
Does the SSL Key Size Matter?

    SSL

    • Desktop computers, laptops and even smartphones use a system called Secure Sockets Layer to securely transfer data between them and a business at the other end. The sending and receiving computer both have SSL. When you fill out a form to log into your online bank account, for example, the data passes through SSL, which scrambles it according to a mathematical formula. The Internet carries the scrambled data to the business, at which point the SSL program on its computer unscrambles it back into meaningful information. Most Web traffic, such as a weather report, a political blog page or a restaurant menu, does not need or use SSL. The encryption process slows down the transfer of data, so only sensitive Internet transactions use it.

    Key Sizes

    • Each computer on an SSL connection has a number called a key. Sending and receiving computers each have unique keys, which SSL uses to encrypt data. Key sizes are measured in bits, with the most common size in current use being 128 bits. Most modern computer applications no longer use 40-bit keys, as they lack sufficient security. The larger the key, the harder it is to guess; every bit in the key’s size doubles the number of guesses you’d have to make to decode the message. A 128-bit key, for example, requires 2^128, or roughly 10^38, guesses. SSL can use key sizes larger than 128 bits; key sizes can go to thousands of bits. Some organizations use 256-bit keys for stronger security.

    Attacks

    • All encryption systems have some vulnerability to decoding, either by sophisticated mathematical attacks or brute-force methods. A brute-force attack simply tries all possible combinations for a key’s value; the longer the key, the more combinations the attack needs to try. Even at the rate of billions of combinations every second, a computer would need more time to crack a 128-bit key than the current age of the universe. Mathematical techniques attempt to improve the speed of an attack through insights into the encryption process. This is a subject of serious study, as billions of dollars’ worth of commerce depend on the strength of SSL keys.

    Encryption Systems

    • SSL supports an alphabet soup of encryption systems, called ciphers, including AES, DES and triple DES. Each of these systems uses different mathematical techniques for encrypting data; they also have different requirements for key lengths. DES, for example, uses a 56-bit key, which experts consider to be too easy for attackers to decode. Triple DES uses a 168-bit key, three times the size of the original DES’s, making it harder to attack.
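
To make the key-size and cipher discussion above concrete, here is an added Python example (not part of the original article) that sorts cipher records by key strength and estimates how long an exhaustive key search would take for each. The 128-bit policy floor, the rate of one billion guesses per second and the sample records are assumptions made for illustration.

```python
import ssl

MIN_BITS = 128                    # assumed policy floor (the size the article calls most common)
GUESSES_PER_SEC = 1e9             # assumed attacker rate; order of magnitude only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(bits, rate=GUESSES_PER_SEC):
    """Average years to find a key by exhaustive search (half the keyspace)."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def audit(ciphers, min_bits=MIN_BITS):
    """Sort cipher records into 'ok' and 'weak' by their strength_bits field."""
    report = {"ok": [], "weak": []}
    for c in ciphers:
        bits = c["strength_bits"]
        entry = (c["name"], bits, brute_force_years(bits))
        report["ok" if bits >= min_bits else "weak"].append(entry)
    return report


# Constructed records in the shape returned by ssl.SSLContext.get_ciphers().
SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    # 3DES has a 168-bit key, but meet-in-the-middle leaves about 112 bits of strength.
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "AES256-SHA", "strength_bits": 256},
]


def show(title, report):
    print(title)
    for verdict in ("weak", "ok"):
        for name, bits, years in report[verdict]:
            print(f"  {verdict:4} {name:32} {bits:3} bits  ~{years:.1e} years")


if __name__ == "__main__":
    show("Constructed sample:", audit(SAMPLE))
    # What this machine's TLS library offers by default (no network needed).
    show("Local defaults:", audit(ssl.create_default_context().get_ciphers()))
```

Run as a script, it also lists the ciphers the local TLS library enables by default, so anything below the floor stands out for removal from the configuration.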
