August 15, 2017

How Strong is Cord3’s Encryption?

Cord3 uses the standard AES (Advanced Encryption Standard) algorithm to encrypt information. AES is a symmetric encryption algorithm – it is “symmetric” because the same key is used for encryption and decryption. Unlike most products that provide encryption, Cord3 only uses symmetric cryptography and does not use public-key cryptography when encrypting information. More on why that’s important below …

Cord3 uses AES with random 256-bit keys. The beauty of random keys is that an attacker has no information, so an attacker must use a “brute-force” approach by testing each possible key to see if it is the correct one. Since there is nothing secret about the AES algorithm itself, the security comes from the keys being random and secret.

Each 256-bit key has 2256 possibilities. How many possibilities is that and how long would it take an advanced computer to search through all of those possibilities? Hold on to those questions and read on. The answers are amazing.

Each bit of a single 256-bit key has two possibilities (technically, either a 0 or 1). So, the number of possibilities for a 256-bit key can be written as 2x2x2x2x2x2x…. with 2 being multiplied by 2 a total of 256 times. The result is an astronomically huge number, so let’s break it down so you can see just how strong 256-bit keys are.

One way to break down this calculation is to separate the long string of 2’s multiplied together into two equal halves, with the two halves being multiplied together. Each half would be 2x2x2x2 … a total of 128 times (half of 256). Another way of writing 2 multiplied by itself 128 times is 2128.

The result is as follows:

(2x2x2x2x2 … 128 times) x (2x2x2x2x2 … 128 times)

=  2128 x 2128

So, how big is just 2128?

It turns out that 2128 is itself a massive number. Here is what 2128 equals:

2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

If you’re interested, the technically correct way to say that number is “340 undecillion”.

A random 128-bit key has 340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities that may need to be tried in a brute-force attack. Even assuming an incredibly powerful computer, conservative estimates are that it would take millions of years to brute-force search a random 128-bit key.

Even though a 256-bit key is only twice the length of a 128-bit key, it has 2128 more possibilities. That means a 256-bit key has this many possibilities:

340,282,366,920,938,463,463,374,607,431,768,211,456

x

340,282,366,920,938,463,463,374,607,431,768,211,456

Wow – if it would take millions of years to search a single 128-bit key, it would take billions upon billions upon billions of years to search all the possibilities for a single 256-bit key. It is difficult to write down how long it would it take, actually, because even “billions upon billions upon billions of years” is not really an accurate way to characterize how long it would take. Without worrying about the details, it would take so incredibly long to brute-force attack a single 256-bit key that nobody would ever really bother trying.

No improvements in computing power will ever make brute-force searching of 256-bit keys even remotely feasible. Recall that the above time is what would be required to brute-force attack a single key. Cord3 uses a different, random, 256-bit key for each piece of secure information!

 

Why should you care about the strength of the cryptography used by Cord3?

While brute-force attacks on random AES 256-bit keys are completely unrealistic, such is not the case for the other type of cryptography, known as public-key cryptography. In contrast to the future-proof nature of random keys and symmetric cryptography, widely used public-key cryptography algorithms are considered to be seriously threatened by potential developments in quantum computing, as described by the US National Institute of Standards and Technology (NIST):

“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use.” – NIST

The timeframe of the threat of quantum computing breaking public-key cryptography is significant because the threat is expected to be realized in the next two decades.

“Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use.” – NIST

Fortunately, symmetric cryptography is not susceptible to advances in quantum computing. As stated on Wikipedia,

In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms … are considered to be relatively secure against attacks by quantum computers”         – Wikipedia

To protect your information against attackers today and advances in quantum computing in the future, the answer is to use AES with random 256-bit keys … and to avoid the use of public-key cryptography as part of the solution for encrypting data at rest.

Most encryption solutions today use public-key cryptography together with a symmetric algorithm such as AES. You need to be cautious about using those approaches for encrypting data at rest. The strength of the symmetric cryptography is completely undermined if the public-key cryptography can be broken.