Key Length


What Does Key Length Mean?

Key length is equal to the number of bits in an encryption algorithm’s key. A short key length means poor security. However, a long key length does not necessarily mean good security. The key length determines the maximum number of combinations required to break an encryption algorithm.


If a key is n bits long, then there are two to the nth power (2^n) possible keys. For example, if the key is one bit long, and that one bit can either be a zero or a one, there are only two possible keys, 0 or 1. However, if the key length is 40 bits long, then there are 2^40 possible keys.

This term is also known as key size.

Techopedia Explains Key Length

Humans would be bored trying all possible keys. However, as one author put it, “Computers excel at impossibly boring tasks”. The same author stated, in a 1999 article on key length and security, that on average a computer would only have to try about half of the possible keys before finding the correct one to break the code and decipher the message. A computer capable of trying a billion keys per second would take about 18 minutes to find the correct 40-bit key. A Data Encryption Standard (DES)-breaking computer called Deep Crack, which was capable of 90 billion keys per second, took 4.5 days to find a 56-bit DES key in 1999.
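The following Python sketch is an added example, not part of the original entry. It runs an exhaustive search against every key of a short length to measure the average number of trials, then recomputes the search times quoted above from key length and rate. The SHA-256-based `toy_tag` function stands in for a real cipher, and all function names are assumptions made for illustration.

```python
import hashlib

def keyspace(bits):
    """Number of distinct keys of the given length: 2**bits."""
    return 1 << bits

def search_seconds(bits, keys_per_second, fraction=1.0):
    """Seconds needed to try `fraction` of the keyspace at a fixed rate."""
    return keyspace(bits) * fraction / keys_per_second

def toy_tag(key, bits, message):
    """Constructed stand-in for a cipher: SHA-256 over key bytes + message."""
    key_bytes = key.to_bytes((bits + 7) // 8, "big")
    return hashlib.sha256(key_bytes + message).digest()

def exhaustive_search(bits, message, tag):
    """Try keys 0, 1, 2, ... in order; return (key, number of keys tried)."""
    for candidate in range(keyspace(bits)):
        if toy_tag(candidate, bits, message) == tag:
            return candidate, candidate + 1
    raise ValueError("tag was not produced by any key of this length")

def mean_trials(bits, message=b"constructed sample message"):
    """Average trials when every possible key is equally likely to be the secret."""
    total = 0
    for secret in range(keyspace(bits)):
        found, trials = exhaustive_search(bits, message, toy_tag(secret, bits, message))
        assert found == secret
        total += trials
    return total / keyspace(bits)

if __name__ == "__main__":
    for bits in (4, 8, 10):
        print(f"{bits:2d}-bit key: {keyspace(bits):5d} keys, "
              f"mean trials {mean_trials(bits):.1f}")
    # Figures quoted in the entry, recomputed from key length and rate.
    print(f"40-bit at 1e9 keys/s, whole keyspace: "
          f"{search_seconds(40, 1e9) / 60:.1f} minutes")
    print(f"56-bit at 90e9 keys/s, half keyspace: "
          f"{search_seconds(56, 90e9, 0.5) / 86400:.1f} days")
```

Each added bit doubles both the keyspace and the mean number of trials, which is why the toy search is only run for key lengths of 10 bits or fewer.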

A common rule is that the key length must be at least as long as the message for a one-time pad, a type of encryption proven to be impossible to break if used correctly. Used correctly means the key is actually random, is as large as, or larger than, the plain text message to be secured, is never used again either in whole or in part, and is kept secret. Then the encryption algorithm will be impossible to break without the key.

The examples scale linearly. Thus, the author recommended a key length of 90 bits to provide security through the year 2016. Most 1999 algorithms had at least 128-bit keys. However, there are other security factors to consider beyond key length, such as entropy as a measure of uncertainty. In this case, the author focused on the quality of the encryption algorithm and concluded that the most effective method of breaking a given implementation of a 128-bit encryption algorithm might not be to try every possible key.

Cryptographic security is a measure of the fastest known computational attack on a cryptographic algorithm, which is also measured in bits. A symmetric-key algorithm uses the same key for encryption and decryption, while an asymmetric-key algorithm uses different keys. Today, the majority of common symmetric-key algorithms are intended to have security equal to their key length. However, there are no known asymmetric-key algorithms with this property. The cryptographic security of an algorithm cannot exceed its key length, but it may be less.

As computational power increases, key size should increase. Triple DES is the common name for the triple data encryption algorithm block cipher. It was designed to provide a relatively simple method of increasing the key length of DES to protect against brute force attacks.


Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.