Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
Longer symmetric keys necessitate more computing resources and memory. A system ought to have a minimal key length for security reasons. Keys of more bits make them harder to decipher; however, the encryption keys now in use are only 100–300 bits long because that is all that can be handled by most systems. Even the most powerful computer on the market today cannot decipher a 100-bit encryption key in a matter of minutes or even a day. It would take a very long time for a public or hacker-accessible computer to decipher an encryption key of 100-300 bits in length. A brute-force assault is a frequent method for breaking encryption, as it tries every possible combination of characters in the key until it succeeds. 2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936. That is a huge sum for any machine in the public domain to break; as computing power improves to the point where such keys can be broken in a reasonable amount of time, key sizes will inevitably grow, but for the time being, this level of security is more than adequate. Communication times can be impacted if the length of an encryption key is increased to 1000 bits or more; a larger key requires a longer time to decrypt, which slows down the communication process. This is especially true for the communication established between a web browser and a server after the browser has authenticated itself and received the necessary key. Since the nature of future communication is unpredictable, computers will be able to handle large encryption keys of 1000 bits or more in size once the 300-bit threshold is breached. There is a trade-off between processing speed and security, which is why we do not want to use ciphers with more than 300 bits. When computers become fast enough to crack more than 300 bits, we will get a glimpse into their true potential.
Symmetric encryption techniques, one may argue cynically, transform data into an incomprehensible format for anyone who does not have the secret key to decipher it. When the keyholder receives the message, the algorithm turns back time to restore the original, legible message. Sender and receiver may share a common secret key, which may be a password or code, or it may be a string of letters and numbers created by a trusted random number generator (RNG).
Hi Samuel,
I completely agree that the current state of keys is more than capable. I also find your comment on the future of communication interesting. If modern computers become capable of cracking 300-bit key algorithms, then a different means of key generation should probably be considered since computing would probably reach a point where relying on current key-generating algorithms would not be secure.
Longer keys are more difficult to crack. However, better security requires more bits. 128 = a minimum size of 3072 bits for public keys. 256 = a minimum size of 15360 bits for public keys. However, that is for RSA. ECC can help alleviate this issue. ECC curves for AES-256 session = 512-bit ECC key, while a 15360-bit RSA key is required, which is computationally impracticable in the current system. That’s a 1:30 size ratio for ECC to RSA. The article I found nicely summarizes the importance. “Shorter keys in ECC encryption are as strong as long keys for RSA. This results in much less network overhead, allowing faster performance and a better customer or user experience. It also means that in the long term, there is more room for growth, because each additional bit gives more options than each additional bit in RSA. That also means a slower growth in bit size over time, which makes it more scalable, potentially, for the Internet of Things.”
https://www.ssl2buy.com/wiki/rsa-vs-ecc-which-is-better-algorithm-for-security#:~:text=For%20some%20organizations%2C%20network%20performance,ECC%20cryptography%20the%20better%20choice.
A longer symmetric key requires more time and processing power, and the current 100-300 bit keys are more than enough to protect against attacks such as brute force. Even if we did have a 1000-bit key, it would take lifetimes to crack, therefore making it redundant.
Longer keys require more processing power and time to compute and also, to an extent, longer keys are excessive since keys that are 100-300 bits long already take an abnormally large amount of time and processing power to brute-force. Also, if larger keys are used, then communications will also take longer since they would need to transmit these keys to verify secure connections.
Hello Kenneth,
I totally agree that if larger keys are used, the communications will take longer since they would need to transmit these keys to verify a secure connection. Most modern systems are not able to process that.
Currently, symmetric keys at 100-300 bits long take a considerable amount of time to crack via brute force; because of this, keys of that length are considered incredibly strong. A 1000-bit long key would be considered beyond overkill and would take hundreds of years to crack. This unnecessarily long key would also slow the process of key validation down for no additional benefit.
Hey Max. With the advancement of processing power there’s no doubt we will need longer keys as compensation; and this is where I agree with you because if we get into too long of a key then its purpose is redundant.
Using far longer symmetric keys, for example 1,000-bit keys, may create issues with most systems. RAM and processing speed may not be compatible with that many key bits, and it may require too many resources to process. 256 is good enough as it does not take much time to encrypt/decrypt, while at the same time still providing more secure service.
I agree with your comments and have the same thought process in that it’s a cost benefit in that 1000-bit keys will take more RAM and processing speed. Additionally, 256 bits is good enough to provide secure service.
Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don’t systems use far longer symmetric keys—say, 1,000 bit keys?
Why do we only use 126 or 254 bit keys instead of 1024 bit keys? The simple answer is cost/benefit calculation. There is a cost in processing power and service delay that comes from encrypting and decrypting. While modern encrypted protocols like TLS are very optimized, it does still add processor cycles to every message sent and received. The longer the key, the more work it takes to encrypt and decrypt. While there is an improvement in security for a longer key, that improvement reaches a point where it either becomes infeasible that it would ever be broken. If it takes 100 years on average to brute force a key of length N, then using a key of length N*2 is not a functional advantage. The security is not meaningfully improved if it takes 200 years to break; it is already far beyond the useful life of the message. So the additional cost is not additional benefit.
The reverse is also sometimes useful. For example, if you have a system with limited resources, you might be willing to accept a very small key length or “weaker” algorithm when protecting data with a short lifespan. If the data is only useful or in existence for a few minutes, you don’t need a 100 year strong encryption. You can accept an algorithm that could be broken in a few hours, because it still exceeds the needs of protection while freeing up resources that a stronger algorithm would use.
I really like your point of view on the reverse thought process. I didn’t think of it from that perspective, but it makes sense, and I agree with your points regarding how, if resources are limited, one might be willing to accept a weaker algorithm when protecting data with a shorter lifespan.
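The cost/benefit argument in the post above can be put into numbers. The following is an added example, not part of the original thread: it estimates average exhaustive-search time per key length and the smallest key length that outlasts a given data lifetime. The attacker rate of 10^12 guesses per second and the 1.5-year doubling period are constructed assumptions, and the model covers brute force only, not cryptanalytic shortcuts.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ATTACKER_RATE = 1e12  # assumed guesses per second; a constructed figure


def log10_expected_years(key_bits, guesses_per_second=ATTACKER_RATE):
    """log10 of the average exhaustive-search time in years.

    On average half the keyspace is tried: 2**(key_bits - 1) guesses.
    Working in logarithms keeps 1,000-bit keys inside float range.
    """
    log10_guesses = (key_bits - 1) * math.log10(2)
    return log10_guesses - math.log10(guesses_per_second * SECONDS_PER_YEAR)


def min_key_bits(lifetime_years, guesses_per_second=ATTACKER_RATE,
                 doubling_years=None):
    """Smallest key length whose average search time exceeds the data lifetime.

    If doubling_years is given, the attacker's rate doubles on that period
    (a Moore's-law style assumption) for the whole lifetime.
    """
    base = guesses_per_second * SECONDS_PER_YEAR  # guesses/year at initial rate
    if doubling_years is None:
        total = base * lifetime_years
    else:
        # Integral of base * 2**(t / d) for t in [0, lifetime].
        growth = math.expm1(lifetime_years / doubling_years * math.log(2))
        total = base * doubling_years / math.log(2) * growth
    # Need 2**(bits - 1) > total guesses the attacker makes in the lifetime.
    return math.floor(math.log2(total)) + 2


def report():
    """(key_bits, log10 years) pairs for a few representative key lengths."""
    return [(bits, log10_expected_years(bits)) for bits in (56, 128, 256, 1000)]


if __name__ == "__main__":
    for bits, exp in report():
        print(f"{bits:>5}-bit key: about 10^{exp:.1f} years on average")
    ten_minutes = 600 / SECONDS_PER_YEAR
    print("10-minute secret:", min_key_bits(ten_minutes), "bits")
    print("100-year secret, fixed attacker:", min_key_bits(100), "bits")
    print("100-year secret, rate doubling every 1.5 years:",
          min_key_bits(100, doubling_years=1.5), "bits")
```

Under these assumptions each added key bit doubles the search time, so even a century of steadily doubling attacker speed is covered well below 256 bits, while a 56-bit key falls in about ten hours.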
I have to think about the reverse case at my job. I am actively doing research on encrypted communications for embedded devices in a real-time reactive system where things like additional processing cycles and increased latency can have serious cumulative effects.
Another place where this cost/benefit analysis was carried out was in encrypted communications for the military in the pre-digital age. You obviously don’t want to send written orders with a runner in plain text, but there is a cost in time and effort to encrypt and decrypt a long message by hand. There are some pencil and paper ciphers like Vigenère’s that are very strong and almost impossible to brute force by hand. However, it takes a lot of effort to encrypt and decrypt using that method, and if you make a mistake it can render the message unreadable even if you have the key. Other ciphers have a small key-space and correspondingly weak protection but less effort. A “weak” encryption can be good enough if you just need to make the message unlikely to be decrypted before the attack tomorrow morning and not something that needs to remain secret forever.
Hey Dave,
I like that you bring up the military aspect. This reminds me, ironically enough, of the movie “The Imitation Game”. The entirety of the movie is trying to crack the Germans’ Enigma Cypher during WWII. The reason the Axis were so successful was due to the Allies’ inability to decipher their cypher.
The longer the key, the more time consuming and expensive it is to decrypt. The 100-300 bit symmetric keys today provide enough security that there isn’t a reason to use longer keys due to cost and time. The longer the key, the more processing power and RAM it takes to operate. This could change in the future: if it becomes feasible to brute-force, then the keys would need to increase in size and become longer.
In the future, if computers become more powerful and brute forcing a current key becomes trivial, the processing power to handle larger keys and stronger algorithms should be available as well. Encryption is a cat and mouse game or an arms race: as the tools to break encryption get better, the protections get made stronger. It will be back and forth like that until there is a major breakthrough like quantum computers or another technology that can bypass the underlying math that makes modern encryption possible.
Systems do not use longer symmetric keys because we are not up to par with processing speed and RAM power. The longer the bit keys, the longer it will take to encrypt and decrypt. I would say that mostly we should stay in between 100-300 bit keys. The longer it is, the more resources and more cost would be going into maintaining it.
Hi Parmita,
I agree with you: the longer the symmetric keys, the more resources will be utilized.
More processing power and memory are required for longer symmetric keys. It makes sense for a system to have a minimum key length.