Strong vs. Weak Encryption – CompTIA Security+ SY0-401: 6.2


Not all encryption algorithms are alike, and some are much better than others. In this video, you’ll learn how to evaluate encryption strength and how developers can use the bcrypt library to generate secure hashes.

<< Previous Video: Transport Encryption AlgorithmsNext: Certificate Authorities >>


Through the years we’ve used many different kinds of encryption algorithms to be able to protect our data, and as the years have gone on some of these algorithms have become easier and easier to crack, whereas others have maintained their strength. And we usually categorize these as strong cryptography and weak cryptography.

Of course, regardless of the algorithm that’s used to encrypt this data, everything is always subject to brute force checking. So if somebody’s trying every possible key to try to find a way to get into your data, they can certainly go through this brute force method. But, of course, you can make keys that are so large that it would be functionally impossible to be able to try every possible key in the limited amount of time that we have here on Earth.

These strong algorithms have been here for quite some time. That’s the reason we call them strong algorithms. Other algorithms, like the Wired Equivalent Privacy or WEP that we used to use on our wireless networks, had design flaws associated with it that we found after it had been implemented. That went from being a strong encryption algorithm, and overnight turned into one that was remarkably weak.

Some strong encryption algorithms that you’ll find out there are things like PGP or AES, whereas weak encryption algorithms might be things like WEP, which of course had that design flaw, or something like DES where you had very small 56-bit keys.

These days we use triple DES and larger keys and have effectively turned that into a much stronger algorithm by modifying some of its underlying algorithm features. There is a way that you could use some of these weak keys to create a little bit more of a stronger key. By itself the weak key doesn’t protect you very well. It’s probably a very short key, and it’s subject to a lot of brute force attacks.

But you can make a weak key stronger by performing multiple processes to the same key. For instance, you could take and hash a password, and then you can hash the hash of that password, and then hash the hash of the hash of that password and so on. This is called key stretching, or key strengthening, and the only way you could then brute force that particular key is to reverse each one of those hashes to get back to the original key.

This means that if you wanted to brute force the original key, you would have to reverse that hashing every single time to try to get back to the original key. This certainly limits how much a bad guy would be able to do when he was brute forcing. It would add a lot more work to his plate. And ultimately, you’re still using a very small key, you’re simply stretching it out to provide you with more security.

If you are an application developer, you might want to use these key strengthening or key stretching algorithms, and there’s no reason to rebuild it from scratch. There are many libraries out there that you could use.

One very popular library is called bcrypt. This creates those hashes from passwords. You’ll find this in the UNIX crypt library, and it uses the Blowfish cipher to be able to do those multiple rounds of hashing one after the other after the other.

Another pre-built library you might find is the Password-Based Key Derivation Function 2 or PBKDF2. This is part of RSAs key standards, and you’ll find it written up in PKCS #5, and it’s also part of RFC 2898.

If you are an application developer, there’s some already pre-built ways that would allow you to keep your information secure so that you can do your development work and not have to worry about all of the underlying cryptographic algorithms.