Author: Domen Savič, an Internet freedom activist from Slovenia. See more at: http://www.e-demokracija.si/cryptoparty/
The Government of Slovenia has released a national cryptography strategy draft, thus beginning to develop an overall national cryptography strategy. Cryptography has gotten a lot of attention in the past few years – worldwide and in Slovenia – most likely due to the Snowden related happenings. In Slovenia we’ve also had the recent arbitrage spying debacle between Slovenia and Croatia which again put the matter of communication cryptography into public focus.
The subject of national cryptosecurity is in Slovenia unknown and hasn’t been tackled before. Therefore a vague and an incomplete draft of the national cryptography strategy was expected. But in my opinion this draft contains some highly problematical statements and claims which do not hold up to a critical review. Implementing the actions drafted in this document would not solve the cryptography threats that exist in today’s world.
The document has highly debatable claim in the sixth article of the preface. The article states that “in our professional opinion the software and hardware solutions used for securing and encrypting our data and communication channels should not be purchased abroad. By using international encrypting solutions we are exposing our encrypting solutions and by using it we become vulnerable since everybody knows our tools. This strategy states that we should develop our own home made encrypting solutions for the purpose of security top secret and other data.”
Bruce Schneier, one of the biggest experts in the field of secure communications and cryptology in the world warned about developing your own encryption software in a 1999 essay called Cryptography: The Importance of Not Being Different. He explains that “in cryptography, there is security in following the crowd. A homegrown algorithm can’t possibly be subjected to the hundreds of thousands of hours of cryptanalysis that DES and RSA have seen. A company, or even an industry association, can’t begin to mobilize the resources that have been brought to bear against the Kerberos authentication protocol, for example. No one can duplicate the confidence that PGP offers, after years of people going over the code, line by line, looking for implementation flaws.”
The public worldwide is well aware of that fact. This year Germany switched its government services over to PGP email encryption and Facebook also started encrypting messages that are sent to users’ email addresses.
The national cryptosecurity strategy draft includes a proposal to establish a govermental body and to educate two crypto-experts but does not include anything about educating and training the actual users and spreading the knowledge about securing your communication channels and data.
What good will two trained professionals do if the end users still live in ignorance? Furthermore, the general agreement in the crypto tech society is that the only truly safe way to encrypt communication is to use end-to-end encryption on both ends of a communication.
Therefore I do not see any sense in developing our own encryption systems which would most likely be closed-sourced instead of using open-sourced systems that have been independently tested multiple times already (RedPhone, TextSecure, Silent Circle).
When reading the national cryptosecurity strategy draft we cannot shake off the feeling that their creators focused solely on potential economic benefits of developing and selling our own crypto hardware and software and completely ignored the actual national cryptosecurity and surveillance prevention measures.
The national crypto strategy should in my opinion focus on two main goals – raise awarness of the importance of using encryption procedures by using verified, open-sourced tehnology used all over the world, and provide ongoing education and knowledge testing for the users using the encryption technology.
Focusing on awareness and education would raise the number of users using encryption software, thus protecting their data and communication channels. By only focusing on the development and marketing goals as stated in the draft, we are making triple damage – we are raising unnecesary security risks, we are limiting the usability of these tools since there is no one there to propagate them and finally – since we are not focusing on education, there is a risk of nobody using these tehnologies at all.