If you’re a website owner who’s been worrying endlessly about encryption strengths and whether to opt for 128-bit encryption or 256-bit encryption, you’ve just got to read on to ease your nerves! For our other tech-savvy readers, concerned about accessing insecure websites, we’ll look at whether a 128-bit SSL encryption standard can be adopted with reasonable safety.
When it comes to choosing the right encryption strength in terms of a digital certificate, most sellers offer up to 256-bit encryption. Still, the actual encryption level that’s utilized to secure your data depends on a bunch of other factors.
Let’s take a look at how encryption comes into play as you surf the internet, shop on Amazon, or engage in other financial transactions.
What Happens Behind the Scenes When You Access a Website
Every time your web browser (Chrome, Firefox, etc.) talks to the server where the website is hosted, a three-way handshake occurs in the background followed by an SSL handshake if you’re trying to access the site over HTTPS.
Without getting into the details of how an SSL/TLS handshake works (that’s another topic for another day), in the image above, we can see some form of negotiation happening between the server and the client where they tell one another the standards and protocols supported on each end. These negotiations determine the best possible standards and protocols to use. Then, once that’s decided, we proceed with bulk data transfer.
In simple terms, even if you were to choose a certificate that supports up to 256-bit encryption, the outcome is dependent on these negotiations and the default server configurations. For all you know, you could end up with 128 bit encryption or significantly less encryption strength if the server you’re connecting to still supports outdated ciphers and its configuration settings have not been updated, or if your browser has not been updated.
This means that it’s better to choose a 256-bit encryption certificate and check your server configuration settings, as well as your browser, to ensure they both support it.
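To make the negotiation point concrete, here is an added example (not code from the original article) that lists the key strength of each cipher suite your local TLS client would offer and models how a server's preference order decides the outcome. The suite lists and the `pick_suite` helper are constructed for illustration; `pick_suite` assumes a server that enforces its own preference order.

```python
import socket
import ssl

def offered_suites(ctx):
    """Suites this TLS context will offer: (name, protocol, strength_bits)."""
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]

def weaker_than(suites, min_bits):
    """Suites whose symmetric key strength is below min_bits."""
    return [s for s in suites if s[2] < min_bits]

def pick_suite(server_prefs, client_offer):
    """Simplified negotiation: a server that enforces its own preference
    order takes the first of its suites that the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

def negotiated(host, port=443, timeout=5.0):
    """Handshake with a live server; returns (suite, protocol, secret_bits)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()

# Constructed sample data (not from the article): a stale server preference
# list that still ranks a 128-bit suite first, a tuned one, and a client offer.
STALE_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
TUNED_SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
CLIENT_OFFER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    local = offered_suites(ssl.create_default_context())
    print("local suites below 128 bits:", weaker_than(local, 128))
    print("stale server picks:", pick_suite(STALE_SERVER, CLIENT_OFFER))
    print("tuned server picks:", pick_suite(TUNED_SERVER, CLIENT_OFFER))
    # For a host you operate: print(negotiated("example.com"))
```

The same certificate is in play in both cases; only the server's ordering changes which key length protects the session.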
So, What’s 128 Bit Encryption Mean Anyway?
When we talk about 128-bit encryption, the “128” refers to the length of the key that’s used to encrypt your data. What this really means is that to crack the encryption key, an attacker would need to brute-force up to 2^128 possible combinations to decrypt your data.
Obviously, while 2^128 might be a near-impossible number for humans to handle, computers can process information a lot faster. However, it would take approximately 885 quadrillion years for the most powerful supercomputer (as of 2017) to brute force a 128-bit AES key.
Here are a few key size examples and the amount of time it would take to crack each of them:
| Key Size | Time Required to Crack |
|----------|------------------------|
| 128-bit  | 1.02 x 10^18 years     |
| 192-bit  | 1.872 x 10^37 years    |
| 256-bit  | 3.31 x 10^56 years     |
The bottom line here is that while 128-bit SSL encryption will take less time to crack than 256-bit encryption, it’s still reasonably safe to use. Having said that, this is all contingent on AES being implemented correctly, with sufficient entropy, and without falling victim to side-channel attacks, insecure passwords, etc.