Encryption can be described rather simply as encoding or obscuring data so that only the intended recipient or holder of certain information can read it. The practice of encryption is a bit harder, requiring certain math operations that are easy to do one way but not easily reversed and then using some special properties of those operations so we can put data in and retrieve it later. That sounds a bit complicated, so let’s look at a simpler example. Squaring a number is an operation that many people consider rather easy, but taking a square root of a number is considered hard. Most people can square just about any number, even without computers and calculators, but the same group of people would be challenged to solve any but the easiest square root problems. That is how encryption operates. Squaring 12 is easy, resulting in 144. However, if you ask someone to tell you what numbers you multiplied together to get 144, they would have to guess. The possible answers are 1 and 144, 2 and 72, 3 and 48, 4 and 36, 6 and 24, 8 and 18, and 12 and 12. You literally have to try every combination of numbers that could result in the target and see if the combination results in the correct answer. Now imagine that the target number you are trying to break is 24,514,637,765,345,777,254,910,164. Guessing which numbers were used to get that result would be a long process. Notice I said long—not impossible.
Determining “Strong Enough” and Moore’s Law
When you talk about encryption, one question that is bound to come up is “How strong is strong enough?” The answer isn’t easy. Strong enough for what? A better way to view encryption strength is to look at what you are protecting. If the data life (defined as the length of time the data is useful or valuable) is significantly shorter than the time it takes to crack the encryption, it is strong enough. If the data life is longer than the cracking time, the encryption isn’t strong enough. Let’s talk numbers. Currently the accepted standard in encryption key strength seems to be 128–256 bits. That means that various industries and government agencies have determined 128–256 bits to be the “right” strength for them, and they recommend this to others. The strength is derived from two main factors: the algorithm used (e.g., RSA, Blowfish, DES, 3DES) and the key length. The algorithm is the complex math operation, and the key strength is the randomness. A very long key on a weak algorithm might not be as secure as a shorter key on a better algorithm. Most Secure Sockets Layer (SSL) communications used in Web browsing are 128- or 256-bit strength, depending on your browser version.
You might be wondering “What does 128- or 256-bit strength mean?” That means the key uses 128 or 256 pieces of data to help randomize the encryption. This is kind of like the ridges and valleys on the keys to your house or car. Those ridges make the key unique, despite the fact that most house keys and car keys are shaped similarly. Encryption is the same way. We all use the same basic concepts, and using the same program or style of encryption is like having the same make and model of car. But the ridges on the key make my key unique to me and yours to you. Encryption performs the same function.
One last thing about encryption. A concept called Moore’s Law, in its original form, states that the number of transistors per integrated circuit would double every 18 months. That means that every 18 months, computers would double in power. Since Gordon Moore’s [1] initial observation in 1965, this has indeed been the case. Its significance here is that because of Moore’s Law, encryption also gets twice as easy to break every 18 months. Encryption is based on really hard math, and the Central Processing Unit (CPU) power determines how fast those math operations can be carried out. More CPU power means a better chance of breaking encryption quickly. This is also why folks who have extremely powerful computers are more likely to be able to crack harder encryption. When you are planning your encryption strength, remember you will need to review and adjust it every 18 months or it will soon be too weak.
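The "data life versus cracking time" test and the 18-month doubling can be combined into one planning calculation. The sketch below is an added example, not code from the original text. It assumes an exhaustive search of a symmetric key that succeeds on average after half the keyspace, a constructed starting speed of 10^12 keys per second, and a hypothetical safety margin of 2 to stand in for "significantly shorter"; weaknesses in the algorithm itself are not modelled.

```python
import math

DOUBLING_YEARS = 1.5                    # the 18-month doubling period from the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def years_to_crack(bits, keys_per_second, doubling_years=DOUBLING_YEARS):
    """Expected years to brute-force a `bits`-bit key (half the keyspace).

    The attacker starts at `keys_per_second` and doubles in speed every
    `doubling_years`; pass doubling_years=None for a constant speed.
    """
    target = 2.0 ** (bits - 1)                   # expected number of guesses
    rate0 = keys_per_second * SECONDS_PER_YEAR   # guesses per year today
    if doubling_years is None:
        return target / rate0
    # Guesses made by year t: rate0 * D/ln2 * (2**(t/D) - 1). Solve for t.
    k = rate0 * doubling_years / math.log(2)
    return doubling_years * math.log2(1.0 + target / k)

def strong_enough(bits, data_life_years, keys_per_second, margin=2.0):
    """True if cracking takes longer than margin * data life (margin is assumed)."""
    return years_to_crack(bits, keys_per_second) > margin * data_life_years

def min_key_bits(data_life_years, keys_per_second, margin=2.0, max_bits=512):
    """Smallest key length that passes strong_enough(), or None if none does."""
    for bits in range(1, max_bits + 1):
        if strong_enough(bits, data_life_years, keys_per_second, margin):
            return bits
    return None

if __name__ == "__main__":
    speed = 1e12    # constructed attacker speed, keys per second
    for bits in (56, 128, 256):
        fixed = years_to_crack(bits, speed, doubling_years=None)
        moore = years_to_crack(bits, speed)
        print(f"{bits:3d}-bit: {fixed:9.3g} years at constant speed, "
              f"{moore:7.3g} years with 18-month doubling")
    print("minimum bits for 25-year data life:", min_key_bits(25, speed))
```

Under these assumptions the doubling term dominates: each extra key bit buys only about 18 more months once the attacker's speed is growing, which is why the required key length depends so strongly on how long the data must stay secret.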