By submitting this form, you agree to receive RealVNC education content, special offers, exciting news and product updates. You can withdraw your consent at any time. We respect your data, see our Privacy policy.

How much encryption is too much: 128, 256 or 512-bit?

Andy Clark | 02 Aug 2018


Because remote access software is designed to take control of devices at other physical locations, security is an extremely important consideration in your overall strategy. You must prevent unauthorized individuals with fraudulent or destructive intentions from gaining control of your corporate systems and resources.

While absolute security can never be fully guaranteed, applying many layers of security features is an acknowledged best practice for creating strong defences. One security capability frequently associated with remote access is data encryption; sometime referred to as end-to-end encryption. This blog explores the purpose, basic architecture of encryption and the practical differences between different levels of encryption.

The purpose of encryption

When a remote access session is established between two devices, screen image and control activities are passed back and forth, and this data must be protected to keep it confidential. You can think of this as a physical pipe through which the screen and control data is streamed.

This pipe requires a hard, external shell to stop someone from seeing what’s flowing inside and prevent them from changing it. Encryption is the mathematical shell that protects the data stream.

There are different levels of encryption that vendors refer to in their promotional materials such as 128 or 256-bit AES, which reflects the algorithm used to protect the data (AES) and how hard it is for an attacker to break in (128 or 256-bit).

To continue the pipe analogy, these different levels of encryption could be seen as pipes built to the same principles (e.g. ‘the AES technique’) but with different materials. While all the pipes are tough, some materials are more resistant then others, and will take longer and require more effort to breach.

Encryption basics

Encryption is a mathematical algorithm that is used to lock the data stream being passed between two devices (end-to-end) during a remote access session. The key to this lock is a secret number known only to the sender and receiver, and that changes with each session.

The level of encryption reflects the number of possible key combinations. The higher the number of bits of encryption the greater the number of possible keys, so the more difficult it is to compromise the encryption.

A 128-bit level of encryption has 2128 possible key combinations (340,282,366,920,938,463,463,374,607,431,768,211,456 – 39 digits long) and 256-bit AES encryption has 2256 possible key combinations (a number 78 digits long). Because of the way the mathematics works, 256-bit encryption is not twice as hard to break in to or ‘crack’ as 128-bit encryption, but 340 billion-billion-billion-billion times harder.

To crack either of these encryption levels would be extremely time consuming given the total number of possible key combinations and the current state of computer processing. ‘Extremely time consuming’ is in fact a gross understatement – even if you build a world-wide network of super-computers designed just for the purpose of trying combinations as fast as possible, it would still take more than 100 billion years on average to stumble on the right one. For comparison, the universe has only been around for 13.8 billion years.

This also assumes that you could afford the astronomical energy bills required to run the system for that long – a significant fraction of the total energy use of the planet each year, for 100 billion years. A 256-bit key would be 340 billion-billion-billion-billion times as impossible.

So why are some vendors starting to promote 512-bit encryption? They rely on busy people assuming that 512-bit is ‘twice as good’ as 256-bit, and demanding the ‘best’ for their use, even though for practical purposes they get a slower experience for no better a level of protection.

They may argue that processor technology advances, it becomes more feasible to crack existing levels of encryption. Until we see widespread adoption of cheap, powerful and reliable quantum computers, we cannot even begin to contemplate such a scenario, which is why most experts agree that 128 and 256-bit AES encryption are sufficiently complex to remain extremely robust for many years to come.

Which encryption is right for you?

So, after all this explanation, which level of encryption is appropriate for your specific environment? The answer depends on the needs of your environment, but one very important point worth making is that encryption is essential.

Be aware that there is free, open source remote access software, which provides no encryption. Using unencrypted remote access software within a business environment is simply a bad idea – it allows anyone to view and modify your remote control session, without any indication of it occurring.

The price you will pay for a commercial remote access software subscription is minor compared to the risks you will introduce to your business by using “free” unencrypted product. A single successful attack could cost your business tens of thousands of dollars in compromised bank accounts, lost data, blackmail or reputational damage. Don’t take this risk.

128-bit AES encryption is highly robust, nearly impossible to crack and is still the strong default choice for all traditional commercial applications. Hackers stand no reasonable chance of defeating 128-bit AES encryption and it is accepted as providing a very high level of security.

256-bit AES encryption is the current gold standard for future-proofing against technology that has yet to be fully developed. It is practically speaking just as hard to compromise as 128-bit, but it comes with a performance trade-off: as it takes slightly more processing to encrypt and decrypt data compared to 128-bit encryption, so there is no reason to deploy it unless truly needed.

512-bit encryption in general adds even more delay for even less genuine benefit. Until there is a major step-change is computing technology, 512-bit encryption belongs in the ‘style over substance’ category.

256-bit encryption is sufficient to protect against sustained attacks from very sophisticated criminal gangs or the resources associated with rogue state entities. Given the quality of this level of encryption, it is often mandated by standard bodies associated with the financial, medical and security industries. In particular, it’s considered safe enough to protect TOP-SECRET classified information. You should insist on 256-bit AES encryption if you have very high security requirements or if it is specified in a standard that is essential to your industry.

End-to-end data encryption is essential for any commercial deployment of remote access software. In combination with additional security features such as multi-factor authentication and controlled teams and groups, you can create a highly secure remote access strategy. The question of choosing between 128-bit and 256-bit AES encryption must be addressed individually, and the answer largely depends on the sensitivity of your data and the requirements and standards defined by your industry.

If you’re interested in learning more about encryption, here’s another great blog we found really useful. If you want to learn more about how to prioritize security as part of your remote access strategy, you can download our whitepaper below.


2019 remote access security checklist


Andy Clark

Written by Andy Clark

Chief Technology Officer, RealVNC Ltd.