Library

5.3.1 Levels Of Security

For an ideal cipher, recovering plaintext without the key is impossible in principle; such a system is said to be unconditionally secure. Shannon’s bound for perfect security implies that the key must be at least as long as the plaintext—impractically large for most applications. The only known system satisfying this property is the one-time pad, whose perfect secrecy arises because each bit of ciphertext depends on a truly random key bit that is never reused. Its impracticality stems from the need to distribute as much key material as message data while maintaining absolute key secrecy.

Most practical encryption systems aim instead for computational security, meaning that the cost or time required to break the cipher exceeds the information’s value or useful lifetime. The difficulty of a brute-force attack depends primarily on the key length n: a cipher with an n-bit key has 2n possible keys, and on average half must be tested before finding the correct one.

For example, a cipher with a 56-bit key (as in the original Data Encryption Standard) has 256 possible keys—about 7.2×1016. At a rate of 109 keys per second, an exhaustive search would require roughly one year; at 1010 keys per second (easily achievable by distributing computation across a network of modern processors), the same attack would complete in about one month.

Figure 5.7 shows the approximate average time to break keys of different lengths, assuming it is necessary to test half of all possible keys. The figure accounts for improvements in available computing power as predicted by Moore’s Law, which observes that processing capability roughly doubles every 18 months (or increases tenfold every five years). A 40-bit key can now be broken within hours on a single personal computer, while 56-bit and 64-bit keys offer only temporary protection. Keys of 128 bits or longer are required for reliable long-term security and are therefore classified as strong encryption.

In practice, the computational effort needed for cryptanalysis is often less than the theoretical brute-force value because most algorithms exhibit exploitable weaknesses—shortcuts that allow an attacker to recover the key using fewer trials or less time.

Figure 5.7. Time required for cryptanalysis of a cipher, including the impact of Moore’s law.