Encryption certifications

Encryption is hard.

I don’t mean that encryption is hard to deploy in business applications, backup solutions, and on laptops. Software and hardware vendors are making the deployment of encryption easier all the time.

I mean that, as a security vendor, getting encryption right in your products is really hard.

Getting encryption right means very diligent and specialized work and extensive testing. It means running perhaps millions of tests over and over. It is time-consuming work, and even the slightest change means redoing all of the tests. Then code has to be optimized and re-tested. Now that you’ve got your encryption library in good shape, you have to make it easy to use with a variety of languages and operating systems. This means more development and more testing on a large number of platforms.

Did I mention that encryption is hard? And we are definitely not there yet . . .

Now that you think you’ve got your encryption nailed down, it’s time to get it independently certified. The National Institute of Standards and Technology (NIST) provides a complete certification protocol for AES encryption, and charters independent labs to perform the tests. As a vendor this means signing up and paying the lab to perform the tests. This is expensive and takes more time and engineering resources. If there are any problems, you get to start over from the beginning.

It would be tempting to skip the certification, yes?

Let me tell you why that would be a really bad idea. In an early study of security companies engaging in certification, NIST discovered that nearly half had errors in their encryption software or implementation. These are the vendors who are really serious about security – imagine the error rates in software NOT going through certification. Of course, I’m sure that most of the companies who discovered errors during certification fixed the errors and went on to complete the certification process. But it is really an amazingly high percentage.

Security software vendors are businesses like all others. There is always pressure to get products to the market quickly and with minimal cost. Security vendors live in a competitive world, too. And getting to market later than your competition can be painful. So there are lots of pressures to develop quickly and get to market.

There are lots of encryption products in the market that have not gone through NIST certification.

They scare me, and they should scare you.

There is no good excuse for not certifying an encryption solution. If it is not certified it means the vendor doesn’t really care about security, can’t get a certification because it is not done right, or does not have the technical depth or patience to do the certification. As I said, there are no acceptable excuses for skipping certification.

You are going to pay a bit more for encryption solutions that have NIST certification.

Believe me, it’s worth it.
