So, if you need end-to-end encryption, is buying from well-established companies the best plan? A recent story about the German BND and US CIA buying a prominent encryption company might provide the answer, “Not necessarily.”
The two spy agencies purchased a company and then sold compromised encryption equipment to countries they wanted to monitor.
Here’s what happened, as reported in a BBC story. A Russian inventor created a portable encryption machine at the beginning of WWII. He fled to the US, where American forces used his machines heavily during the war. After the war ended, the inventor moved to Switzerland and created a company, Crypto AG, making encryption equipment. His technology became so advanced that the US feared it might interfere with its ability to gather intelligence on other governments. It was the height of the Cold War, after all.
To prevent this from happening, the CIA and BND purchased the company and operated it from 1970 until 1993 when the BND dropped out. The CIA continued until 2018 when another company bought the firm. With the purchase, the espionage side of the company came to light.
So, what did the BND and CIA do that enabled them to read these encrypted messages? They set up rules under which certain countries could only purchase technology the spy agencies knew how to decrypt. These countries were typically those at odds with the US and West Germany. Other, friendly countries could purchase newer technology that did not allow the CIA and BND to eavesdrop.
In other words, dozens of countries purchased encryption technology from a large, respected provider, unaware that what they were buying was already compromised. Even though some of the equipment was mechanical in nature (think the German Enigma machine), the two spy agencies knew how to decrypt any communications it produced, giving them a useful backdoor.
Today, backdoors can be built into firmware, software, and hardware components. Buying encryption technology from large, well-known companies does not guarantee a backdoor-free product, as this and other examples show.
Why would a major company build in a backdoor? Wouldn’t that hurt their credibility? There are a variety of reasons why a company would take this risk, but today a common one is pressure by governments to build in access so they can gather intelligence. Top-ranked officials in the US Justice Department have cited encryption as a national security threat. When governments have this concern, it can be difficult to resist the pressure to build in flaws or backdoors.
What are the options today, with cyber attacks on the rise and the use of electronic data communications necessary for every aspect of daily life, whether you are running a business, agency, or just staying in touch?
Secure, end-to-end encryption solutions from sources that guarantee no backdoors anywhere within the solution are the answer. You should carefully consider hardware-based solutions that can provide the best encryption with an ability to generate true random numbers (the basis for encryption keys). Also, hardware-based solutions are not exposed to flaws in operating systems the way software-based encryption can be.
Here are things you need to consider when looking at encryption solutions.
- Open-source encryption algorithms rather than commercial ones (remember backdoor pressure)
- FPGA or ASIC encryption management hardware – the encryption functions are embedded at the time of manufacture so if your algorithms are free of backdoors, so is your hardware
- Oversight of the production process by trusted sources so no last-minute “flaws” can be introduced without your knowledge
If you think this last point is not realistic, consider the fact that chip maker Micro had this happen in an assembly plant run by subcontractors in China. You can read more here, but the effect was the creation of hidden doorways into company servers, where information could be stolen.
Skudo is dedicated to the creation and sale of the best end-to-end encryption solution available outside government agencies to make data communications safe in numerous applications. Here is how we do this:
- We use open-source encryption algorithms that rival the best anywhere.
- Our hardware-based approach allows us to insert these encryption functions at the time of manufacture. Or, you can purchase our hardware and manage the creation of your solution.
- We directly supervise production from start to finish, never entrusting your critical communications to a third party.
You can learn more about our latest hardware initiative here, read some of our blogs here, and learn more about our team here. Do not take your data security lightly. Even if you have the best commercial solution money can buy, it may have backdoors and exploitable flaws that render it open to attack.