Two phrases that you’ll often hear when companies boast about their level of security are “bank-level security” and “military-grade encryption.” They might seem like marketing buzzwords, but both phrases refer to types of encryption.
Advanced Encryption Standard
Advanced Encryption Standard (AES) was established by the U.S. National Institute of Standards and Technology (NIST) in 2001. It is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. Data is encrypted in 128-bit blocks, while the key can have one of three sizes: 128, 192, or 256 bits.
Bank-level encryption is the phrase commonly associated with AES-128, while military-grade encryption usually means AES-256. I won’t go too deep into the mathematics behind the encryption (you can read the Wikipedia entry for that) but Apple uses a minimum of AES-128 to encrypt data stored in iCloud.
A common question is: Which is more secure, AES-128 or AES-256? As with all types of encryption, it really depends on how well a company implements it. You can use the strongest encryption algorithm in the world, but if you don’t use it correctly, it doesn’t matter if it’s 128 or 256.
Even if a company is “just” using AES-128, think about how big a 128-bit key is. That means 2^128 possible keys, or, in the words of a NIST press release:
For a 128-bit key size, there are approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 (340 followed by 36 zeros) possible keys.
It should also be noted that the NSA approves AES-128 as adequate for federal government uses up through the Secret classification. AES-192 and AES-256 are used for Top Secret applications.
So although a properly used AES-256 algorithm is more secure, in the sense that a brute-force attack would take longer, that doesn’t mean AES-128 is weak. In the end, both phrases can be used as marketing buzzwords. This is why open-source software is a good thing. Open-source doesn’t necessarily mean more secure, but it does mean you can see whether the company uses encryption algorithms and other code properly.
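The point made above, that how AES is used matters more than whether the key is 128 or 256 bits, can be shown concretely. The following Go program is an added example, not code from the original post or from any vendor mentioned in it. It encrypts a constructed plaintext containing two identical 16-byte blocks with AES-256 in raw ECB mode (which Go's standard library deliberately does not offer, so the per-block loop is written here only to demonstrate the weakness) and with AES-128 in GCM mode with a fresh random nonce. The fixed keys and the plaintext are constructed for the demo; real keys must come from a CSPRNG and never be hard-coded. The larger key does nothing to hide the repeated block, while the smaller key in an authenticated mode hides it and also detects tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo keys (fixed so the run is reproducible). Hypothetical values only.
var key256 = bytes.Repeat([]byte{0x42}, 32) // 256-bit key
var key128 = bytes.Repeat([]byte{0x42}, 16) // 128-bit key

// Constructed plaintext: blocks 0 and 1 are identical, block 2 differs.
var plaintext = []byte("ATTACK AT DAWN!!ATTACK AT DAWN!!RETREAT AT DUSK!")

// encryptECB runs the raw AES block function over each 16-byte block independently.
// Identical plaintext blocks always produce identical ciphertext blocks, whatever the key size.
func encryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// encryptGCM uses AES-GCM with a fresh random nonce. Output layout: nonce || ciphertext || tag.
func encryptGCM(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// decryptGCM reverses encryptGCM; it returns an error if the ciphertext or tag was modified.
func decryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier block.
// Any repeat leaks that the corresponding plaintext blocks were identical.
func repeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c - 1
		}
	}
	return n
}

func main() {
	ecb, _ := encryptECB(key256, plaintext)
	fmt.Printf("AES-256-ECB: %d repeated ciphertext block(s)\n", repeatedBlocks(ecb))
	gcm, _ := encryptGCM(key128, plaintext)
	fmt.Printf("AES-128-GCM: %d repeated ciphertext block(s)\n", repeatedBlocks(gcm[12:]))
	gcm[len(gcm)-1] ^= 1 // flip one bit of the authentication tag
	_, err := decryptGCM(key128, gcm)
	fmt.Printf("AES-128-GCM tamper detected: %v\n", err != nil)
}
```

The only thing the 256-bit key changes in the first case is the cost of a brute-force search, which was already out of reach at 128 bits; the pattern leak comes from the mode, not the key length. Swapping key256 into encryptGCM works just as well, so the choice between AES-128 and AES-256 is the least important decision in this program.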