What is Military Grade Encryption?

What comes to mind when you hear the phrase “military grade”? Something strong and tough? Protection against disaster and destruction? That’s why marketers use it. So many products – from smartphone cases to notebooks – are labelled as military grade.

Encryption software is no exception. But what are you actually getting? Is there really any such thing as military grade encryption?

Who decides what the standards are for the Federal government? Who makes the decisions on the type of computers that are used, the rules for passwords, and what type of encryption is used? That comes from the National Institution of Standards and Technology (NIST). NIST, one of the oldest physical laboratories in the world, is in charge of developing standards. They have created scientific standards and measurements for everything from vaccine storage to protective equipment for firefighters.

NIST is also responsible for developing standards and guidelines for encryption software. These are published as Federal Information Processing Standards, or FIPS. Then, the actual IT management across Federal agencies is conducted by the Office of Management and Budget.

Starting in 1976, the Federal government used Data Encryption Standard (DES) to encrypt files. But by the mid-1990s, it was becoming clear that DES was far too weak to withstand the potential power and speed of modern computers. In 1997, a group of computer scientists successfully broke DES. That same year, NIST decided to create a standard called Advanced Encryption Standard (AES). Instead of creating the algorithm themselves, NIST put out a call for cryptographers to create one for them.

After years of testing, NIST selected an algorithm called Rijndael, developed by the Belgian cryptographers Vincent Rijman and Joan Daemen. While DES had a key length of 56 bits, AES has key lengths of 128, 192, and 256 bits. When we say that an encryption key has a length of 128 bits, that means it has 2¹²⁸ possible values. That is roughly 340 undecillion. Or to be precise, 340,282,366,920,938,463,463,374,607,431,768,211,456.

As I said earlier, NIST creates standards for the Federal government and publishes them in papers called FIPS. These standards are intended for civilian Federal agencies and government contractors. But AES is the only publicly available encryption method approved by the NSA to protect Top Secret information. A more accurate term would be “Federal-standard encryption,” but that doesn’t have quite the same ring to it.