Why Do We Need Encryption Standards?

“Standards” image by Picpedia.org is licensed under CC BY-SA 3.0 / A derivative from the original work

This is a question that we should be asking. The standardized encryption most organizations use today is clearly very flawed. One of the top methods of Ransomware Attack is going after a VPN connection. This is done, for the most part, through Social Engineering to get the encryption key.

Are Cyber Attacks Really That Easy?

The reason this is effective is because of encryption standards. If the encryption method was unknown, this would be nearly impossible to achieve as you would first have to figure out the encryption cipher. Having multiple standard ciphers that are based on keys and math also can be defeated as you would just need to try a list of possibilities. The only solution is to use encryption that can not be easily defeated like a Vernam Cipher

Poorly Implemented Laws Can Introduce Vulnerability

For law enforcement, it is an interesting question too and likely how we came to standardizing instead of validating encryption methods. The 1994 CALEA law was created to cover lawful intercept over the internet. It ensured carriers and equipment manufacturers had the ability to get copies of targeted Internet data. 

Once CALEA was in place, the justice department then made a system, Carnivore, that could collect and store targeted information. Through simple, deductive reasoning, what good is collecting encrypted data if you can not decrypt it? Well, it stands to reason, it’s not so good. It is rational that intercepted data can be decrypted by Nation State Actors by design (and potentially others).

This makes a strong case that encryption standards are part of this design. Your data can be easily collected off the Internet, stored and then decrypted as needed? That does not seem desirable.

Is There Any Valid Case For Encryption Standards?

With the exception of Web Browser based encryption where both sides are typically different entities and need a standard to establish encryption, standardization is really not required. Based on what we know, it is in users’ best interests to not use standard encryption when possible.

Why is Non-Standard Better?

If someone is to decrypt math based encryption en masse for government agencies, you will want to do this with a hardware solution as it is much faster. Building that hardware, you would need to know the cipher. With a non-standard, even mathematically based cipher, the cipher could be kept unknown. Discovering that cipher will provide a fairly large barrier making non-standard encryption with an unknown cipher better security. (The counter argument is that it can not be reviewed if it is unknown.)

Best: Non Key Based, Streaming Encryption

Streaming encryption does not use a key per se. A Stream Cipher does not have a short key that can be derived from algebraic equations. Instead, it sends a stream of information that can be used to encrypt data with simple, single operator calculation.

What is the Alternative to Standardization?

SmokeNet has a Department of Commerce/NSA disposition as a commodity, non-standard post-quantum encryption. This is a Stream Cipher that checks every box for maximum security. SmokeNet is also the only post-quantum encryption we know of that is quantum proof. The proposed standards are quantum resistant. This implies it is not completely secure from a Quantum Computer.

Key Based Encryption Can Be Brute Forced

Key based encryption is always susceptible to Brute Force and key deriving cryptanalysis. If you have the proof, you will be able to derive the key. Saying the equation is so complex no one can derive the key except the good guys is hubris. All the other reasons surrounding why the current encryption standards are secure are, under close scrutiny, academically flimsy or patently dishonest.

If It Is Provably Not Secure, It is NOT Secure

So, the bottom line is encryption standards are only helpful when parties need to connect that do not know each other. Even in that case, there are better solutions than key based encryption. It really is a question of standardizing the correct solution that does not use math. Math based encryption will always be provably insecure.

When you can prove something is not secure, take it at face value – it is not secure. If you need a non-mathematical narrative to convince people of security, be wary. If you can not prove something is secure with an actual proof, it is likely not secure.