Light Dark
June 12, 2014 By Rick Robinson 3 min read
Cloud Security
Data Protection

In giving presentations on cryptography and encryption key management, I am frequently asked about key size. Specifically, the question I am asked is if a 128-bit or 256-bit encryption key is enough. It does not matter what answer I give, the follow on question is usually predictable: Given Moore’s Law, when will that key size be inadequate?

We need to back up a little to answer this question, and we also need to put it into the perspective of money. We can easily get lost in the world of transistors, MIPS, TFLOPS, algorithms, processors and other technobabble (which is proudly part of my lexicon), but let me restate this concern from a monetary perspective: How much money does it cost to test every possible key in a 128-bit (or 256-bit) key space and how long will it take?

For people not familiar with Moore’s Law, it was a forecast by Gordon Moore of Intel fame who, in 1965, forecast that the number of transistors on integrated circuits would double every two years. For the most part, the computer industry has followed this forecast and that is why our smart phones have more than 100-times the computing power of the computers that launched the first space shuttle. This is beautiful thing, and we all have benefited from this explosion in computing power. But there can be dark side: using that computing power for nefarious purposes.

In other words, if you are a business and encrypting your data using a 256-bit encryption key, do you have to be concerned that Joe Hacker can harness the power of the cloud to get to your data by trying every possible key? As we address this concern, we must avoid getting lost in big numbers, like 256-bits, and losing perspective of what that actually means. For the forgetful, a key in a 256-bit key space is really just a single number that is somewhere between zero and 2 to the power of 256. (For those who like decimal values, that is 10^77, or simply 1 followed by 77 zeros). That is a BIG number. But, to put it in perspective, let’s look at another big number: all the atoms in the known universe.

The number of atoms in the known universe is estimated to be about 10^80 (again, 1 followed by 80 zeros). Nobody has a precise count of the atoms in the universe, so let’s us just say that the number of atoms is “about” the same as the number of keys in a 256-bit key space. That is a LOT of possible keys.

Key Management: Bringing It Home

So, I may be losing you in the numbers, but here is the essence of the message. The amount of money required to test every key in a 256-bit key space is going to be close to the amount of money that would be required to pay for the energy to move each atom in the universe, even by just a little. In other words, no human can afford enough computing power to test all of those keys. From an energy perspective, it would take more energy to drive the computers to perform the work (regardless of how many transistors they have) to try all the keys in a 256-bit key space than the planet produces over our lifetimes. For a 128-bit key, it’s estimated that it would take 1% of the world energy production for a full year. This is a LOT of power.

From a business perspective, how much is the encrypted-data worth? Is it worth a billion dollars? Is it worth a trillion? Or is it just worth a few thousand dollars? If the quarterly report of a public company was stored in an encrypted file and protected by a 256-bit key, how much money would you invest in computers to try to test every key (also known as a brute force attack)? Realistically, the ROI is just not there. And then consider that, with very little work, we can encrypt the file under more than one key. We could even encrypt each word under a different key. You would have a better chance of winning the lottery (about 1 in 10^8) than ever lucking upon the right key. It is simply too expensive (and will continue to be too expensive, if not completely impossible) to brute force attack keys. They are just too big.

At the end of the day, key management helps us use and manage millions of keys in cryptography to protect our data. It is easy. But because the keys are so big (even 128-bit symmetric keys), attempting to access the data by trying all possible keys is simply not feasible for the bad guys. They need to find another approach: guessing your password, hoping that you don’t encrypt your data, finding a way to have you “give” them the key through social engineering, phishing attacks or other sneaky tricks to fool you.

Read the white paper: Three guiding principles to improve data security and compliance

So, don’t worry about cryptography or your encryption keys. Use AES and key sizes of 128-bits or greater. Even NIST considers 128-bit keys acceptable in their SP800-131A publication. Moore’s Law has a long way to go before our keys will be realistically breached through a brute force attack.

 |  | 
Rick Robinson
Product Manager, Encryption and Key Management

More from Cloud Security
November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

October 10, 2024

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

June 6, 2024

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature