Many companies use «military-grade encryption» to protect your data. If it’s good enough for the military, it should be the best — right? Well, sort of. «Military-grade encryption» is more of a marketing term that doesn’t have a precise meaning.
Basics of Encryption
Let’s start with the basics. Encryption is essentially a way of taking information and scrambling it so that it looks like nonsense. You can then decrypt this encrypted information, but only if you know how. The method of encryption and decryption is known as a «cipher», and it usually relies on a piece of information known as a «key».
For example, when you visit a website secured with HTTPS and log in with a password or provide a credit card number, that personal data is sent over the Internet in a scrambled (encrypted) form. Only your computer and the website you communicate with can understand it, which prevents people from snooping on your password or credit card number. The first time you connect, your browser and the website perform a «handshake» and exchange secrets that are used to encrypt and decrypt the data.
There are many different encryption algorithms. Some are more secure and harder to crack than others.
Rebranding of Standard Encryption
Whether you’re logging into your online banking, using a virtual private network (VPN), encrypting files on your hard drive, or storing your passwords in a secure vault, you obviously want strong encryption that’s hard to crack.
To put you at ease and to sound as secure as possible overall, many services advertise «military-grade encryption» on their websites and in advertisements.
It sounds convincing and battle-tested, but the military doesn’t actually define anything called «military-grade encryption.» This is a phrase coined by marketers. When advertising encryption as «military grade,» companies are simply saying that «the military uses it for some purpose.»
What does «military-grade encryption» mean?
Dashlane, the password manager that announced its «military-grade encryption,» explains what the term means on its blog. According to Dashlane, military-grade encryption means AES-256 encryption. This is the Advanced Encryption Standard with a 256-bit key size.
As the Dashlane blog points out, AES-256 is «the first public and open cipher approved by the National Security Agency (NSA) to protect information at the ‘top secret’ level.»
AES-256 differs from AES-128 and AES-192 in having a larger key. This means a bit more processing power used for encryption and decryption, but all that extra work should make AES-256 harder to crack.
Bank-level encryption is the same
«Bank-level encryption» is another term that is often used in marketing. It means basically the same thing: AES-256 or AES-128, which is what most banks use. In fact, some banks advertise their «military-grade encryption».
This is good encryption in widespread use. This is often considered the best, most secure option. Timothy Quinn writes that both «military-grade encryption» and «bank-grade encryption» should simply be called «standard encryption».
AES-256 is good, but AES-128 is also good
AES-256 is widely used by many services and programs. In fact, you probably use this «military encryption» all the time. You just don’t know it because most services don’t even call it «military grade encryption».
For example, modern web browsers support AES-256 when interacting with secure HTTPS websites. We’re using «modern» very loosely here — even Internet Explorer got AES-256 support with Internet Explorer 8 for Windows Vista. Chrome, Firefox and Safari support this too, of course. You are probably connecting to all sorts of sites that use «military-grade encryption» without knowing it.
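Added example (not from the original article): a Python standard-library script that lists the cipher suites a default TLS client offers, grouped by AES key length, to show that AES-256 and AES-128 are ordinary HTTPS defaults. The function names are assumptions of this sketch, and the exact suite list depends on the local OpenSSL build.

```python
import re
import ssl
from collections import defaultdict

# Matches the AES key length in OpenSSL suite names such as
# TLS_AES_256_GCM_SHA384 or ECDHE-RSA-AES128-GCM-SHA256.
AES_NAME = re.compile(r"AES[_-]?(128|192|256)")


def aes_key_bits(suite_name):
    """Return the AES key length encoded in a suite name, or None if not AES."""
    match = AES_NAME.search(suite_name)
    return int(match.group(1)) if match else None


def summarize_client_suites(context=None):
    """Group the suites a TLS client context offers by AES key length."""
    context = context or ssl.create_default_context()
    groups = defaultdict(list)
    for suite in context.get_ciphers():
        bits = aes_key_bits(suite["name"])
        label = f"AES-{bits}" if bits else "non-AES"
        groups[label].append(suite["name"])
    return dict(groups)


def weak_suites(context=None, minimum_bits=128):
    """List offered suites whose effective strength is below minimum_bits.

    A 40-bit export-era suite, if a context still offered one, would show up here.
    """
    context = context or ssl.create_default_context()
    return [s["name"] for s in context.get_ciphers()
            if s["strength_bits"] < minimum_bits]


if __name__ == "__main__":
    for label, names in sorted(summarize_client_suites().items()):
        print(f"{label}: {len(names)} suites, e.g. {names[0]}")
    print("below 128 bits:", weak_suites() or "none")
```

Run against a server-side context instead of the default client context, the same functions give a quick audit of what a service is configured to accept.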
The built-in BitLocker encryption in Windows uses AES-128 by default, but it can be configured to use AES-256. It is not «military grade» by default, but AES-128 should still be very secure and resistant to attack, and it might as well be military grade.
The 1Password password manager switched to AES-256 from AES-128 back in 2013. Jeffrey Goldberg of 1Password explained the company’s rationale at the time. He argued that AES-128 was basically just as secure, but many people felt more secure with that higher number and that «military-grade encryption».
Ultimately, whether you use AES-256, AES-128, or AES-192, you end up with pretty secure encryption. One of them may be «military grade», which is a mostly made-up term, but that doesn’t mean much.
Encryption as a munition
There is another interesting point here. If you’re wondering why encryption is so entangled with the military, you should know that it’s less entangled with the military than ever.
Cryptography has long been an important part of the war effort. It is a way for the military to transmit messages securely without them being read by enemies. Even if the enemy intercepts a message, they still have to decrypt it, so this is really useful. The ancient Romans used ciphers to disguise messages two thousand years ago under Julius Caesar. During World War II, Nazi Germany used the Enigma machine to encrypt its messages. It was famously cracked by the British and their allies, who used the information obtained from these encrypted messages to help win the war.
Therefore, it is not surprising that many governments regulate cryptography, in particular its export to other countries. Up until 1992, cryptography was on the U.S. Munitions List as «auxiliary military equipment.» You could create and possess encryption technology in the United States, but not export it to other countries. At one time, the Netscape web browser had two different versions: a domestic US version with 128-bit encryption, and an «international» version with 40-bit encryption (the maximum allowed).
The rules were changed in the mid-90s to make it easier to export encryption technology from the US.
Encryption has long been associated with the military, so it’s no surprise that the term «military-grade encryption» really seems to speak to people. This may be one of the reasons why marketing campaigns continue to use it.