128 or 256 bit Encryption: Which Should I Use? - Ubiq (2024)

When discussing symmetric encryption algorithms – like the Advanced Encryption Standard (AES) – you may have been considering using AES-128 or AES-256. The last three digits represent the length of the secret key – think of it like the number of teeth in a physical key. From a security perspective, a 256-bit secret key is obviously better, but does it really matter which of the two options you choose? This article walks through some of the main security considerations for AES-128 and AES-256.

Brute Force Attack Protection

A brute force key guessing attack is where an attacker tries each potential secret key until the right one is found. This attack is guaranteed to succeed (eventually) and (ideally) should be the fastest way to break an encryption algorithm.

When discussing brute force attack protection, understanding just what different key lengths mean is essential. With the impending arrival of quantum computing, it is also good to know how it will impact cryptographic security. Are the current forms of AES strong enough?

The Difference in Key Length

The main difference between 128 and 256-bit encryption algorithms is the length of the secret key that they use. The 128 and 256 in AES-128 and AES-256 mean that the two algorithms use 128-bit and 256-bit keys respectively.

The longer the secret key, the harder it is for an attacker to guess via brute force attack. However, AES-256 is not just twice as strong as AES-128.

With 128 and 256-bit secret keys, AES-128 and AES-256 have 2^128 and 2^256 potential secret keys respectively. With binary keys, each bit added to the key length doubles the key space. This means that AES-256 has 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 times as many keys as AES-128.

As a result, a brute force attack against an AES-256 key is much harder than against an AES-128 key. However, even a 128-bit key is secure against attack by modern technology. At its peak, the Bitcoin network – arguably the largest modern use of computational power for cryptography – performed approximately 150*10^18≈2^67 operations per second. Assuming that these operations are of equal difficulty to a brute force attack, it would take the Bitcoin network over 70,000,000,000,000,000,000,000,000 years to crack a single AES-128 key.

Resistance to Quantum Computing

The threat of quantum computing to cryptography has been well-publicized. Quantum computers work very differently than classical ones, and quantum algorithms can make attacks against cryptography much more efficient.

In the case of asymmetric encryption algorithms (like RSA), quantum computing completely breaks them. However, for symmetric algorithms like AES, Grover’s algorithm – the best known algorithm for attacking these encryption algorithms – only weakens them. Grover’s algorithm decreases the effective key length of a symmetric encryption algorithm by half, so AES-128 has an effective key space of 2^64 and AES-256 has an effective key space of 2^128.

However, while this seems significant, it doesn’t break either algorithm. With the right quantum computer, AES-128 would take about 2.61*10^12 years to crack, while AES-256 would take 2.29*10^32 years. For reference, the universe is currently about 1.38×10^10 years old, so cracking AES-128 with a quantum computer would take about 200 times longer than the universe has existed.

This also makes the assumption that an attacker has the “right” quantum computer. Cracking AES-128 would take an estimated 2,953 logical qubits and AES-256 would require 6,681. In 2020, the largest quantum computer had 65 qubits with a goal of hitting 1,000 by 2023.

128 and 256-Bit Algorithms Under the Hood

Brute force attacks against a secret key are the best potential attack against a secure algorithm, but what if the algorithm has a vulnerability?

AES is broken up into two distinct algorithms: the encryption algorithm (which does the actual encryption) and the key schedule (which converts the secret key into round keys). The security of each of these matters to the security of AES.

The Encryption Algorithm

AES-128 and AES-256 use an almost identical encryption algorithm. Each encryption algorithm takes a set of operations and applies them a certain number of times or “rounds”. The only difference between AES encryption algorithms is the number of rounds: AES-128 uses 10 and AES-256 uses 14.

This means that, if an attack against the AES algorithm was discovered, it would likely affect both AES-128 and AES-256. The only difference is if the attack only worked up to a certain number of rounds of AES (which some AES attacks do). If an attack worked for at least ten rounds but less than fourteen, then a clear winner exists between AES-128 and AES-256. However, no such attack is currently known for AES.

The Key Schedule

The key schedule is where AES-128 and AES-256 become very different. The AES-128 key schedule is designed to turn a 128-bit secret key into ten 128-bit round keys. The AES-256 key schedule transforms a 256-bit secret key into fourteen 128-bit round keys.

Of the two, the AES-128 key schedule is actually more secure. The AES-256 key schedule has known weaknesses that might make it possible to perform related key attacks against the algorithm.

A related key attack should never happen in real life. For it to occur, an attacker needs to:

  1. Convince the key owner to take their existing encryption key
  2. Create three other keys based on this key using relationships known to the attacker
  3. Encrypt 2^99.5 (that’s eight followed by 29 zeros) blocks of data with these keys

Even if this attack were feasible, it can be avoided simply by using good key generation practices. A truly random key should never be vulnerable to a related key attack because it has no related keys.

Despite the fact that this attack is infeasible to perform, some cryptographers advise – when given a choice between AES-128 and AES-256 with no constraints – using AES-128 over AES-256. If you have a simpler algorithm with a stronger key schedule, why use the more complex one?

Picking Between AES-128 and AES-256

128-bit and 256-bit AES both have their pros and cons. AES-128 is faster and more efficient and less likely to have a full attack developed against it (due to a stronger key schedule). AES-256 is more resistant to brute force attacks and is only weak against related key attacks (which should never happen anyway).

Since both algorithms are secure against modern and anticipated future threats, the choice between them doesn’t really matter from a security perspective. Our best guidance is that AES-128 provides more than adequate security while being faster and more resource-efficient but readers who want that extra security provided by greater key sizes and more rounds in the algorithm should choose AES-256.

The Ubiq Platform currently supports both AES-256-GCM and AES-128-GCM, so if you’re interested to find out more about how to quickly build data encryption into any application, watch our short demo video.

FAQs

128 or 256 bit Encryption: Which Should I Use? - Ubiq? ›

Our best guidance is that AES-128 provides more than adequate security while being faster and more resource-efficient but readers who want that extra security provided by greater key sizes and more rounds in the algorithm should choose AES-256.

Is 128-bit encryption good enough? ›

If you ask how long will it take to crack 128-bit encryption using a brute force attack, the answer would be 1 billion years. A machine that can crack a DES key in a second would take 149 trillion years to crack a 128-bit AES key. Hence, it is safe to say that AES-128 encryption is safe against brute-force attacks.

What the advantage is of using 128-bit or 256-bit data encryption rather than 56 bit encryption? ›

The main benefit of AES lies in its key length options. The time required to crack an encryption algorithm is directly related to the length of the key used to secure the communication -- 128-bit, 192-bit or 256-bit keys. Therefore, AES is exponentially stronger than the 56-bit key of DES.

What is the difference between 128 and 256 AES keys? ›

Both of these encryption types use 128-bit blocks, but AES-256 uses double that of AES-128. On top of this, while AES-128 uses 10 rounds of processing to create keys, AES-256 uses 14 rounds. Overall, AES-128 and AES-256 encryption are pretty similar in how they function, and have very similar encryption algorithms.

Is a 256-bit encryption key more secure than a 128-bit key? ›

Because of the way the mathematics works, 256-bit encryption is not twice as hard to break in to or 'crack' as 128-bit encryption, but 340 billion-billion-billion-billion times harder.

Is 256-bit encryption better than 128? ›

Comparing 128 bit vs. 256 bit encryption algorithms, we can find that the main difference lies in the security key length that is 128 bit and 256 bit, respectively. The 256 bit algorithm provides a much more secure protocol than 128 bit algorithm.

Do I need 256-bit encryption? ›

The U.S. government requires that all sensitive and important data be encrypted using 192- or 256-bit encryption methods.

How safe is 256-bit encryption? ›

AES-256 encryption is extremely secure. It is the most secure encryption algorithm available today and is used extensively in government and military applications, as well as by businesses operating in highly regulated industries.

What is 256-bit encryption even used for? ›

All the data communicated between browsers and websites are encrypted with 256-bit encryption. Even extremely sensitive financial data of government, military, or any other special departments, prefer AES-256-bit encryption methods rather than AES-128 or AES-192 block ciphers.

Who uses 128-bit encryption? ›

Because of that, 128-bit encryption is commonly used for online banking, e-commerce transactions, and communication between devices. It provides a high level of security and is considered to be very difficult to crack, even by advanced hackers using powerful computers and sophisticated software.

Can quantum computers break AES 256? ›

AES 256 is Quantum-Resistant, Capable of Withstanding Brute-Force Attack By QuSecure, Inc. The National Institute of Standards and Technology (NIST) has yet to announce its final list of post-quantum security algorithms and encryption schemes designed to resist quantum computer attacks.

How long would it take a quantum computer to crack 256-bit encryption? ›

It just takes a long time. Currently 256-bit encryption would take about 6.4 quadrillion years to produce a number sieve probable for decrypting a message encrypted with it. A quantum computer, in theory, could do it faster. Maybe in a couple months to a few weeks.

How long would it take to break 256-bit encryption? ›

With a symmetric encryption key 256 bits long (2 to the 256th power possible combinations!), on current hardware it would take literally millions of years.

Does key size matter in encryption? ›

Key length is equal to the number of bits in an encryption algorithm's key. A short key length means poor security. However, a long key length does not necessarily mean good security. The key length determines the maximum number of combinations required to break an encryption algorithm.

Is 128-bit encryption unbreakable? ›

It is one of the most secure encryption methods used in most modern encryption algorithms and technologies. 128-bit encryption is considered to be logically unbreakable.

What is the strongest encryption key? ›

AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today. While it is theoretically true that AES 256-bit encryption is harder to crack than AES 128-bit encryption, AES 128-bit encryption has never been cracked.

Is AES 256 enough in terms of security for today's world explain with a real time example? ›

AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. Hackers would be foolish to even attempt this type of attack. Nevertheless, no encryption system is entirely secure.

Do I need encryption on my SSD? ›

To protect against malicious hackers and organizational data breaches, it is necessary to encrypt inflight data as well as data at rest. Encryption provides a fortified layer of protection just in case unauthorized access to a computers network or storage device is somehow granted.

Does Chrome use 256-bit encryption? ›

All data that is stored by Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256.

Can hackers break AES 256? ›

AES-256 is unbreakable by brute force

Data protected by AES 256 is unbreakable by brute force. It is the strongest encryption and is almost impossible to break. A brute force attack is when a hacker checks different key combinations until he/she arrives at the correct combination.

Is there anything higher than 256-bit encryption? ›

Key Size: 256-bit vs 192-bit vs 128-bit

There are three different sizes: 256-bit AES, 192-bit AES and 128-bit AES. The largest size, 256-bit AES, is the most secure, while 128-bit is conversely the least secure of the three.

How many digits is 256-bit encryption? ›

A 256-bit private key will have 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (that's 78 digits) possible combinations.

Why don't we use 128-bit? ›

As of 2022, there are no 128-bit computers on the market. A 128-bit processor may never occur because there is no practical reason for doubling the basic register size.

Do banks use 128-bit encryption? ›

There is also the 128-bit encryption level that many companies, besides financial institutions, use to encrypt their secure data. Although this number is half the size of 256-bit, it is still incredibly large and safe when it comes to protecting data.

What is 128-bit used for? ›

128 bits is a common key size for symmetric ciphers and a common block size for block ciphers in cryptography. The IBM i virtual instruction set defines all pointers as 128-bit.

What encryption is safe from quantum computing? ›

Code-based cryptography

The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended the McEliece public key encryption system as a candidate for long term protection against attacks by quantum computers.

Can a quantum computer break AES 128? ›

Any system using public-key encryption will be vulnerable to an attack by a quantum computer and systems using certain types of AES, such as AES-128, must double their current key length to be remain secure.

What encryption is vulnerable to quantum computing? ›

Much of today's modern cryptography is based on mathematical algorithms used to encrypt data. With quantum computers, attacks on encryption methods that would normally take years could be theoretically done in days with quantum computers. Asymmetric and symmetric encryption types could both be at risk.

Is AES 256 better than AES 128? ›

Picking Between AES-128 and AES-256

AES-128 is faster and more efficient and less likely to have a full attack developed against it (due to a stronger key schedule). AES-256 is more resistant to brute force attacks and is only weak against related key attacks (which should never happen anyway).

Will quantum computers break all encryption? ›

Researchers typically estimate that it will be many years until quantum computers can crack cryptographic keys—the strings of characters used in an encryption algorithm to protect data—faster than ordinary computers.

Can a quantum computer crack AES encryption? ›

AES is considered secure against classical computers, but it is vulnerable to quantum attacks. To understand why AES is vulnerable to quantum attacks, it is important to understand how the algorithm works. AES uses a key to encrypt and decrypt data. The key is typically 128 bits, 192 bits, or 256 bits in length.

What is the recommended key size for AES? ›

Advanced Encryption Standard (AES) keys are symmetric keys that can be three different key lengths (128, 192, or 256 bits). AES is the encryption standard that is recognized and recommended by the US government. The 256-bit keys are the longest allowed by AES.

How fast can a quantum computer crack a password? ›

Most of the updated algorithms being used are currently "secure enough" for the time being until quantum computing is developed further specifically for bruteforcing passwords or cracking hashes. At minimum it would take a month, or up to a year to crack a single "standard" strong password of constant computing.

How often should encryption keys be changed? ›

The U.S. National Institute of Standards and Technology (NIST) recommends that cryptographic keys be changed at least every three years or sooner if there are indications that the key may have been compromised.

Does using a longer key make encryption harder? ›

Encryption keys are created with algorithms designed to ensure that each key is unique and unpredictable. The longer the key constructed this way, the harder it is to break the encryption code. Both the IBM and T10 methods of encryption use 256-bit AES algorithm keys to encrypt data.

What is the recommended key size for cryptography? ›

Advanced Encryption Standard (AES) keys are symmetric keys that can be three different key lengths (128, 192, or 256 bits). AES is the encryption standard that is recognized and recommended by the US government. The 256-bit keys are the longest allowed by AES.

Does Windows 10 use 128-bit encryption? ›

Windows uses 128-bit encryption to help protect file sharing connections by default. Some devices do not support 128-bit encryption and must use 40- or 56-bit encryption.

Does Windows 10 have 128-bit encryption? ›

Windows uses 128-bit encryption for local sharing, but you can change the encryption level if you need to. Here's how to change the encryption level for file-sharing connections in Windows 10 or 11.

What are the four 4 most secure encryption techniques? ›

Symmetric encryption
  • Advanced Encryption Standard (AES)
  • Data Encryption Standard (DES)
  • Triple DES (TDES)
  • Twofish.

What is the safest encryption method? ›

AES encryption

One of the most secure encryption types, Advanced Encryption Standard (AES) is used by governments and security organizations as well as everyday businesses for classified communications. AES uses “symmetric” key encryption. Someone on the receiving end of the data will need a key to decode it.

Which is the weakest encryption? ›

Encryption algorithms such as TripleDES and hashing algorithms such as SHA1 and RIPEMD160 are considered to be weak. These cryptographic algorithms do not provide as much security assurance as more modern counterparts.

What is the weakest form of encryption? ›

The DES (Data Encryption Standard) family is a symmetric block cipher. It was designed to handle only 56-bit keys which is not enough for modern computing power. It is now considered to be weak encryption. The triple DES family improves on the original DES (Data Encryption Standard) by using 3 separate 56-bit keys.

Is 128 AES sufficient? ›

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.

How secure is 128-bit SSL? ›

Because the size of the 128-bit key is large it is computationally unfeasible to crack and hence is known as strong SSL security.

Is there 512 bit encryption? ›

The efficient hardware that implements the algorithm is also proposed. The new algorithm (AES-512) uses input block size and key size of 512-bits which makes it more resistant to cryptanalysis with tolerated area increase.

What is the strongest encryption? ›

AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today. While it is theoretically true that AES 256-bit encryption is harder to crack than AES 128-bit encryption, AES 128-bit encryption has never been cracked.

Has AES 256 been cracked? ›

In the end, AES has never been cracked yet and is safe against any brute force attacks contrary to belief and arguments. However, the key size used for encryption should always be large enough that it could not be cracked by modern computers despite considering advancements in processor speeds based on Moore's law.

What are the disadvantages of AES 128? ›

Drawbacks or disadvantages of AES

  • It uses too simple algebraic structure.
  • Every block is always encrypted in the same way.
  • Hard to implement with software.
  • AES in counter mode is complex to implement in software taking both performance and security into considerations.

Is 256 AES weak? ›

AES-256 encryption is virtually uncrackable using any brute-force method. It would take millions of years to break it using the current computing technology and capabilities. However, no encryption standard or system is completely secure. In 2009, a cryptanalysis discovered a possible related-key attack.

What is the difference between 128-bit and 256-bit SSL? ›

A 128-bit key means that there's 2^128 possible key combinations a hacker would have to try to break the encryption. A 256-bit key, on the other hand, means that there's 2^256 possible combinations — as in 2x2x2x2… meaning 2×2 multiplied a total of 256 times.

What is the strongest SSL encryption? ›

Currently, the most secure and most recommended combination of these four is: Elliptic Curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES 256 in Galois Counter Mode (AES256-GCM), and SHA384. See the full list of ciphers supported by OpenSSL.

Who uses 256-bit encryption? ›

Common Uses of 256 Bit Encryption

Encryption of stored data on third-party cloud platforms like Google Drive, Dropbox, AWS, etc. Encryption of sensitive data owned by the government and defences.

Does Bitcoin use 256-bit encryption? ›

The Bitcoin protocol mainly uses SHA-256 for all hashing operations. Most importantly, hashing is used to implement Bitcoin's Proof-of-Work mechanism. A hash is a large number, and in order for a miner to submit a block to the network, the hash of the block must be below a certain threshold.

What is 256-bit encryption today? ›

256-bit encryption is considered the strongest level of encryption since it currently uses the longest encryption key. This method requires 14 rounds of multiple processes to encrypt data and the same number of rounds to decrypt it. Imagine having to go through 14 bank vault doors to get to your target.

Article information

Author: Ouida Strosin DO
