
Posted Date: 6/5/2008

Security Matters: Are All Encryption-based Products Created Equal?

By Ben Halpert
If you have ever been involved in the selection process for security-related products that contain cryptographic components, you have most likely seen claims about the level of protection afforded by a specific product. However, upon deeper analysis, you discover that the encryption algorithm employed provides little or no protection. Here is how one product touts its data protection capabilities:

Your information is encrypted before it is passed across the Internet; it is also stored in encrypted form in our database. While we take every security precaution, we do not recommend storing sensitive information such as bank account passwords.

Isn't protecting sensitive information the whole point of using the product?

Information security professionals define secure encryption algorithms by three benchmarks:

  • Being based on sound mathematics
  • Having stood the test of time
  • Having been analyzed by experts and found to be sound

Unless your organization is large enough to have a full-time information security staff -- or you work at the National Security Agency (NSA), which employs more mathematicians than any other organization -- differentiating one supposedly secure encryption algorithm from another may appear to be a futile task.

To ease this process for enterprises, the U.S. and Canadian governments provide verification and validation for products that utilize encryption. The process is known as the Cryptographic Module Validation Program (CMVP). CMVP is detailed in Federal Information Processing Standard (FIPS) 140-2. A list of products that have been vetted can be found on the FIPS Validation List at http://csrc.nist.gov/groups/STM/cmvp/validation.html.

This is not to say that products not found on the validated products list should be considered insecure. Why? Mainly because companies have to pay for their product to be tested and validated in order to appear on this list. As a result, those free security products out there may not necessarily have been validated to FIPS 140-2. However, when you have a choice between two or more comparable products and one of them has been FIPS validated, that product would be the better choice. It may help you and your customers sleep better at night knowing that an independent entity validated the soundness of the encryption capabilities.

Next time you issue an RFI, or are looking at a product that utilizes encryption, make sure you include questions related to the soundness of the implementation of the cryptographic components. Alternatively, you can search the FIPS Validated Product listing yourself.


All materials on this site Copyright Edgell Communications. All rights reserved.