Communication Security: What Military Level Encryption Means
For thousands of years, increasingly complex ciphers have guarded our secrets. A Mesopotamian potter shielded his prized glaze from his competitor’s eyes with a cipher. Julius Caesar sent encoded messages with a substitution cipher. France’s Great Cipher remained unbroken until 1893—eighty-two years after it fell out of use. Breaking these codes required days, sometimes years, hunched over a desk with a dictionary and a slide rule.
Then in 1943 British codebreakers built the Colossus.
Since then, our computing capabilities have grown exponentially. As our technology changed, various entities – including thirty nations and assorted hackers – all developed new ways of acquiring information that does not belong to them. These methods include session hijacking, phishing, dictionary attacks, eavesdropping attacks—both passive and active—and spyware.
Learn how to elevate the productivity of your enterprise through secure collaboration & encrypted messaging.
Download NOW our Free Whitepaper
Given these developments, leaving your organization’s instant messages, phone calls, texts, and other essential communications unprotected is like leaving your childhood diary on the kitchen table for your sibling’s reading pleasure. Your business communications need encryption.
What is military level encryption?
Encryption is an act of applying a cipher to something, such as a document, video, or call. The purpose is to prevent unauthorized parties from reading, listening, or watching things they are not authorized to see.
From a child’s diary written in pig Latin to a top-secret government file encrypted with an AES-256 secret key that uses a password longer than most names, the intent remains the same. Encryption is all about protecting information.
Understanding Encryption Standards
Over the last fifty years, as we’ve entered a period of exponential technological change and growth, our encryption standards have constantly evolved.
The US first published the Data Encryption Standard (DES) in 1975. In 1992, Eli Biham and Adi Shamir published a theoretical attack. In 1997, the DESCHALL Project publicly broke a DES key—twenty-two years after publication.
This story is not unique to military-grade encryption standards.
In 1995, the NSA published SHA-1, a cryptographic hash function. By 2005, its security was inversely related to your opponent’s bank account. The more money they had to throw at your servers, the less secure you were. By 2010, SHA-1 was no longer recommended. In 2017, web browsers stopped accepting it. SHA-1 survived unbroken for only ten years.
As technology progresses, our best data protection standards are broken and become obsolete. When you type “current encryption standards” into your favourite search engine and open an article, always check the dates – last year’s best practice may be this year’s worst.
Although quantum computers are still in their infancy, they will one day break today’s best encryption. The only question is when.
As of this writing, the advanced encryption standard (AES) is the current encryption standard. It uses a 128, 192, or 256-bitkey. A 256-bitkey is more secure than a 128-bitkey.
What is military level encryption?
Let me tell you a secret: military level encryption is a marketing term. Our cryptographic experts do not have a checklist labelled “military level encryption”. Instead, we use this term as a communication tool.
Saying military level encryption illustrates our product’s security without breaking out the jargon. Although we love discussing the strengths and weaknesses of various well studied and academically accepted algorithms, including AES-256-CCM/GCM, SHA 256, and the elliptic curves P-256 and P-521, we also understand that our customers are not necessarily cybersecurity experts. (If you are, let us know – we love talking details.)
Traditionally, military level encryption means a key size equal to or greater than 128 bits that uses one of the US National Security Agency’s (NSA) Suite B algorithms, announced in 2005. In July 2018, the NSA moved Suite B to historic status. They plan on publishing post-quantum standards in 2024.
Until then, they specific AES-128 for secret information and AES-256 for top secret. If an entity handles both secret and top-secret information, use AES-256. Therefore, AES-256 is the current defacto standard.
When we say military level encryption, we mean AES-256 with CCM/CGM as the main mode of operation. This is the NSA’s current standard for top-secret information (we’ll let you know when this changes).
Certifications, including FIPS 140-2 and Common Criteria, add an additional layer of protection for your organization because they provide a standards-based evaluation of a given cryptographic module.
What is End-to-End Encryption (E2EE)
With end-to-end encryption, also known as E2EE and E2E encryption, only the individuals sending and receiving a message can read it. No one else has the decryption key, including the service provider.
If you take a simple text file, type “Hello”, encrypt it, and reopen it, it looks like a foreign language from a science fiction novel. The same thing happens if you try to access an end-to-end encrypted message from the server. Without decrypting the message with the proper key, it’s useless.
In the unfortunate event that someone hacks into your servers and steals your highly encrypted information, then they’ll need either a million years or a major technological leap before they can read your data.
That’s why you use E2EE. It protects your data while it’s on your servers.
If you add in transit encryption, your data remains encrypted when it’s moving across the network. At rest encryption keeps your data secure on an individual device like your mobile phone or laptop.
Why do you need military level security?
Here’s a better question. Why isn’t enterprise level security enough?
Enterprise level security and military level security are both marketing terms. However, the difference between enterprise level security and military level security is the difference between thinking and knowing.
Enterprise level security has no official standards to back it up. Standards reduce uncertainty. Without one, enterprise level security means whatever the vendor wants it to mean. With enterprise level, you may think you’re secure. Are you?
Military level security means a company follows an established standard that countries use to protect everything from trade secrets to weapons plans. Ideally, you want a company with a proven track record working with governments and defense contractors.
Following a standard means knowing. You know when it’s updated. Most of the time, you know why they changed it. You know leading cybersecurity experts around the world have vetted this standard and they test it daily. They are your security.
Who Needs Military Level Security?
Cyber-attacks are on the rise. 66% of Chief Audit Executives consider cybersecurity their organization’s greatest 2019 threat. No industry is immune.
The finance industry is not just trillions of dollars, euros, yuan, and yen flowing around the globe like a giant river. It is account numbers, home addresses, phone numbers, emails, credit card numbers, and credit reports. Hackers proved this again in July 2017 when they stole 400,000 UniCredit customer’s loan and biographical data.
Hospitals and health insurers with their mountains of patient data and confidential medical records represent a prime target. Whether state-run like the Norwegian hospital system, which faced a failed attempt in January 2018, or privately-owned like Anthem—a successful February 2015 hack stole 80 million customers’ personal information—military level encryption protects your patients and gives them peace of mind.
The same applies to power companies, water boards, telecommunications firms, universities, law firms, and any other organization that routinely handles personal customer informative. Highly sensitive information like elected officials’ medical records, a CEO’s personal cell phone number, or mergers and acquisitions details is valuable to the right buyer unless they’re protected by strong encryption.
Governments are in an even worse position. They must protect their own secrets as well as the private information of every citizen who files a police report, fills out a census, or pays their taxes. Following cybersecurity best practices and encrypting their data is essential.
Which communications need improved security?
The rule of thumb here is quite simple. If you use it to communicate with another person, it must be secured. It begins with AES-256, which keeps your communications confidential. Then, you add features like multi-factor authentication, organization-wide password policies, remote wipe, and intuitive user management. These help you manage your communications’ systems. End-to-end, in transit, and at rest encryption are all mandatory.
This means you should secure the following:
- instant messages,
- text messages,
- phone calls,
- conference calls,
- video calls, and
- shared files.
The only unencrypted communication within your organization should be the sticky note you left on the office refrigerator.
Don’t be overwhelmed by this. Adeya’s secure communications platform offers all the communications channels your employees want, including secure instant messenger, and the security you need. Give us a call. We’re here to help.
For more industry-specific information, check out our white papers.