TIPS & BEST PRACTICE 03. JUN 2016
Why proprietary encryption solutions are not the safest bet
There are solution providers around who develop their own encryption solutions. They claim that these solutions are ultimately secure but proof is lacking. Clever marketing lures the customer into the belief they can implicitly trust this solution to be truly secure and also does not contain any back doors. This trust is not always deserved as can be learned from the RSA software BSAFE for example.
S/MIME and OpenPGP as secure encryption solutions
There are proven standards for really secure encryption. In email encryption the international standards are S/MIME and OpenPGP which – if applied correctly – today provide the uttermost possible security.
S/MIME and OpenPGP utilize open source encryption algorithms. Everyone can find out how the keys are calculated. But it remains impossible to break the encryption. Not only the time needed to try all possible combinations is important, but the energy needed to calculate all possibilities is also a bottleneck.
You can hardly top the security of internationally recognized encryption algorithms. They are under constant scrutiny by a worldwide community of IT security experts who are constantly trying to find vulnerabilities. No single vendor can afford such an infrastructure. Instead proprietary solution providers keep the technology behind the actual encryption a secret, which is a step back in the history of cryptology, see: Security through obscurity.
There is nothing to be gained with a proprietary IT security solution as Bruce Schneier proclaimed in 1998 with what is referred to as Schneier’s law:
“Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.”