Rate this article: (2 votes, average: 3.00)
In a word? Yes. In fact, 256 bit SSL encryption is actually considered the standard when it comes to website security. But when it comes to understanding 256 bit security in terms of its certificate, hashing algorithm, and keys, there’s a surprising amount you need to know. It’s not just about the certificate itself — that’s only part of the equation when it comes to website security.
Let’s dive in to what you need to know about 256 bit SSL technology.
So, when we’re talking about 256 bit security or 256 bit SSL encryption, what exactly do we mean? Generally, this term refers to the size of the key that’s used to encrypt and decrypt the ciphertext of data or files. However, in some contexts, it’s actually referring to 256 bit encryption as a SHA-2 encryption algorithm, which is among the most modern and is the most commonly used across the industry (in AES, SSL, etc.).
In this case, we’re talking about 256 bit AES encryption. AES stands for Advanced Encryption Standard, and it’s a block cipher algorithm. It uses a symmetric encryption key, meaning that it’s one shared key that can be used to both encrypt and decrypt a message. This differs from an RSA key, which is an asymmetric key that falls under the umbrella of public key encryption. Public key encryption refers to a form of encryption that which uses a pair of corresponding public and private keys to encrypt and decrypt data.
For example, when you’re talking about SSL/TLS, the asymmetric public and private keys are used to perform an SSL/TLS handshake, a process in which the identities of both parties is established, and a unique, secure (symmetric) session key is generated. This newly-created session key is then used to encrypt the communication for the rest of the session because it’s faster than its asymmetric counterpart. If the client was to leave the website and come back even just seconds later, a new handshake process would start, resulting in the issuance of a new session key.
The way that a 256 bit encryption key differs from other algorithms in the SHA-2 family — such as the 224, 384, 512 bit keys — is the number of bits it comprises. Every bit, a portmanteau of the term “binary digit,” represents the most basic unit of information in technology and consists of two possible values — 0 and 1. Remember this, as it’ll be important during what we discuss next.
This means that to crack 256 bit encryption, you’d have to guess a specific string of 256 bits — either the 0s or 1s — in its precise order. Now, keep in mind that a 256 bit key is one that can have 2256 possible combinations for cybercriminals to hack. If you’re not much of a math person, this may not sound like a lot. But since we’re talking about exponents here, let’s take a moment for a brief refresher to provide perspective.
Every exponent multiplies the number — in this case, doubles it — 256 times. This means 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2… and so on and so forth. This gives you a result of 1.157920892373162e+77. Whenever there’s a letter involved after a long string of numbers, you know it means a lot of combinations. (And headaches, for that matter. It’s something that makes my eyes glaze over after a brief period.)
But what does this equate to in terms of a more understandable number? It equates to something akin to 115,792,089,237,316,195,423,570,985,008,687,907,853,269
,984,665,640,564,039,457,584,007,913,129,639,936 possible combinations. No, I didn’t fall asleep on the keyboard — that number literally is 78 digitals long. And for a cybercriminal to crack a cipher of that length, they need to try the majority of those combinations, not just a few of them, in a massive brute force attack. But just imagine how long that would take with modern computational capabilities without the help of quantum computing. (Hint: More time than any cybercriminal has in their life, or the lives of many of their family generations to follow. According to the The SSL Store blog, “it would take millions of years to crack 256-bit AES encryption.” Some estimates say it could take billions of years. Regardless, the whole point here is that, unless by pure luck, no criminals will be breaking 256 bit encryption anytime soon.)
Not that we’re trying to make anything more confusing, but it’s important to note that symmetric and asymmetric encryption are not the same. For example, an 256 bit AES (symmetric) key is not the same as a 256 bit RSA (asymmetric) key.
When you buy a 256 bit SSL certificate, it means you’re guaranteed 256 bit encryption strength, right?
In truth, the SSL certificate is only one small part of the equation — the encryption strength claim tells you up to what level you could achieve under the right circumstances. Realistically, the actual strength of your encryption ultimately boils down to the configuration of your server and the capabilities of the client (the end user’s browser) that’s connecting to it.
This means that sometimes 256 bit encryption only provides, say, 128 bits of actual encryption strength if that’s all that the browser or your web server can handle. In each individual case, the encryption strength ultimately is contingent on the parameters decided in the handshake process as well as the capabilities of the server and client.
Want the good news? With AES which is what’s most commonly used with SSL/TLS, 256 bits really does mean 256 bits.
So, circling back to your original question: Is it safe to use 256 bit SSL encryption for website security? In the context of SSL/TLS certificates which most commonly use AES encryption, the answer is still yes. By the time anyone is going to be able to successfully crack an AES 256 bit symmetric encryption key, the key will have long since been discarded.
At ComodoSSLonline.com, all of our Comodo SSL certificate feature AES 256 bit symmetric encryption with a 2048 bit RSA signature key, or elliptic curve cryptography (ECC).
Get Comodo SSL certificates starting for as little as $7.02 per year!