The very concept of encryption raises a lot of questions for a person who has never had much to do with cybersecurity. Naturally, when you hear the term 'military-grade encryption,' it gets even more confusing. But if you’re familiar with encrypted services, you might have heard this term a lot, especially among the various VPN services.
Some cyber experts may call this phrase a marketing gimmick. Others may argue that it communicates techy stuff in a much easier way. So with this article, we want to explain what military-grade encryption means. And it's up to you to decide on which side the truth stands.
What is military-grade encryption?
Military-grade encryption refers to AES (Advanced Encryption Standard) with 256-bit keys. In 2001, AES was announced as the new standard for information security by the National Institute of Standards and Technology (NIST), a unit of the US Commerce Department.
Traditionally, military-grade encryption uses a key size equal to or greater than 128 bits. The US government specifies that AES-128 is used for secret (unclassified) information and AES-256 for top secret (classified) information. If an entity handles information of both levels, it should adopt AES-256 as its standard.
To a person who is not a cybersecurity expert, the mixture of letters and numbers won't say much. In an attempt to bring encrypted services to the mainstream, security companies started to look for a term presenting the highest-level security with less jargon. As AES is used by the US government to secure classified information and by the NSA to protect national security data, the term 'military-grade' seemed suitable.
Has AES ever been cracked?
The AES-256 block cipher hasn't been cracked yet, but there have been various attempts against AES keys. The first key-recovery attack on full AES was published in 2011 by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. The biclique attack, which is faster than a brute-force attack by a factor of about four, was used for this purpose. However, it's a minor success. The 126-bit key is not used much, as the smallest key used in AES encryption contains 128 bits.
And still, it would take billions of years to brute-force the 126-bit key in order to crack it. That’s why this attempt doesn't spell danger for information encrypted with AES. To date, there is no known practical attack that would allow someone without knowledge of the key to access AES-encrypted data, provided the encryption is implemented correctly.
How long will the AES last?
According to NIST, no one can be sure how long AES or any other cryptographic algorithm will remain secure. However, NIST's Data Encryption Standard (known as DES) was a U.S. government standard for approximately 20 years before it became hackable. AES supports significantly larger key sizes than DES does. Barring any attacks against AES that are faster than key exhaustion, and even with future advances in technology, AES has the potential to remain secure well beyond 20 years.
Do you need military-grade security?
Many skeptics would say that you don't need it as other encryption algorithms would do a good job too. However, no industry or service is immune to attacks. And services that store sensitive information, such as passwords or financial data, should not apply anything less than the recommended standard.
Back when NIST presented this standard to the public in 2001, they already expected that it would be widely adopted by the private sector. They saw and still see it as a benefit to millions of consumers and businesses for protecting their sensitive information.
So our answer is definitely yes, for several reasons. First, AES assures that the company is following the highest-level security standards. Second, it shows professionalism and respect for their users and their personal data.
Military-grade or not?
It's down to personal choice. We, as cybersecurity experts, understand that it can be difficult to explain tech jargon to the masses. Sometimes you need to use familiar comparisons to make sure that the message gets to the user. If you're a tech-savvy person, you may prefer the technical terms. Others who are seeking to close the communication gap may use the military-grade term. In our opinion, the most important thing is to understand the meaning regardless of the words used. And we hope that with this article we've answered some questions.