Encryption Strength Guide

Practical reference for algorithm selection and hardening baselines.

Recommended Baselines

Symmetric Encryption: AES-256-GCM for new projects
Asymmetric Encryption: RSA-3072 or ECC P-256 for TLS, Ed25519 for SSH
Hashing: SHA-256 or SHA-3-256 for general use
Password Hashing: Argon2id or bcrypt (cost 12+)
TLS/SSL: TLS 1.3 only, or TLS 1.2 with strong cipher suites
Key Derivation: HKDF with SHA-256 or Argon2

Symmetric Encryption

Algorithm	Strength	Status	Use Cases
AES 128, 192, 256 bits	Excellent	Recommended	General purpose encryption, TLS, disk encryption
ChaCha20 256 bits	Excellent	Recommended	Mobile devices, modern protocols
Blowfish 32-448 bits	Good	Legacy	Legacy systems
3DES 168 bits (effective: 112)	Weak	Deprecated	None (legacy only)
DES 56 bits	Broken	Broken	None

Asymmetric Encryption

Algorithm	Strength	Status	Use Cases
RSA 2048, 3072, 4096 bits	Good to Excellent	Recommended	SSL/TLS, digital signatures, key exchange
ECC (ECDSA) 256, 384, 521 bits	Excellent	Recommended	Modern TLS, cryptocurrency, mobile
Ed25519 256 bits	Excellent	Recommended	SSH keys, digital signatures
DSA 1024, 2048, 3072 bits	Weak to Good	Deprecated	None (legacy only)

Hashing Algorithms

Algorithm	Strength	Status	Use Cases
SHA-256 256 bits output	Excellent	Recommended	Integrity checking, certificates, blockchain
SHA-384 384 bits output	Excellent	Recommended	High security applications
SHA-512 512 bits output	Excellent	Recommended	High security, long-term integrity
SHA-3 224, 256, 384, 512 bits	Excellent	Recommended	Modern applications, diversity
SHA-1 160 bits output	Broken	Broken	None (git legacy only)
MD5 128 bits output	Broken	Broken	None

Password Hashing

Algorithm	Strength	Status	Use Cases
Argon2 Configurable	Excellent	Recommended	Password hashing (preferred)
bcrypt Configurable (cost factor)	Excellent	Recommended	Password hashing
scrypt Configurable	Excellent	Recommended	Password hashing, key derivation
PBKDF2 Configurable iterations	Good	Acceptable	Password hashing (if others unavailable)