Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Key Length

Training Camp • Cybersecurity Glossary

What is Key Length?

Key length is the size of a cryptographic key in bits, setting the number of possible keys (2^n) and the brute-force resistance; NIST SP 800-57 defines minimums.

Glossary > Cryptography & PKI > Key Length

Key Length — Key length is the size of a cryptographic key in bits, setting the number of possible keys (2^n) and the

Understanding Key Length

Key length is the size of a cryptographic key, measured in bits, that an algorithm uses to encrypt or decrypt data. It determines the keyspace, the total number of possible keys (2 raised to the power of the key length), and therefore how resistant a cipher is to brute-force attack. Longer keys exponentially increase the effort required to try every possibility.

Key length must be evaluated relative to the algorithm, because security depends on both. Symmetric ciphers like AES are strong at 128, 192, or 256 bits, where AES-128 already offers about 128 bits of security. Asymmetric algorithms need far longer keys for equivalent strength: roughly 3072-bit RSA is comparable to 128-bit symmetric security, while elliptic-curve cryptography achieves the same with only 256-bit keys because its underlying math is harder to break per bit. NIST SP 800-57 publishes these equivalences and recommended minimums.

For security, choosing an adequate key length is essential to keep the work factor, the computational cost of attack, beyond an adversary's reach for as long as the data must stay protected. Keys that are too short become breakable as hardware improves; 56-bit DES, for instance, is now trivially cracked. Looking ahead, large-scale quantum computers running Shor's algorithm would break current RSA and ECC regardless of key length, and Grover's algorithm halves the effective strength of symmetric keys, which is why AES-256 and post-quantum algorithms are emphasized for long-lived secrets. Cryptographic agility, the ability to swap algorithms and key sizes, is increasingly a design requirement.

For example, a government agency protecting classified data for decades selects AES-256 for symmetric encryption and ECC P-384 or post-quantum candidates for key exchange, ensuring the work factor exceeds the reach of nation-state attackers with advanced and future quantum resources. A consumer web service, by contrast, may use AES-128 with 256-bit ECDHE, which is more than sufficient for session traffic while remaining fast. Selecting key length is a core CISSP and cryptography exam concept.

Learn More About Key Length:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →