Hmm, commercial product assurance for encryption from the spooks, it surely can't be just me that's a little sceptical about that can it?
A full disk encryption product has become the first bit of kit to be certified by Brit spooks in their new Commercial Product Assurance scheme. Covent Garden-based Becrypt's DISK Protect demonstrated good commercial security practice, earning it the official stamp of approval to be used by the UK government and public sector …
Friday 2nd March 2012 08:22 GMT Anonymous Coward
Friday 2nd March 2012 08:52 GMT adnim
Friday 2nd March 2012 09:26 GMT Paul Crawford
Re: So you can be Assured
I personally would only trust open source encryption, otherwise how can you know what it is doing?
However, there are *VERY FEW* people who are competent to properly asses cryptographic software, so CESG-approval has its place, but as this appears to be a paid-for service, I don't see FOSS getting assessment any time soon.
Friday 2nd March 2012 08:42 GMT Paul Crawford
I thought that was the lowest of the low, basically not worth any song and dance about?
So my questions is, what aspect(s) of the product stopped it from getting at least 'confidential' if not 'secret' rating? Or would secret need hardware-based disc encryption that cannot be turned off/bypassed by the legitimate user?
Friday 2nd March 2012 10:47 GMT Jinxter
Re: Only 'restricted'?
The CPA Foundation scheme only allows a protection level of up to Restricted. CPA Augmented scheme allows protection up to confidential (as the article says) but missed the fact that a company needs to spend significantly more money and submit their source code for approval to be verified as this level.
If you wish to protect SECRET or TOP SECRET you'll need to look towards the CAPS schemes which are significantly more expensive again and much more invasive.
This isn't necessarily saying that they Becrypt product cannot protect against a higher level of assurance but it is more likely that there is no financial or marketable benefit in gaining a higher assurance level certificate.
Friday 2nd March 2012 09:11 GMT NikT
Missing the point...
I think you're missing the point here - this scheme is for banks and agencies that see the need to carry the personal details of their clients round on laptops but can't stop their staff leaving them on trains. The sort of stuff that the ICO keeps handing out larger and larger fines for. If their crypto is CESG approved then they can show they've taken all reasonable steps to prevent the loss of data.
Friday 2nd March 2012 09:50 GMT Anonymous Coward
IMHO, this is *good* news
One of the principal problems with demanding that government laptops are encrypted was that there were no officially sanctioned products, thus leaving the creation of such protection in the hands of the clueless or consultancies. But I repeat myself (nods to Mark Twain).
Now there is a product that has been sanctioned there is no excuse not to implement it on laptops and usb sticks in use. In other words, in 6 months from now there is absolutely NO, repeat, NO excuse for a gov laptop to lie around unencrypted, and punishments for data loss can thus be brought into the area of criminal neglect.
Can GCHQ crack it? To be honest - there is no data to validate or disprove that assumption, any statement either way would be conjecture. However, I think we can safely assume that CESG cannot afford the political risk of approving a product that is as unsafe as CSS turned out to be (cough :), and it should thus be damn hard to crack for the average, non GCHQ-equipped entity. Which is what really matters..
Just my two cents.
Friday 2nd March 2012 10:05 GMT Joe Montana
This process of requiring "approved" software is extremely damaging for a number of reasons...
1, the approval process is expensive, which means that only a small number of vendors will be on the list and it effectively locks out new entrants and small vendors creating a cartel. this allows these vendors to rip the government off (and they do, rampantly) and goes against the policies of allowing smaller vendors to take pieces of gov contracts.
2, the process is expensive, so even large vendors wont certify all their products... if you look at the list of approved products for any scheme such as this, they are always several revisions out of date and in many cases are vulnerable to known issues which have been fixed in the more current (but not approved) versions.
3, the actual verification of the product is generally broken.. they verify that the features the vendor claims are present are actually there, but not wether they work properly or cant be circumvented... they basically look at the front of your house and verify you have a strong door, locked windows, an alarm etc while never venturing round the back.
4, further flaws... the products are generally only approved under a particular configuration, however in many cases this configuration is not appropriate, and so actual purchasers of the product will be using it in a configuration that was never evaluated.
5, such evaluation processes are generally set up to favour large commercial suppliers, the source code of the product is rarely if ever reviewed and the cost of entry is high... some of the products on such schemes are commercial distributions of open source software, however only the particular commercial distribution is approved and running the exact same open source code is not.
6, the process and vendors behind it are very slow, whereas hackers are not...
7, lock-in, if your stuck with approved products then your stuck with whatever platforms they run on... most of the approved disk encryption products only run on windows, and theres quite a lag between a new version of windows coming out and it being supported... Support for linux is even worse, you are generally stuck with the big commercial distros that also happen to be the least flexible/least up to date, and then you may find yourself not being able to install kernel updates and you certainly cant compile a custom kernel. want to run anything other than windows and specific commercial linux distros, well you cant at all... no macos, no bsd etc. Whats even more ridiculous, is that linux has had built in support for disk encryption for a long time, and yet your not allowed to use this because it hasnt been rubber stamped.
The entire thing is basically treated as a cover your ass exercise, by implementing something from the "approved" list then any problems encountered or any excessive costs can be blamed on someone else.
In terms of disk encryption the whole thing is completely backwards, why would you place blind trust in a commercial organisation who has a vested interest in making money from you (and wouldnt hesitate to lie if it meant profit for them), over an open source system that you can verify, and which is out there to be reviewed...
Look at the actual encryption algorithms, AES, DES etc... They are openly published so that skilled cryptographers can look at them and try to break them.
With encryption you can never be 100% sure that its strong, but you can be 100% sure that its weak (eg ROT13)... The only assurance you can have, is that people known to be skilled in the subject and completely independent from those trying to promote the system, have reviewed it and been unable to break it and the more such people you have, the greater confidence you can have in the strength of the system. The same applies to software...
Obviously you can never trust the opinion of someone who is trying to sell something to you, or in some way associated to them as they now have an incentive to lie. And there are plenty of documented cases (see google) where vendors have lied, or even explicitly written code which benefits themselves at the expense of users!
Monday 5th March 2012 09:05 GMT Shanghai Tom
I use truecrypt all the time, never had a problem, swap thumb/portable drives between Linux, Mac and Win, can the same be said about this "certified" product ? or as usual, is it a Windows only certification.
Truecrypt will also do full disk for windows as the prior post mentions, but linux can do it's own encryption anyway if you don't have a need to use Truecrypt because of dual boot. This leaves you still able to use truecrypt for your portable requirements.
My Windows runs in a VM under Linux and it runs on truecrypt virtual hard drives :)
There is a report out there somewhere that the FBI couldn't hack a truecrypt disk.....
Friday 2nd March 2012 12:11 GMT Anonymous Coward
This is only for "cheap" easy to use encryption. "Proper" encryption is listed at:
http://www.cesg.gov.uk/finda/Pages/CAPSResults.aspx?post=1&crypto=High+Grade+Top+Secret&sort=manu for link encryption and http://www.cesg.gov.uk/finda/Pages/CAPSResults.aspx?post=1&category=Data+Encryption&crypto=Enhanced&sort=crypto for disk encryption.
Go look up the prices for those bad boys. Then cry and buy something cheaper.
Friday 2nd March 2012 12:50 GMT Anonymous Coward
Icarus - duh!
Icarus, of course it's not used by CESG and GCHQ, they've got their own encryption software, which is probably far stronger - and will be if they're protecting anything at SECRET and TOP-SECRET which they are, so why would they bother with the hassle and expense of ripping out a complete security infrastructure which they know to be superior to the product they've tested and certified?
Friday 2nd March 2012 13:38 GMT Fat Northerner
I believe traitorous twatty northern fat boy David Shayler once ...
in response to the question as to whether they laptop left in a bar by some guy from the South Bank Massive, could be cracked, said....
"It's more likely that the Sun will melt."
So the last thing I'd expect would be the security services using it, Mr Section.
Friday 2nd March 2012 14:30 GMT Anonymous Coward
Kind of a lazy article really.
"The foundation-grade certification earned by Becrypt means the DISK Protect is trusted to safeguard data sensitive enough to earn the classification of "restricted". The technology is not approved for guarding more sensitive "confidential" or "secret" material. Nonetheless the seal of approval will make it easier for Becrypt to sell full disk encryption to public sector organisations"
Unless the public sector organisation needs something which can protect Confidential in which case they will purchase Becrypt Disk Protect Enhanced - which is basically a different crypto module loaded up. If they wanted to protect Restricted then they would be well advised to select Disk Protect Baseline which is designed for this purpose, but can get away with CPA foundation in some circumstances. The CPA cert just means the el cheapo product is good for nervous organisations that want to protect equivilant of Protect, or equivilant commercial marks.