
Military-Grade Encryption: Just a Marketing Gimmick?

February 13, 2020


When you are looking for the right security solution for your company or personal data, you might be overwhelmed by the sheer volume of information available online. Today, plenty of service providers claim your data is protected by "military-grade encryption". To anyone not familiar with tech jargon, the term sounds impressive but vague. Discover below what military-grade encryption really means and why many cybersecurity experts call the phrase a marketing gimmick. 

Understanding the Basics: Encryption and Encryption Standards

Encryption has been around for thousands of years. From Julius Caesar's encoded messages to France's Great Cipher, which remained unbroken until 1893, ciphers have guarded vital information. Essentially, encryption is a way to take information and scramble it so that it looks like mumbo jumbo to anyone who intercepts it. Only someone holding the right "key" can reverse the process and decrypt the hidden information. 

A fairly simple example of this process is a website served over HTTPS. When you sign in with a password, send a message or provide vital information like credit card numbers, that private data travels in scrambled (encrypted) form. Only your device and the server you are communicating with can read it, which prevents anyone listening on the network from snooping on your password, credit card number or any other vital data. Note that HTTPS protects data in transit; once it reaches the server, how it is stored is a separate question.

According to security experts, organizations handling highly sensitive information should use strong encryption to secure emails, instant messages, text messages, phone calls, conference calls, video calls or shared files. 

Over the last fifty years, encryption standards have constantly evolved. As computing power grows and cryptanalysis improves, yesterday's best data protection standards become obsolete. The US published the Data Encryption Standard (DES) as a draft in 1975 and adopted it as a federal standard in 1977. In 1997 the DESCHALL Project publicly recovered a DES key by brute force, showing that its 56-bit key was too short. Hash functions age the same way: SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical collision attacks since 2005. By 2010, NIST no longer recommended it for digital signatures. In 2017, Google Chrome marked all SHA-1-signed HTTPS certificates as unsafe, the same year Google and CWI published the first practical SHA-1 collision.

Military-Grade Encryption Explained – What’s So “Military” About It?

In 2001, the National Institute of Standards and Technology (NIST) published FIPS 197, standardizing AES (the Rijndael cipher) as the new symmetric encryption standard. The standard is public and royalty-free, so any security service provider can use it. Use cases of AES encryption include VPNs, online payments, disk and cloud storage, databases, and email.  

Military-grade encryption usually refers to AES (Advanced Encryption Standard) with 256-bit keys, although the phrase has no formal definition; in practice it is applied to any AES key size of 128 bits or more. AES-256, typically with GCM or CCM as the mode of operation, is the NSA's current standard for protecting top-secret information, but it is not exclusive to the military. Put simply, "military-grade encryption" names the strongest widely deployed symmetric cipher, but the cipher is rarely the weak point of a system. The AES-256 block cipher has not been broken: the published attacks on the full cipher either require an unrealistic related-key setting or remain far beyond any practical computation, and to this day there is no known practical attack that would let someone read AES-encrypted data without the key. What can be broken is everything around the cipher: weak or reused keys, a misused mode of operation, or a buggy implementation. 

To a person who is not familiar with tech jargon, these letters and numbers won't mean much. The attempt to bring encryption to the masses meant translating complex technological ideas into everyday language, so security companies started to use the term "military-grade" to describe the highest-level security. The term seemed suitable, as AES is used by the US government to secure classified information and by the NSA to protect national security data. Military-grade encryption is AES-256, which differs from AES-128 and AES-192 by using a larger key (256 bits instead of 128 or 192) and more rounds of the AES algorithm (14 instead of 10 or 12), so it takes somewhat more processing power to encrypt and decrypt information.
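To make the key-size point concrete, here is an added example (written for this page in Go against the standard library's crypto/aes and crypto/cipher packages; it is not code from the original article or from any vendor). The only thing that makes the code "AES-256" rather than "AES-128" is the length of the key slice; the API, the ciphertext format and the authentication tag are otherwise identical. The last function shows a failure mode that marketing copy never mentions: reusing a nonce with GCM leaks the XOR of two plaintexts regardless of key size. The demo key and the sample messages are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAEAD builds AES-GCM from a raw key. The key length alone selects the
// variant: 16 bytes -> AES-128, 24 -> AES-192, 32 -> AES-256 ("military-grade").
// Any other length is rejected by aes.NewCipher.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a fresh random 96-bit nonce and
// returns nonce || ciphertext || 16-byte tag. aad is authenticated but not
// encrypted (a header, a record type, and so on).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := NewAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst prepends it to the sealed output.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad makes the
// tag check fail, so the caller gets an error instead of garbage plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := NewAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// NonceReuseLeak shows why key size is not the whole story. GCM is a
// counter-mode stream cipher: ciphertext = plaintext XOR keystream, and the
// keystream depends only on (key, nonce). Encrypt two messages under the same
// (key, nonce) and ct1 XOR ct2 == pt1 XOR pt2, so anyone who knows knownPt
// recovers secretPt without learning a single key bit. AES-256 does not help.
func NonceReuseLeak(key, nonce, knownPt, secretPt []byte) ([]byte, error) {
	aead, err := NewAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(knownPt) < len(secretPt) {
		return nil, errors.New("known plaintext must be at least as long as the secret one")
	}
	ct1 := aead.Seal(nil, nonce, knownPt, nil)
	ct2 := aead.Seal(nil, nonce, secretPt, nil)
	recovered := make([]byte, len(secretPt))
	for i := range recovered {
		recovered[i] = ct1[i] ^ ct2[i] ^ knownPt[i]
	}
	return recovered, nil
}

func main() {
	// Constructed demo key: 32 bytes selects AES-256. A real key comes from a KDF or CSPRNG.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	sealed, err := Seal(key, []byte("card ending 4242"), []byte("customer-record"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, sealed, []byte("customer-record"))
	fmt.Printf("AES-256-GCM round trip: %q err=%v\n", pt, err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, sealed, []byte("customer-record"))
	fmt.Println("tampered message rejected:", err != nil)

	// Fixed (reused) nonce: the same "military-grade" cipher now leaks plaintext.
	nonce := make([]byte, 12)
	rec, _ := NonceReuseLeak(key, nonce, []byte("ATTACK AT DAWN, SIR"), []byte("RETREAT AT NOON"))
	fmt.Printf("recovered via nonce reuse: %q\n", rec)
}
```

Swap the 32-byte key for a 16-byte one and every function behaves the same way, which is the whole point: a vendor saying "AES-256" tells you which key schedule runs, not whether nonces are unique, keys are stored safely, or the tag is actually checked.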

“Bank-level encryption” is another term that’s thrown around a lot by marketing specialists. It’s basically the same thing, as most banks use AES-256, AES-192 or AES-128. In fact, some banks advertise their “military-grade encryption”, in an effort to close the communication gap.

You Are Using “Military-grade Encryption” All the Time. You Just Don’t Know It 

In a blog post titled Stop calling it “Military-Grade Encryption”, Timothy Quinn writes that both “military-grade encryption” and “banking-grade encryption” should just be called “industry-standard encryption.”

AES-256 encryption has been adopted widely by many services and many pieces of software, but most of them don't call it "military-grade encryption". For example, up-to-date web browsers support AES-256 when communicating with secure HTTPS websites. Google Chrome, Mozilla Firefox, Safari, and even Internet Explorer have AES-256 support (in TLS the cipher is negotiated per connection, so AES-128-GCM is also chosen routinely and is no less secure in practice). You are probably connecting to all kinds of websites that use "military-grade encryption" without knowing it. When a VPN service advertises military-grade encryption, it means it uses AES-256, the same cipher your browser already uses; it says nothing about how the keys are managed, which mode of operation is chosen, or how securely the rest of the service is built. 

As cryptographic experts do not have a checklist labeled "military-grade encryption", it is understandable why many tech experts see the term as nothing more than a marketing gimmick for describing an industry-standard cipher.