In the indictment that led to the expulsion of ten Russian spies from the U.S. in the summer of 2010, the FBI said that it gained access to their communications after surreptitiously entering one of the spies' homes, during which agents found a piece of paper with a 27-character password.
In other words, the FBI found it more productive to burglarize a house than to crack a 216-bit code, despite having the computational resources of the U.S. government behind it.
That's because modern cryptography, when used correctly, is rock solid. Cracking an encrypted message can require time frames that dwarf the age of the universe.
That's the case today. But within the foreseeable future, cracking those same codes could become trivial, thanks to quantum computing.
The encryption landscape
"The entire commercial world runs off the assumption that encryption is rock solid and is not breakable" says Joe Moorcones, vice president at SafeNet Inc., an information security firm in Belcamp, Md.
There are two kinds of encryption algorithms used in enterprise-level communications security -- symmetric and asymmetric (also called public-key encryption), he explains. Symmetric algorithms are typically used to send the actual information, where asymmetric algorithms are used to send both the information and the keys.
Symmetric encryption requires that the sender and receiver both employ the same algorithm and the same encryption key. Decryption is simply the reverse of the encryption process -- hence the "symmetric" name.
There are numerous symmetric algorithms available, but Moorcones says that, at the enterprise level, nearly everyone uses the Advanced Encryption Standard (AES), published in 2001 by the National Institute of Standards and Technology after five years of testing. It replaced the Data Encryption Standard (DES), which debuted in 1976 and uses a 56-bit key.
Typically using keys that are either 128 or 256 bits long, AES has never been broken, while DES can now be broken in a matter of hours, Moorcones says. AES is approved for sensitive U.S. government information that is not classified, he adds.
As for classified information, the algorithms used to protect it are, of course, themselves classified. "They're more of the same -- they put in more bells and whistles to make them harder to crack," says Charles Kolodgy, analyst at IDC, a market research firm in Framingham, Mass. And they use multiple algorithms, he says.
Though rumors have long swirled around the idea, well-respected sources universally reject the idea that AES has a "back door" that allows the government to read messages encrypted with it. "It's been too heavily scrutinized," says Paul Kocher, head of Cryptography Research Inc., in San Francisco. "They would have to put in a back door that no one else could see, and to be able to do that they would have to be years ahead of everyone else, and that is unlikely."