The IT Law Wiki

This wiki's URL has been migrated to the primary domain.Read more here


The IT Law Wiki


Security strength (also referred to as security level) is a number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. The security strength is specified in bits and is currently a value from the set {80, 112, 128, 192, 256}. 80 bits of security was good through December 31, 2010. Thereafter, NIST recommends 112 bits as the minimum.[1]


The appropriate security strength to be used depends on the sensitivity of the data being protected, and needs to be determined by the owner of that data (e.g., a person or an organization). For the Federal government, a minimum security strength of 112 bits is required for applying cryptographic protection (e.g., for encrypting or signing data). Note that prior to 2014, a security strength of 80 bits was approved for applying these protections, and the current transitions reflect the change to a strength of 112 bits. However, a large quantity of data was protected at the 80-bit security strength and may need to be processed (e.g., decrypted or have a digital signature verified). The processing of this already-protected data at the lower security strength is allowed, but a certain amount of risk must be accepted.


  1. Digital Signature Standard (DSS) 4 (FIPS 186-3) (June 2009).


See also[]