Communication Security: What Military Grade Encryption Means
For thousands of years, increasingly complex ciphers have guarded our secrets. A Mesopotamian potter shielded his prized glaze from his competitor’s eyes with a cipher. Julius Caesar sent encoded messages with a substitution cipher. France’s Great Cipher remained unbroken until 1893—eighty-two years after it fell out of use. Breaking these codes required days, sometimes years, hunched over a desk with a dictionary and a slide rule.
Then in 1943 British codebreakers built the Colossus.
Since then, our computing capabilities have grown exponentially. Asour technology changed, various entities, including thirty nations and assorted hackers, all developed new ways of acquiring information that does not belong to them. These methods include session hijacking, phishing, dictionary attacks, eavesdropping attacks—both passive and active—and spyware.
Learn how to elevate the productivity of your enterprise through secure collaboration.
Download NOW our Free Whitepaper
Given these developments, leaving your organization’s instant messages, phone calls, texts, and other essential communications unprotected islike leavingyour childhood diary on the kitchen table for your sibling’s reading pleasure. Your business communicationsneed encryption.
What is encryption?
Encryption is an act of applying a cipher to something, such as a document, video, or call. The purpose is to prevent unauthorized parties from reading, listening, or watching things they are not authorized to see.
From a child’s diary written in pig latin to a top-secretgovernment file encrypted with an AES-256 secret key that uses a password longer than most names, the intent remains the same. Encryption is all protecting information.
Understanding Encryption Standards
Over the last fifty years, as we’ve entered a period of exponential technological change and growth, our encryption standards have constantly evolved.
The US first published the Data Encryption Standard (DES) in 1975. In 1992, Eli Biham and Adi Shamir published a theoretical attack. In 1997, the DESCHALL Project publicly broke a DES key—twenty-two years after publication.
This story is not unique to encryption standards.
In 1995, the NSA published SHA-1, a cryptographic hash function. By 2005, its security was inversely related to your opponent’s bank account. The more money they had to throw at your servers, the less secure you were. By 2010, SHA-1 was no longer recommended. In 2017, web browsers stopped accepting it. SHA-1 survived unbroken for only ten years.
As technology progresses, our best data protection standards are broken and become obsolete. When you type “current encryption standards” into your favorite search engine and open an article, always check the dates. Last year’s best practice may be this year’s worst practice.
Although quantum computers are still in their infancy, they will one day break today’s best encryption. The only question is when.
As of this writing, the advanced encryption standard (AES) is the current encryption standard. It uses a 128, 192, or 256-bitkey. A 256-bitkey is more secure than a 128-bitkey.
What is military grade encryption?
Let me tell you a secret. Military grade encryption is a marketing term. Our cryptographic experts do not have a checklist labeled “military grade encryption”.Instead, we use this term as a communication tool.
Saying military grade encryption illustrates our product’s security without breaking out the jargon. Although we love discussing the strengths and weaknesses of various well studied and academically accepted algorithms, including AES-256-CCM/GCM, SHA 256, and the elliptic curves P-256 and P-521, we also understand that our customers are not necessarily cybersecurity experts. (If you are, let us know. We love talking details.)
Traditionally, military grade encryption means a key size equal to or greater than 128 bits that uses one of the US National Security Agency’s (NSA) Suite B algorithms, announced in 2005. In July 2018, the NSA moved Suite B to historic status. They plan on publishing post-quantum standards in 2024.
Until then, they specific AES-128 for secret information and AES-256 for top secret. If an entity handles both secret and top-secret information, use AES-256. Therefore, AES-256 is the current defacto standard.
When we say military grade encryptio n,we mean AES-256 with CCM/CGM as the mainmode of operation. Thisis the NSA’s current standard for top-secret information.
We’ll let you know when this changes.
Certifications, including FIPS 140-2 and Common Criteria, add an additionallayer of protection for your organization because they provide a standards-based evaluation of a given cryptographic module.
What is End-to-End Encryption (E2EE)
With end-to-end encryption, also known as E2EE and E2E encryption, only the individuals sending and receiving a message can read it. No one else has the decryption key, including the service provider.
If you take a simple text file, type “Hello“,encrypt it, and reopen it, it looks like a foreignlanguage from a science fiction novel. The same thing happens if you try to access an end-to-end encrypted message from the server. Without decrypting the message with the proper key, it’s useless.
In the unfortunate event that a badactor hacks into your servers and steals your highly encrypted information, then they’llneed either a million plus years or a major technological leap before they can read your data.
That’s why you use E2EE. It protects your data while it’s on your servers.
If you add in transit encryption, your data remains encrypted when it’smoving across the network. At rest encryption keeps your data secure on an individual device like your mobile phone or laptop.
Why do you need military grade security?
Here’s a better question. Why isn’t enterprise gradesecurity enough?
Enterprise gradesecurity and military gradesecurity are both marketing terms. However, the difference between enterprise gradesecurity and militarygrade security is the difference between thinking and knowing.
Enterprise gradesecurity has no official standards to back it up. Standards reduce uncertainty. Without one, enterprise gradesecurity means whatever the vendor wants it to mean. With enterprise grade, you may think you’re secure. Are you?
Military grade security means a company follows an established standard that countries use to protect everything from trade secrets to weapons plans. Ideally, you want a company with a proven track record working with governments and defense contractors.
Followinga standard means knowing. You know when it’s updated. Most of the time, you know why they changed it. You know leading cybersecurity experts around the world have vetted this standard and they test it daily. They are your security.
Who Needs Military Grade Security?
Cyber attacksare on the rise. 66% of Chief Audit Executives consider cybersecurity their organization’s greatest 2019 threat. No industry is immune.
The finance industry is not just trillions of dollars, euros, yuan, and yen flowing around the globe like a giant river. It is account numbers, home addresses, phone numbers, emails, credit card numbers, and credit reports. Hackers proved this again in July 2017 when they stole 400,000 UniCredit customer’s loan and biographical data.
Hospitals and health insurers with their mountains of patient data and confidential medical records represent a prime target. Whether state-run like the Norwegian hospital system, which faced a failed attempt in January 2018,or privately-owned like Anthem—a successful February 2015 hack stole 80 million customers’ personal information—military grade encryption protects your patients and gives them peace of mind.
The same applies to power companies, water boards, telecommunications firms, universities, law firms, and any other organization that routinely handles personal customer informative. Highly sensitive information like elected officials’ medical records, a CEO’s personal cellphone number, or mergers and acquisitions details is valuable to the right buyerunless they’re protectedby strong encryption.
Governments are in an even worse position. They must protect their ownsecrets as well as the private information of every citizen who files a police report, fills out a census, or pays their taxes. Following cybersecurity best practices and encrypting their data is essential.
Which communications need improved security?
The rule of thumb here is quite simple. If you use it to communicate with another person, it must be secured. It begins with AES-256, which keeps your communications confidential. Then, you add features like multi-factor authentication, organization-wide password policies, remote wipe, and intuitive user management. These help you manage your communications’ systems. End-to-end, in transit, and at rest encryption are all mandatory.
Thismeans you should secure the following:
- instant messages,
- text messages,
- phone calls,
- conference calls,
- video calls, and
- shared files.
The only unencrypted communication within your organization should be the sticky note you left on the office refrigerator.
Don’t be overwhelmed by this. Adeya’s secure communications platform offers all the communications channels your employees want, including secure instant messenger, and the security you need. Give us a call. We’re here to help.
For more industry-specific information, check out our white papers.