What does it mean if a “secure” website has 128 bit (sp?)encryption? What is encryption and what does 128 bit mean? Is this 128 bit a good encryption?
It’s probably using Kerberos or SSL (maybe TLS?) to keep it’s data encrypted and safe from sniffers on a network.
What in the computer-idoit way I asked the question led you to believe I could understand this? 
Could you dumb it down a bit.
Think of it as a way of only displaying the contents of a web page clearly when you view it on your screen and when it arrives at the server’s database after you send it. They prevent some other “hacker” or “computer nerd” from seeing your personal information, if that is the information you are sending.
Let me put the question another way. The company I work for has recently started putting out insurance information on the web. We can access claim information and other information about ourselves. I would rather this information not be accessed by anyone but me. I was assured that the 128 bit encryption would totally protect the information. Is this true?
The data is safe (basically scrambled) as it passes from the server to you and vice-versa. Presumably, anyone monitoring the connection between you and the server would see nothing but gibberish.
It is not a guarantee that whoever has your username (or ssn or whatever) and password (your credentials) could not get to that info.
Here’s my best attempt at a complete layman’s explanation:
Encryption is a method of hiding the content of a message. Alice wants to send a message to Bob, but does not one the message-boy to be able to read the message. She does something with the message to make it unreadable by anyone but Bob.
Typically, encryption uses some sort of publicly known algorithm (series of mathematical operations) on the message to produce a message which is unreadable without a “secret key”. This “secret key” is called the “key” or sometimes “password”.
If an encryption algorithm is “good”, then there is no way to decrypt the message (make it readable) without knowing the “secret key” (which presumable is only known by Bob).
One problem with some encryption algorithms is that they can be defeated by “brute force”. This is the process of trying every possible key.
Imagine, for a moment, that a key had to be a word in the English language. There are at most about 500,000 words in the English language. If a computer could try 10,000 keys per second, it would take it only 50 seconds to try all words in the English language.
128-bit encryption has to do with the size of the key. A bit is “binary-bit”; this is a number set to either zero or 1. A 128-bit key is 128 values set to zero or one. If the algorithm is “good”, the only way to decrypt it is to know how each of the 128 bits are set in the secret key. Since there are 2^128 possible keys (roughly 340,000,000,000,000,000,000,000,000,000,000,000,000 of them), that same computer which could try 10,000 per second, might now take 1,070,000,000,000,000,000,000,000 millenium to try all of the keys.
Of course, if your computer has a chip which could try 1,000,000,000,000,000,000,000 keys per second, and you had one million such chips in the computer, it might take only 10 years to try all of the keys, and perhaps an expected time of only 5 years to descrypt the message. But no one has that many fast computers – I think?!
If you used 64-bit encryption, there are only 18446744073709551616 keys. If a chip could try one million keys per second, and you had one million such chips, you could try all of the keys in about 6 months. You’d expect to guess the password after about 3 months. Its probably reasonable to assume that large organizations such as the National Security Agency have such technology (or better).
For many of the standard encryption algorithms (Data Encryption Standard, for example), no one can prove mathematically that the only way to decrypt the message is to guess they key, and that there’s no shortcut to trying all of the keys by brute force.
128 bit encryption is state of the art, if that’s what your asking. As far as I know, no-one has figured a way of cracking it that doesn’t require thousands of years of computer time. Of course, the NSA is another matter but if they want your info they’ll get it 
Aaargh - you’re ! I’ve caught the disease!
you encrypt something by creating some prime numbers and assumeing that no one can ever figure out what they are. Which is true since the thing you have to do to figure it out is beyond our technology to do anything but try every single possiblity.
something that is 1 bit long is a number 1 can be the numbers up to 1
something that is 2 bits long is a number up to the number 3
something that is 3 bits long can be any number up to the number 7
4 bits long can be anything up to the number 15
5 bits long is anything up to the number 31
6 bits " " 63
7 bits " " 128
8 bits " " 256
.
.
.
128 bits can be any number between 0 and
3.4028236692093846346337460743177e+38
(trying to explain that in no nerdy computer terms… derr)
In response to the clarification of the OP:
There are a lot of ways information can be “stolen” without brute-force descrypting the message.
- An employee of the company that stores the information could view it and sell it, or give it away.
- They could be tricked into giving it away.
- A software flaw in any of the software systems being used to guard the information could allow a hacker to enter the site and view it.
- A careless employee could allow his password to be stolen or guessed. Perhaps he uses an English word as his password, or his name, or someone’s birthday.
- Someone could hack into your computer while you’re connected to the internet, and steal the information before it even gets encrypted.
- You could enter the information enter your password when logging in to the site, but really be logging into a “fake” site which just looks like the site which sotres the insurance information. That fake site would simply take your password and use it to log in to the real site.
- Any number of other possibilities…
Most security breaches in information systems are not caused by “brute-force” password attacks, which is all that a 128-bit encryption key can protect against.
128 bit encryption used on secure Web pages hasn’t been broken in any way I’m aware of. Banking, stock trading, and other high security transactions take place on websites all the time using this encryption. Theft and break-ins happen, but I’ve never heard of the encryption being broken.
Here’s one website (there are several) which simply displays the security settings of your browser:
Didn’t someone just discover a Prime Number Generator Algorithm?
A crude one has been known for centuries: start with a number, and find all of its divisors. If it’s prime, output it. Add one to that number, and start again.
What you’re thinking of is the polynomial-time primality checking algorithm that was just recently discovered. But that’s not sufficient to crack encryption.
128-bit encryption isn’t “state of the art”, as you can always just add more bits. However, if you look at MHand’s post, you’ll see that it’s good enough for current technologies. The NSA wants your data, they’ll torture you for it.
IIRC, it’s not known whether there is a quick method of cracking all modern encryption technologies. There may well be, and it would have interesting ramifications.
To give you a rough idea of how secure 128bit encryption is: distributed.net, which uses tens of thousands of computers around the world, took 1757 days to break 64bit encryption.
DarrenS mentioned taking thousands of years for 128bit. Let’s see. For each bit we add, the time to break effectively doubles. If we imagine that Secret Shadowy Government Agency has an amazingly amazing computer that could break 64bit encryption in just one millisecond, then it would take them roughly 292 billion years to break 128bit (if I’ve finally got it right…I hate mornings). DarrenS is obviously an optimist!
On the other hand, if they have a working Quantum Computer then all bets are off. Or a quick method of factoring large numbers into their componant primes.
some people have claimed to crack 128 bit SSL codes though I am not savvy enough to know what this means in practice http://pauillac.inria.fr/~doligez/ssl/.
However, WEP 128-bit encryption definitely does not look secure because of the way it is sent http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2810563-2,00.html
The moral - not all 128 bit encryptions are equal
Yeah, the WEP one looks like a dodgy implementation. The Netscape one isn’t 128 bit though…it’s 40 bit, which used to be (I believe they’ve changed it?) the maximum strength encryption that the USA allowed to be exported. That’s why it was broken so easily (it was a simple brute force attack).
Only public-key algorithms typically use the prime number problem. Most symmetric algorithms are based on discrete logs, which is totally different math. Since the OP is asking about “128 bit” encryption, we must assume he’s asking about a symmetric algorithm since this would be a trivially short key in most public-key systems.
The phrase “128 bit encryption” is meaningless because it’s ambiguous. If you mean “AES with a 128-bit key” then it’s certainly state of the art. If you mean “Bob’s super-secret XOR code with 128-bit key”, then it’s not. In order to know anything about the security of the system, you have to know the algorithm and protocol in addition to the key length.
From the description in the OP, he’s almost certainly talking about SSL, which is a protocol. SSL includes a public-key algorithm for key exchange, a MAC algorithm, and a symmetric algorithm for encrypting the content. The 128-bit key refers to the key length used in the symmetric part. Many browsers have disabled or weakened crypto packages that would only allow 56-bit keys to be used.
For the OP, note well MHand’s comments. The fact that your company site uses “128-bit” encryption is only one small piece of the security puzzle. This part will insure that no eavesdropper on the Internet between your computer and the company server can “sniff” your data in passing. However, that threat is relatively unlikely in the real world. It’s much more likely that your information will be released because some insider steals directly from the database, an outsider cracks security on the server and steals directly from the database, or someone cracks your computer and steals from you.
It’s true that with 128-bit encryption, having someone figure out your data by simply eavesdropping on the Internet traffic is the least of your worries. But that’s the purpose.
This isn’t strategically important data he’s talking about here - the information he’s talking about normally flows unsecured through the US mail system. But they want a way to send out fairly private information over the web, and the problem is that many of their customers are wary of doing so. Everyone, even my 74 year old mom, has heard warnings about sending data over the Internet, basically because data is visible to many parties.
I think the appropriate answer to the OP is that 40 bit encryption is enough to keep most people from spending any time trying to crack it. It would still be much easier to just intercept a piece of mail and open it. 128-bit is completely secure for all practical purposes, so there is zero worry about someone cracking the code, and now all you have to worry about are the standard things you do every day to keep your customers’ data private.