Symmetric encryption requires that the sender and receiver both use the same algorithm and the same encryption key. Decryption is simply the reverse of the encryption process -- hence the "symmetric" label.
There are numerous symmetric algorithms, but most enterprises use the Advanced Encryption Standard (AES), published in 2001 by the National Institute of Standards and Technology after five years of testing. It replaced the Data Encryption Standard (DES), which debuted in 1976 and uses a 56-bit key.
AES, which typically uses keys that are either 128 or 256 bits long, has never been broken, while DES can now be broken in a matter of hours, Moorcones says. AES is approved for sensitive U.S. government information that is not classified, he adds.
As for classified information, the algorithms used to protect it are, of course, themselves classified. "They're more of the same -- they put in more bells and whistles to make them harder to crack," says IDC analyst Charles Kolodgy. And they use multiple algorithms, he says.
The genuine weakness of AES -- and any symmetric system -- is that the sender has to get the key to the receiver. If that key is intercepted, transmissions become an open book. That's where asymmetric algorithms come in.
Moorcones explains that asymmetric systems are also called public-key cryptography because they use a public key for encryption -- but they use a different, private key for decryption. "You can post your public key in a directory with your name next to it, and I can use it to encrypt a message to you, but you are the only person with your private key, so you are the only person who can decrypt it."
The most common asymmetric algorithm is RSA (named for inventors Ron Rivest, Adi Shamir and Len Adleman). It is based on the difficulty of factoring large numbers, from which the two keys are derived.
But RSA messages with keys as long as 768 bits have been broken, says Paul Kocher, head of security firm Cryptography Research in San Francisco. "I would guess that in five years, even 1,024 bits will be broken," he says.
Moorcones adds, "You often see 2,048-bit RSA keys used to protect 256-bit AES keys."
Besides creating longer RSA keys, users are also turning to elliptic curve (EC) algorithms, based on the math used to describe curves, with security again increasing with the size of the key. EC can offer the same security with one-fourth the computational complexity of RSA, Moorcones says. However, EC encryption up to 109 bits has been broken, Kocher notes.
Sign up for Computerworld eNewsletters.