenticate required key and send information. Communication will be vary so whenever 300 bit crackable that time computer hardware capability of enough for use strong encryption keys for hander 1000 bit or more size keys.
Miray Bolukbasi says
Hi Mohammed,
It’s great that you brought it up the communication process importance. The trade off between speed in process and security level is a good example why we don’t want to go over 300 bits. It will be interesting to see the future capacity of computers that can crack more than 300 bits fast enough.
kofi bonsu says
Hi Mohammed,
I completely agree with you on your detailed analysis on symmetric keys and couldn’t agree more. In spite of this, one might cynically argue that by using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it. Once the intended recipient who possesses the key has the message, the algorithm reverses its action so that the message is returned to its original and understandable form. The secret key that the sender and recipient both use could be a specific password/code or it can be random string of letters or numbers that have been generated by a secure random number generator (RNG.
Andrew Nguyen says
Hi Zijian,
I agree that the longer the length of the key is the better (up to a certain point). I think this is an important distinction to make, so organizations can properly navigate how and when to allocate resources towards upgrading their systems if they want to.
Thanks for sharing your thoughts!
Best,
Andrew
Olayinka Lucas says
Hello Zijan, I would rather say the longer the length of the key, the more complicated the algorithm, and the more work time required for an intending attacker to compromise the algorithm. A longer key length may not necessarily be better based on the issue at hand because it requires more processing power from the CPU, which may, in turn, harm other functionalities within the system. Processing power not efficiently allocated may result in system slow or shut down.
Kelly Sharadin says
Modern systems currently do not employ 1,000-bit symmetric keys due to the excessive computer processing power it would take to encrypt and decrypt the symmetric key session. While a 1,000-bit key would be more secure, in theory so would disconnecting a computer entirely from the internet; but this would render the device useless for daily tasks. To that end, we must balance security functions such as cryptography with other processes (internet access) competing for the computer’s processing power like RAM.
Lauren Deinhardt says
Hi Kelly,
I really like your comparison between the 1000 bit encryption key and disconnecting a computer from the entire internet. When using a system, it is important to evaluate the type of encryption needed based on the value of the information. Like you said, there needs to be balance between security controls and the critical primary storage running the machine.
Dan Xu says
Hi Kelly,
I agree with your point. It makes sense for a system to use a minimum key length for a given threat. 1,000 bit keys require more processing power for a computer to handle, but it is not possible to break this encryption quickly in a short period of time. The longer the key, the more processing power and RAM is needed to run it. Although 1,000-bit keys may seem like a large number and more secure, the longer it takes to encrypt and decrypt them. Too many keys can make the device unusable for everyday tasks.
Richard Hertz says
An extremely succinct explanation of cost/benefit of an action. If it takes too long to encrypt (and conversely decrypt), then people won’t use the function!
Michael Duffy says
It’s interesting because attackers make processing and encryption counter-intuitive. As technology advances, so do attackers and so do the defenders. Ultimately, an organization would decide how much impact their devices would have and how much availability they would want to sacrifice in terms of encryption, because the more secure the bit-key, the more availability you must sacrifice.
Dhaval Patel says
The reason most keys do not use 1000 bit or more keys is due to RAM and processing speed. The longer the symmetric key the longer it will take to encrypt/decrypt and most computers would not be able to process keys longer than 300 bits due to the processor and the allocated RAM. For this reason, it is best to go with 256 bit as it is the minimum amount that is most secure and does not greatly impact processing time.
Matthew Bryan says
Dhaval,
I appreciate the detail of your post. It helps to illustrate the resource trade-offs that come with larger keys. I am curious to see how the availability of quantum computing affects this and how feasible it will be for individuals to access this technology.
Ryan Trapp says
Hi Matt,
I am also curious about quantum computing with regard to encryption. Theoretically, we could have individuals capturing encrypted data and holding it until a point is reached where the standards we have today can be cracked. This really presents us with the problem of how you ensure your sensitive data can stay secure years into the future. If we establish some sort of quantum encryption method, I believe that would be the only way of ensuring this.
Wilmer Monsalve says
I think that, given the current infrastructure set in place for security standards being 100-300 bits, it is sufficient for the time being; however, a reform is always set to take place, especially in the tech industry, which is constantly changing and innovating things. It’s just a matter of when for 1000 bits.
Olayinka Lucas says
Hello Dhaval, concerning your statement that “The longer the symmetric key, the longer it will take to encrypt/decrypt, and most computers would not be able to process keys longer than 300 bits due to the processor and the allocated RAM”: rightly said. Systems are designed to ensure that the strength/processing speed of the CPU is efficiently allocated between several other services and functionalities. The longer the key length, the more processing power required and the less for different functions, leading to system slowdown or disruption.
Matthew Bryan says
Longer keys require more resources, which limits their usage due to the computational costs. It is estimated that the length of time required to brute force AES 256 amounts to longer than the known universe has existed. Given the strength of this standard, and the increased costs of longer keys, there isn’t much incentive to increase key length.
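The "longer than the universe has existed" estimate above can be checked with exact integer arithmetic. This is an added example, not code from the thread; the guess rate (10^18 guesses per second) and the age-of-the-universe figure are assumptions chosen for illustration, and the example also shows why each extra bit doubles the attacker's work, so the jump from 256 to 1,000 bits buys nothing an attacker could ever exploit.

```python
"""Expected brute-force cost of a symmetric key as a function of its length.

Added example (not from the original discussion). All rates and the
age-of-universe figure are constructed assumptions for illustration.
"""
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600          # 31,536,000 (ignores leap years)
UNIVERSE_AGE_YEARS = 13_800_000_000         # assumed: roughly 13.8 billion years


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2**bits (exact integer)."""
    return 1 << bits


def expected_guesses(bits: int) -> int:
    """Average guesses needed to hit a uniformly random key: half the keyspace."""
    return keyspace(bits) // 2


def brute_force_years(bits: int, guesses_per_second: int) -> Fraction:
    """Expected years to brute-force the key at a constant guess rate.

    Returned as an exact Fraction so that very large key lengths do not
    overflow or lose precision the way floats would.
    """
    return Fraction(expected_guesses(bits), guesses_per_second * SECONDS_PER_YEAR)


def universe_ages(bits: int, guesses_per_second: int) -> Fraction:
    """Expected brute-force time expressed in multiples of the universe's age."""
    return brute_force_years(bits, guesses_per_second) / UNIVERSE_AGE_YEARS


def bits_breakable_within(years: int, guesses_per_second: int) -> int:
    """Largest key length whose *expected* brute-force time fits in `years`.

    Useful for the inverse question: how long a key does a given attacker
    budget actually threaten?
    """
    budget = years * SECONDS_PER_YEAR * guesses_per_second   # total guesses
    bits = 0
    while expected_guesses(bits + 1) <= budget:
        bits += 1
    return bits


if __name__ == "__main__":
    rate = 10**18   # assumed: a billion billion key guesses per second
    for bits in (56, 100, 128, 256, 1000):
        ages = universe_ages(bits, rate)
        print(f"{bits:5d}-bit key: {float(ages):.3e} universe ages")
    # Each additional bit doubles the cost, so 1000 vs 256 bits is 2**744 times
    # more work, and 256 bits was already far beyond any realistic budget.
    print("breakable in 1 year:", bits_breakable_within(1, rate), "bits")
    print("breakable in universe age:",
          bits_breakable_within(UNIVERSE_AGE_YEARS, rate), "bits")
```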
Antonio Cozza says
Great points Matthew,
The time length required to crack AES-256 encryption with a brute forcer is not a realistic scenario with modern technology that a normal individual could obtain, as far as we know. Because of this, there really is no need to increase the key length at this time, especially since it would likely render systems unusable because of the required resource tradeoffs to implement that much more security. Instead of this avenue, layered security controls should be implemented elsewhere rather than pointlessly increasing the key length.
Christopher Clayton says
Hey Matt, good that you mention the cost increase, which wouldn’t be necessary for 1,000 symmetric keys. Not really a practical approach to add more funds when what you already have (100-300) meets the security obligations considered necessary.
Alexander William Knoll says
Matt,
I definitely agree with your point. Considering the level of security already provided, it does not really make much sense from an organization’s perspective to waste additional time/resources to create longer keys when 100-300 bits is perfectly sustainable.
Vraj Patel says
The longer the keys are, the more secure they are considered. However, decrypting the longer key takes more time and resources, and the resources would also be more costly.
Jason Burwell says
Hey Vraj,
I agree that in the end trying to use the much longer keys would end up being costly to the business.
Antonio Cozza says
Most symmetric keys today are between 100 to 300 bits because of the ever-present issue with implementing just about any security control/function: there is always a tradeoff in one way or another between security and other limiting factors based on the relevant resources. With symmetric keys, 100 to 300 bits is a very reasonable level of security because it is unreasonable to brute-force the encryption key based on the unreasonable amount of time it would take to do so. At the same time, it does not require a heavy amount of processing to encrypt and decrypt these keys. While a 1,000 bit encryption key would surely be more secure, it would not matter in practice as it would be an unusable system (for average daily-used systems, that is). Thus, a proper security-usability balance is achieved with a standard encryption key comprised of 100-300 bits.
Andrew Nguyen says
Hi Antonio,
I like how you point out that even though a length of 1,000 bit symmetric key would be more secure, the tradeoffs in terms of processing time may not be worth it. I do agree that 100-300 bits is good enough for now, and I wonder if any companies are aware that eventually they may have to devote resources to upgrade their systems in this space when the time comes.
Thanks for sharing your thoughts!
Best,
Andrew
Miray Bolukbasi says
Symmetric keys are simply shared with the parties involved, which also offers high security and confidentiality of the data. Even though longer keys would be harder to crack, computers’ capacity also matters. Symmetric keys mean that the same key is used to encipher and decipher the web traffic.
The processing capacity of the devices is not able to encrypt/decrypt such long keys. The communication and the data being transferred would be slowed down or fail if the symmetric keys exceed the capacity limit.
Andrew Nguyen says
Hi Miray,
I agree with your points, and would like to add that at a certain point the length of a key can be considered ‘good enough’. Things like processing capacity, speed of data transfer and sensitivity of data could be factors when considering whether or not a symmetric key should be of a certain length.
Thanks for sharing your thoughts!
Best,
Andrew
Kelly Sharadin says
I agree with your assessment regarding “good enough” security controls. I think some security professionals become hyperfocused on securing at all costs, often to the detriment of users being able to perform their tasks comfortably and ultimately for the business’s overall success. Cryptography highlights the balance between functionality and security. Thanks for sharing your thoughts.
Olayinka Lucas says
Hello Kelly. Well phrased: “Cryptography highlights the balance between functionality and security.” This is true because other essential security controls would also be running within the system, which may become ineffective if adequate processing capacity is not efficiently allocated to them. As the saying goes, it is not based on the strength of a control but on its effectiveness and ability to deter breaches.
Andrew Nguyen says
While longer symmetric keys are more difficult to crack, using a longer symmetric key (for example, 1,000 bits) would lead to significant overhead on systems performing the decryption. For this reason, having a 100 to 300 bit symmetric key in many cases can be considered ‘good enough’ depending on the type of data that it is encrypting; keys longer than 300 bits would have diminishing returns.
Madalyn Stiverson says
Hi Andrew,
Good point on keys longer than 300 bits having diminishing returns. It ultimately takes us back to the fundamental cybersecurity question of what controls to implement vs the cost to implement those controls. Everything is a trade off, and keys longer than 300 bits don’t seem to justify the cost.
Olayinka Lucas says
The longer the length of the key, the more processing power required. Based on the excessive computer processing power necessary to encrypt and decrypt asymmetric key sessions with extreme lengths, today’s central processing units (CPU) lack the capacity and would not deploy 1,000-bit symmetric keys.
Secondly, there would always be an urgent need to create an equilibrium between other security functionalities requiring processing power within the endpoint device. So, even though symmetric keys of that length would provide more security by creating more work time for the attacker, the processing power needed would create disruptions and possibly shut down the endpoint device.
Lauren Deinhardt says
Although longer encryption keys are much more difficult to crack, and are therefore extremely secure, it is not logical nor practical to have highly complicated bit keys due to the impact it would have on transmitters and receivers. Complicated encryption keys and algorithms take up significant processing space within transmitting and receiving devices, increasing the time it takes for data/messages to be sent through the network. From a business standpoint, this would drastically slow operations and potentially render encryption useless. This same concept is seen when business owners need to define which data requires stronger encryption algorithms and which do not; by applying strong algorithms across the board, overall system performance and message transmission will be severely impacted.
Kelly Sharadin says
Hi Lauren,
I like how you expanded on how the limitations of more robust cryptography can impact both hardware resources and the business at a macro level. As security professionals, I believe this is a critical skill to possess: to be able to understand how technical problems may affect various business operations, and further, how our security controls may inadvertently disrupt the organization. I always say security operations cannot be adverse to business operations. Very thoughtful post!
Kelly
Ryan Trapp says
Increasing the length of a key comes at a price in terms of the processing power it takes to encrypt and decrypt the key. So while a key length of 1000 bits would be extremely secure, the current processing speed and hardware that we have now would be put under a lot of stress in handling this encryption. Therefore, there is a point of diminishing returns when increasing the length of a symmetric key. At this point in time it is best to have a key length of 100-300 bits.
kofi bonsu says
The longer the key, the more handling force and RAM it may need to perform its routine operations. Therefore, it speaks well for systems to use the base key length for any intended threat, and 100 to 300 is deemed to be hugely strong at this time. Modern day systems currently don’t make use of 1,000-bit symmetric keys because of the unnecessary computer handling power it would take to encrypt and decrypt the symmetric key meeting. While a 1,000-bit key would be more secure, in theory so would disconnecting a computer completely from the internet; but this would render the gadget useless for day by day tasks. To that end, we must adjust security functions like cryptography with other cycles (internet access) competing for the computer’s handling power like RAM. The explanation most keys don’t use 1000 bit or more keys is because of RAM and handling speed. The longer the symmetric key, the longer it will take to encrypt/decrypt, and most computers would not have the option to process keys longer than 300 bits because of the processor and the allocated RAM. Therefore, it is best to go with 256 bit as it is the base amount that is most secure and doesn’t greatly impact handling time. Longer keys are more cumbersome to crack, it’s right; most of today’s symmetric keys are 100 to 300 bits long, because a current encryption key of 100 to 300 is enough for today’s hardware capabilities or system execution. If we consider the fastest computer accessible in the current market, it is likewise unable to crack a 100-bit encryption key within barely a few minutes, hours or days. If we think about what computers are accessible out in the open or to programmers, they would require an extremely long time to crack a 100-300 bit encryption key.
To crack any type of encryption key, the regularly used brute-force attack works completely on combinations of all accessible characters in the key for possibilities of a fruitful attack. Just in case encryption is incremented to 1000 bits or longer, it can effect changes on the communication process; a greater key means straightforwardly longer decryption, which implies slower communication. This is especially so for communication where an internet browser establishes communication after authenticating the required key and sending information. Communication will differ, so at whatever point 300 bits becomes crackable, at that time computer hardware capability will be enough to use strong encryption keys and handle 1000 bit or larger keys.
Dhaval Patel says
Hi Kofi,
I like the comparison that turning off a computer is the equivalent of using a 1000 bit key; in both situations the computer is ultimately useless. As you said, most modern-day systems can’t go past 300 bits, but it makes me wonder whether processing power and RAM will one day be innovated enough to handle 1000 bit keys.
Dan Xu says
1,000 bit keys require more powerful computers to process, but it is impossible to break this encryption quickly in a short period of time. The longer the key, the more processing power and RAM is required to run it. Therefore, it makes sense for the system to use the minimum key length for a given threat. At this time, 100 to 300 is considered very powerful. Most computers will not be able to handle keys longer than 300 bits. Too many keys will make the device unusable for everyday tasks. Although a 1,000-bit key may seem like a large number and more secure, it takes longer to encrypt and decrypt.
zijian ou says
Yes, I also think that the longer the key, the more RAM and processing power is needed.
Michael Duffy says
Bits scale with resources required to actually decrypt and encrypt information. Since it is computationally infeasible to implement 1000 bit algorithms at this current period of time it would not provide any benefit for organizations to implement at 1000 bit unless there was some sort of next-level computer that could implement 1000 bit symmetric encryption while not limiting availability.
Vraj Patel says
Hey Michael,
That’s definitely true that if there is no next-level computer that could encrypt and decrypt the 1000 bits then it’s not useful to use it, as it would affect the availability of the resources within the company.
Ornella Rhyne says
Hi Michael,
Great analysis and yes we are good with 300 bits long. The computers are not made to process longer keys at the moment. This 100-300 is good enough to encrypt and decrypt information right now. It might or will change soon.
Ornella Rhyne says
I believe as technology evolves, we would at some point upgrade to longer symmetric keys (1,000), but as of now these 100 to 300 keys are strong enough to encrypt a message or data. The computers we have now won’t support 1000 bit symmetric keys because of the excessive processing power it requires to encrypt or decrypt a message and also the costs associated with it.
Christopher Clayton says
The way technology is constantly evolving these days, upgrading the RAM and processing power to support 1,000 symmetric keys is bound to happen in the future.
Joshua Moses says
Hello Ornella, your response makes a lot of sense. Information Systems are rapidly changing, so it is only logical that the security tools and practices we use will have to change at the same pace (at least) in order to successfully secure them and mitigate the threats that they will undoubtedly have to contend with.
Michael Galdo says
Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
I don’t believe we have evolved enough in this field to successfully implement 1000 bit keys. I believe that as we progress, 1000 bit keys will be more beneficial and attainable, but 100-300 bit keys are good enough for us at this moment. 1000 bit keys would require a very high amount of processing power and some CPUs may not have the capacity for these messages.
Ornella Rhyne says
Hi Michael,
I agree with you. The longer the keys, the more power we need to process them. At the moment, we are good with 300 bits long. When the time comes, then we will upgrade, and I am pretty sure it will come soon. Technology is evolving and lots of things are changing, so there won’t be any surprises if that happens.
Madalyn Stiverson says
It’s a balance between availability and confidentiality. Each bit adds to the processing power and time required to generate and decrypt the key. A 1000 bit key would slow down the system unnecessarily, since a 100-300 bit key is already considered strong. If you’re that concerned a key might be hacked, I’d consider other mitigating controls such as MFA, segmentation, or air gapping.
Michael Galdo says
Hello Madalyn,
I agree with you in that I believe a 1000 bit key is just unnecessary at this time. Instead of adding that many bits, mitigation controls that you mentioned such as segmentation are a more reasonable option. I believe that as we progress, 1000 bit keys will be more beneficial and attainable, but we’re not quite there yet.
Corey Arana says
With today’s technology, longer keys are more difficult to crack. Having keys that are 100 to 300 bits long is strong enough for the current time. A brute force attack against a 256 bit key is very difficult and time consuming. Having a 1,000 bit key would definitely make the encryption much stronger, but the computers now would not have the processing power to decrypt the document/data in a timely manner. The 1,000 bit key would drastically slow down the decryption time.
Richard Hertz says
I like the way you added the caveat ‘for the current time’. I think that is one of the key tenets of the discussion – how secure is secure enough today? 20 years ago we didn’t even encrypt things, 10 years ago the keys were much smaller/weaker. 10 years from now I am sure that 1000 bits might seem trivial to crack!
Corey Arana says
Great question, how secure is secure today. With the amount of attacks that go on in today’s world, we need to make sure we are as secure as ever. 10 years from now, a super computer may be out there to crack a 1000 bit.
Christopher Clayton says
The purpose of symmetric keys is to encrypt and decrypt electronic information. The longer the symmetric key, the better, would appear to be the logical approach to make it more difficult to crack, but the disadvantage to that is it would cause a strain on memory storage space and may also be a financial burden. 100-300 bit keys are sufficient against cryptographic attacks, so 1,000 is not necessary.
Wilmer Monsalve says
There are a number of reasons for this. The first one is that it is not necessary for it to be that long, at least for the time being, as symmetric keys of 100 bits are currently deemed very secure. Another reason would be that there is not enough computing power to encrypt and decrypt a symmetric session key with 1000 bit keys. Lastly, it would take too long to encrypt and decrypt a 1000 bit key, as it is not practical, especially for day to day tasks, so there won’t be an application for it even if it were possible.
Jason Burwell says
Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
It’s true, longer keys are more difficult to crack; however, one would certainly run into issues with computer processing power if they attempted to set up 1000-bit keys. Encryption and decryption for a 1000-bit key would simply be too much to ask of these current systems, so while yes, we want a long key that is difficult to crack, we also want to make sure the resources in place can handle the job.
Richard Hertz says
2. Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
The cost to process a symmetric key is best measured in CPU cycles or computer processing time. In order for existing systems to easily support symmetric encryption the industry has settled on 100-300 bit keys as being the ‘sweet spot’ between protection and convenience. More secure (1000 bit keys) will consume too many CPU cycles and impact system performance. This would require either an acceptance of a lesser rate of performance in a system or the purchase of more powerful compute platforms that could more rapidly process 1000 bit keys. The requirement for security has not yet reached that point – to require 1000 bit keys and trigger that incremental expenditure on computer processing power.
Bryan Garrahan says
Thanks for sharing Richard! I wonder if a case could be made to utilize a key bit length in excess of 300 for a system or application that is used solely as a repository for storing sensitive information, such as PII. I believe you could potentially make a case in this scenario that confidentiality of the data exceeds the need for performance, since data is only being stored and limited and/or zero processing is performed within the repository.
Bryan Garrahan says
Simply put, deploying 100-300 bit keys is considered best practice in order to deter attacks, such as brute force, because it’s generally difficult to compromise keys of this size. The utilization of keys exceeding 300 bits, which in this scenario is 1,000, will result in wasted resources in the CPU which should be allocated to other functions that are responsible for optimizing and supporting system performance.
Victoria Zak says
Systems do not use far longer bit keys such as 1,000 bit keys due to the time and speed it takes to encrypt and decrypt. However, a system that utilizes 100-300 bit keys is necessary due to security protocols, protection, and fast enough speed.
Joshua Moses says
Systems do not use longer symmetric keys such as 1,000 bit keys because it is not feasible. It will require more processing power and random access memory (RAM), as well as more resources.
Alexander William Knoll says
While longer keys may be more difficult to crack and thus more secure, the reason that they are typically 100-300 bits long is due to network processing and encryption time. As the symmetric keys double in size, encryption may take 6 to 7 times longer, making it extremely inefficient/unmanageable to use larger keys. Having smaller keys allows for much more efficient utilization, and thus increased performance.