# Security

Cryptographers consider 128-bit encryption impossible to crack, as it would take millions of years with the fastest computers to try all the combinations. On the other hand, 40- and 56-bit keys are not as strong and it is feasible to try all the combinations.

SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that even if someone did manage to decrypt a transaction, that would not mean that they would have found the server's secret key; if they wanted to decrypt another transaction, they'd need to spend as much time and effort on the second transaction as they did on the first. Of course, they would have first have to have figured out some method of intercepting the transaction data in the first place, which is in itself extremely difficult. It would be significantly easier to tap your phone, or to intercept your mail to acquire your credit card number than to somehow intercept and decode Internet Data.

Servers and browsers do encryption ranging from a 40-bit secret key to a 128-bit secret key, that is to say '2 to the 40th power' or '2 to the 128th power'. Many people have heard that 40-bit is insecure and that you need 128-bit to keep your credit card info safe. They feel that using a 40-bit key is insecure because it's vulnerable to a "brute force" attack (basically trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated when a French researcher used a network of fast workstations to crack a 40-bit encrypted message in a little over a week. Of course, even this 'vulnerability' is not really applicable to applications like an online credit card transaction, since the transaction is completed in a few moments. If a network of fast computers takes a week to crack a 40-bit key, you'd be completed with your transaction and long gone before the hacker even got started.

Of course, using a 128-bit key eliminates any problem at all because there are 2^128 instead of 2^40 possible keys. Using the same method (a networked of fast workstations) to crack a message encrypted with such a key would take significantly longer than the age of the universe using conventional technology. Remember that 128-bit is not just 'three times' as powerful as 40-bit encryption. 2^128 is 'two times two, times two, times two...' with 128 two's. That is two, doubled on itself 128 times. 2^40 is already a HUGE number, about a trillion (that's a million, million!). Therefore 2^128 is that number (a trillion), doubled over and over on itself another 88 times.