Apple’s recent revelation about a U.S. government order to create a “backdoor” for undermining iPhone encryption will leave lots of people wondering which encryption methods are reliable. Here’s a quick run-down of which encryption algorithms to trust, and which ones are flawed.
First, you should understand that there are three basic ways that encryption can be broken:
- Keys can be brute-forced: attackers systematically try every possible key until one turns a known ciphertext back into sensible plaintext. This works when the number of possible keys (the key space) is too small for the attacker's hardware, which is the situation with any cipher that uses short keys.
- Encryption can be broken because of accidental implementation flaws, such as a weak random number generator during key creation, that let attackers predict or recover the key even though the algorithm itself is sound.
- Deliberate "backdoors" are engineered into the encryption scheme (or into the random numbers it relies on) that allow people with knowledge of the backdoor to recover keys.
Some encryption attacks rely on a combination of these methods. And there are other ways to exploit encryption, including side-channel attacks at the hardware level. But the three methods above are the ones that matter most for data stored and exchanged online.
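To make the first failure mode concrete, here is what a known-plaintext brute force actually looks like, as an added example that is not code from the original article. It uses DES, whose key is 64 bits on paper but only 56 bits in practice because one bit per byte is a parity bit the cipher ignores. To keep the run short the search is told the first six key bytes and recovers the remaining 16 bits by trying all of them; the plaintext, the key and the "victim" are constructed for the demonstration, and the same loop over all 56 bits is exactly what purpose-built DES crackers have done since the late 1990s.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// Constructed sample data for the demonstration (not from any real system).
// An attacker doing a known-plaintext brute force has one plaintext block and
// the ciphertext the victim produced from it; the key is what they are after.
var knownPlain = []byte("ATTACK@1") // exactly one 8-byte DES block

// The victim's key. The search below is only given the first six bytes and has
// to recover the remaining 16 bits by trying every possibility.
var secretKey = []byte{0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1}

// desEncryptBlock encrypts a single 8-byte block under key (raw DES, no mode).
func desEncryptBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// effectiveKey clears the low bit of every key byte. DES treats that bit as a
// parity bit and ignores it, which is why a 64-bit DES key has only 56 bits of
// strength: keys that differ only in those bits encrypt identically.
func effectiveKey(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b &^ 0x01
	}
	return out
}

// BruteForceDESSuffix tries all 2^16 values for the last two key bytes, with the
// first six bytes given, and returns the first key that maps plain to cipherText,
// together with how many keys were tried before it was found.
func BruteForceDESSuffix(prefix6, plain, cipherText []byte) (key []byte, tries int, found bool) {
	candidate := make([]byte, des.BlockSize)
	copy(candidate, prefix6[:6])
	for i := 0; i < 1<<16; i++ {
		binary.BigEndian.PutUint16(candidate[6:], uint16(i))
		tries++
		out, err := desEncryptBlock(candidate, plain)
		if err != nil {
			return nil, tries, false
		}
		if bytes.Equal(out, cipherText) {
			return append([]byte(nil), candidate...), tries, true
		}
	}
	return nil, tries, false
}

func main() {
	ct, err := desEncryptBlock(secretKey, knownPlain)
	if err != nil {
		panic(err)
	}
	key, tries, ok := BruteForceDESSuffix(secretKey[:6], knownPlain, ct)
	fmt.Printf("found=%v after %d keys, key=%x, effective bits match=%v\n",
		ok, tries, key, bytes.Equal(effectiveKey(key), effectiveKey(secretKey)))
	// This loop covers 2^16 keys in a fraction of a second. The full DES key
	// space is 2^56, about a trillion times larger, which is within reach of
	// dedicated hardware; AES-128's 2^128 keys are not, by a factor of 2^72.
}
```

Note that the recovered key may differ from the victim's key in the parity bits (0xDE 0xF0 instead of 0xDF 0xF1); both keys encrypt identically, which is the point of the 56-bit figure.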
State of Encryption Algorithms in 2016
So, which encryption methods are known to be subject to one or more of the above flaws? And which ones can you trust? Here’s a list of the main algorithms, and their current reliability:
- AES: this is the most thoroughly analyzed and most trusted symmetric cipher in use today, and the one to prefer. Both 128-bit and 256-bit keys are far beyond brute force: each extra bit doubles the work, so a 128-bit key already needs 2^72 times the effort of DES. 256-bit keys add a long-term safety margin at little cost, so prefer them where offered, but a service using AES-128 is not weak. The practical risk with AES is how it is used rather than the key length: a mode of operation that leaks patterns (ECB), a mode that does not authenticate the ciphertext, a reused nonce, or a poorly protected key.
- DES: this is an older (1977) cipher with a 56-bit key, which is exactly the first failure mode above. The key space is small enough that a purpose-built machine brute-forced it in days in 1998, and modern hardware does far better, so DES should be treated as broken. Its successor Triple DES (3DES) resists brute force but is slow and keeps DES's 64-bit block size, which limits how much data can safely be encrypted under one key, and it is being retired. Avoid services that use either.
- RSA: this is the most widely used public-key algorithm, relied on across the Web for exchanging session keys and signing certificates. The algorithm itself remains sound when keys are at least 2048 bits and a modern padding scheme is used (OAEP for encryption, PSS for signatures). Its weak spots are in implementations: keys generated with a poor random number generator can end up sharing a prime factor with another key, in which case anyone holding both public keys can recover a private key with a simple GCD computation, and older padding schemes have been broken through padding-oracle attacks. So the question is not whether to avoid RSA but whether the implementation is current: avoid services with RSA keys shorter than 2048 bits or with other signs of careless key generation, and note that elliptic-curve alternatives are increasingly preferred for new systems.
- Twofish: this algorithm, an AES finalist, has no practical attacks known against it and is about as trustworthy as AES. It is less widely deployed mainly because AES has received far more scrutiny and has hardware acceleration in most modern CPUs, so Twofish is usually slower in practice. It's safe to use services that depend on Twofish (some disk-encryption tools offer it) when you can find them.
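The RSA weak spot just described, a poor random number generator producing keys that share a prime, is easy to see in code. The following is an added example, not code from the original article: it builds textbook RSA keys from explicit primes so a faulty generator can be simulated (two keys that "randomly" picked the same prime p), then plays the attacker, who sees only the two public moduli and recovers a private key with one GCD. All keys and the message are constructed for the demonstration, and the raw RSA arithmetic is shown without OAEP padding purely so that the recovery is visible; real systems need the padding.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// rsaKey holds a textbook RSA key: modulus N, public exponent E, private exponent D.
// No padding is applied anywhere in this file; that is deliberate for the demo only.
type rsaKey struct {
	N, E, D *big.Int
}

var publicExponent = big.NewInt(65537)

// keyFromPrimes derives a key pair from two primes: N = p*q, D = E^-1 mod (p-1)(q-1).
func keyFromPrimes(p, q, e *big.Int) (*rsaKey, error) {
	one := big.NewInt(1)
	n := new(big.Int).Mul(p, q)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	if d == nil {
		return nil, errors.New("e is not invertible mod phi(n); pick other primes")
	}
	return &rsaKey{N: n, E: new(big.Int).Set(e), D: d}, nil
}

// GenerateSharedPrimeKeys simulates a faulty key generator: two devices whose
// random number generator produced the same "random" prime p, each paired with
// a different second prime. Each key looks perfectly normal on its own.
func GenerateSharedPrimeKeys(bits int) (*rsaKey, *rsaKey, error) {
	for {
		p, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, nil, err
		}
		q1, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, nil, err
		}
		q2, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, nil, err
		}
		k1, err1 := keyFromPrimes(p, q1, publicExponent)
		k2, err2 := keyFromPrimes(p, q2, publicExponent)
		if err1 == nil && err2 == nil && q1.Cmp(q2) != 0 {
			return k1, k2, nil
		}
	}
}

// RecoverPrivateKey is the attacker's side and sees only the two public moduli.
// If gcd(n1, n2) is neither 1 nor n1 itself, it is a prime factor shared by both
// keys, and the complete private key for n1 follows from it immediately.
func RecoverPrivateKey(n1, n2, e *big.Int) (*rsaKey, bool) {
	g := new(big.Int).GCD(nil, nil, n1, n2)
	if g.Cmp(big.NewInt(1)) == 0 || g.Cmp(n1) == 0 {
		return nil, false
	}
	q := new(big.Int).Div(n1, g)
	k, err := keyFromPrimes(g, q, e)
	if err != nil {
		return nil, false
	}
	return k, true
}

// Encrypt and Decrypt are raw RSA: c = m^e mod n, m = c^d mod n (m must be < n).
func Encrypt(m *big.Int, k *rsaKey) *big.Int { return new(big.Int).Exp(m, k.E, k.N) }
func Decrypt(c *big.Int, k *rsaKey) *big.Int { return new(big.Int).Exp(c, k.D, k.N) }

func main() {
	// 512-bit primes give 1024-bit moduli, chosen small only so the demo is quick.
	k1, k2, err := GenerateSharedPrimeKeys(512)
	if err != nil {
		panic(err)
	}
	msg := new(big.Int).SetBytes([]byte("constructed sample message")) // fits under N
	c := Encrypt(msg, k1)

	recovered, ok := RecoverPrivateKey(k1.N, k2.N, k1.E)
	fmt.Println("shared factor found:", ok)
	if ok {
		fmt.Printf("decrypted with recovered key: %q\n", Decrypt(c, recovered).Bytes())
	}
}
```

The attack needs no weakness in RSA's mathematics, only a generator that repeats primes; that is why the list above treats RSA as trustworthy and the key-generation code around it as the thing to scrutinize.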
A final note: keep in mind that a weak encryption algorithm is only one of the potentially weak links in the online data-privacy chain. A secure algorithm on its own does not prevent other flaws, like poor key storage, poor key exchange, or a mode of operation that leaks patterns or skips authentication, from leading to data being stolen when using an online app or service.
And, of course, you can't always determine which encryption algorithm a service uses in the first place (although VPN providers, in particular, often disclose this information, and for HTTPS sites your browser's connection details show the negotiated cipher suite).
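The point that a sound algorithm does not guarantee a sound system can be shown with AES itself. The following is an added example, not code from the original article: it encrypts the same constructed plaintext (four identical records) with AES-256 twice, once with the bare block function applied block by block (ECB, "just the algorithm") and once with AES-GCM, which adds a fresh nonce and an authentication tag. The first output repeats ciphertext blocks wherever the plaintext repeats, leaking its structure; the second does not, and it also rejects a message in which a single bit has been flipped. The key is a fixed constant only for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo key (32 bytes = AES-256). A real key comes from a KDF or a
// CSPRNG and is never a fixed constant in source code.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// Constructed plaintext: four identical 16-byte records, as a fixed-format
// export or message might contain.
var demoPlaintext = bytes.Repeat([]byte("BALANCE=0000.00;"), 4)

// EncryptECB applies the raw AES block function to each 16-byte block on its own.
// This is correct AES used insecurely: equal plaintext blocks give equal ciphertext.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("ECB demo requires block-aligned input")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// CountRepeatedBlocks reports how many 16-byte ciphertext blocks duplicate an
// earlier one. Anything above zero means the ciphertext leaks plaintext structure.
func CountRepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// SealGCM encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag, so the receiver has everything needed to verify.
func SealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenGCM verifies the tag before returning any plaintext; a single flipped bit
// anywhere in the nonce, ciphertext, tag or associated data makes it fail.
func OpenGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	ecb, _ := EncryptECB(demoKey, demoPlaintext)
	fmt.Printf("ECB: %d repeated blocks in %x\n", CountRepeatedBlocks(ecb), ecb)

	sealed, err := SealGCM(demoKey, demoPlaintext, []byte("record-v1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("GCM: %d repeated blocks\n", CountRepeatedBlocks(sealed))

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = OpenGCM(demoKey, tampered, []byte("record-v1"))
	fmt.Println("tampered message rejected:", err != nil)
}
```

The same 256-bit key and the same cipher are used in both halves; only the mode differs, which is why "uses AES" alone says little about whether a service protects your data.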
Still, knowing how much you can trust the various encryption algorithms is a helpful piece of the puzzle to have if you want to stay private online.