You must prevent unauthorized individuals with fraudulent or destructive intentions from gaining control of your corporate systems and resources.
While absolute security can never be fully guaranteed, applying many layers of security features is an acknowledged best practice for creating strong defences. One security capability frequently associated with remote access is data encryption; sometime referred to as end-to-end encryption.
This blog explores the purpose, basic architecture of encryption and the practical differences between different levels of encryption.
The purpose of encryption for remote access
When a remote access session is established between two devices, screen image and control activities are passed back and forth, and this data must be protected to keep it confidential. You can think of this as a physical pipe through which the screen and control data is streamed.
This pipe requires a hard, external shell to stop someone from seeing what’s flowing inside and prevent them from changing it. Encryption is the mathematical shell that protects the data stream.
There are different levels of encryption that vendors refer to in their promotional materials such as 128 or 256-bit AES, which reflects the algorithm used to protect the data (AES) and how hard it is for an attacker to break in (128 or 256-bit).
To continue the pipe analogy, these different levels of encryption could be seen as pipes built to the same principles (e.g. ‘the AES technique’) but with different materials. While all the pipes are tough, some materials are more resistant than others, and will take longer and require more effort to breach.
Encryption is a mathematical algorithm that is used to lock the data stream being passed between two devices (end-to-end) during a remote access session. The key to this lock is a secret number known only to the sender and receiver, and that changes with each session.
The level of encryption reflects the number of possible key combinations. The higher the number of bits of encryption the greater the number of possible keys, so the more difficult it is to compromise the encryption.
A 128-bit level of encryption has 2128 possible key combinations (340,282,366,920,938,463,463,374,607,431,768,211,456 – 39 digits long) and 256-bit AES encryption has 2256 possible key combinations (a number 78 digits long).
Because of the way the mathematics works, 256-bit encryption is not twice as hard to break in to or ‘crack’ as 128-bit encryption, but 340 billion-billion-billion-billion times harder.
What would it take to break in?
To crack either of these encryption levels would be extremely time consuming given the total number of possible key combinations and the current state of computer processing.
‘Extremely time consuming’ is in fact a gross understatement – even if you build a world-wide network of super-computers designed just for the purpose of trying combinations as fast as possible, it would still take more than 100 billion years on average to stumble on the right one. For comparison, the universe has only been around for 13.8 billion years.
This also assumes that you could afford the astronomical energy bills required to run the system for that long – a significant fraction of the total energy use of the planet each year, for 100 billion years. A 256-bit key would be 340 billion-billion-billion-billion times as impossible.
Is 256-bit the maximum level of encryption for remote access software?
So why are some vendors starting to promote 512-bit encryption? They rely on busy people assuming that 512-bit is ‘twice as good’ as 256-bit, however the original AES standard only specified 3 key sizes – 128, 192 and 256 bits.
These key sizes have been proven to be cryptographically secure, so although 512-bit AES could be theoretically created, it wouldn’t be tried and tested.
They may argue that as processor technology advances, it becomes more feasible to crack existing levels of encryption. Until we see widespread adoption of cheap, powerful and reliable quantum computers, we cannot even begin to contemplate such a scenario, which is why most experts agree that 128 and 256-bit AES encryption are sufficiently complex to remain extremely robust for many years to come.
Which encryption level is best for remote connections?
So, after all this explanation, which level of encryption is appropriate for your specific environment? The answer depends on the needs of your environment, but one very important point worth making is that encryption is essential.
Be aware that there is free, open-source remote access software, which provides no encryption out of the box. Using unencrypted remote access software within a business environment is simply a bad idea – it allows anyone to view and modify your remote control session, without any indication of it occurring.
The price you will pay for a commercial remote access software subscription is minor compared to the risks you will introduce to your business by using “free” unencrypted product. A single successful attack could cost your business tens of thousands of dollars in compromised bank accounts, lost data, blackmail or reputational damage. Don’t take this risk.
Choosing the best level for your needs
128-bit AES encryption
• Highly robust
• Nearly impossible to crack
• Still the strong default choice for all traditional commercial applications
• Accepted as providing a very high level of security
256-bit AES encryption
• Current gold standard for futureproofing against new technology
• Even harder to compromise than 128-bit
• Takes more processing power to encrypt and decrypt data, can lower performance
• No reason to deploy it unless it is truly needed e.g. military/government
256-bit encryption is sufficient to protect against sustained attacks from very sophisticated criminal gangs or the resources associated with rogue state entities. Given the quality of this level of encryption, it is often mandated by standard bodies associated with the financial, medical and security industries.
In particular, it’s considered safe enough to protect TOP-SECRET classified information. You should insist on 256-bit AES encryption if you have very high security requirements or if it is specified in a standard that is essential to your industry.
So, what’s the verdict?
End-to-end data encryption is essential for any commercial deployment of remote access software. In combination with additional security features such as multi-factor authentication and controlled teams and groups, you can create a highly secure remote access strategy.
The question of choosing between 128-bit and 256-bit AES encryption for remote desktop connections must be addressed individually, and the answer largely depends on the sensitivity of your data and the requirements and standards defined by your industry.
Of course, whichever level of encryption you go for, it’s not the only thing to consider when ensuring your data stays safe during a remote desktop session. Making sure you have unique passwords, staying off public Wi-Fi, and keeping track of your old accounts all contribute to your overall security. If you are interested in learning more, read our Remote Access Security Checklist
With VNC Connect Professional, every connection is end-to-end 128-bit AES encrypted. Or, with an Enterprise subscription, you can increase this to 256-bit AES encryption. Give it a try with a 14-day free trial of VNC Connect.