Our approach to security
Our security strategy can be summarized in some important points:
- Exclusive use of Open and Standard encryption algorithms
- Exclusive use of Open and Standard encryption protocols
- Exclusive use of technologies subject to public peer review
- Exclusive use of Open source encryption technologies
- Work in a way to guarantee that no backdoor can be put in place
- Avoid security through obscurity
- Provide easy-to-use products
- We work in a democratic European country with no restrictive crypto law
We use Open and Standard encryption algorithms and protocols that are the fruit of years of public research in cryptography, certified by internationally recognized institutes such as the IETF (Internet Engineering Task Force) and NIST (US National Institute of Standards and Technology), and by major security agencies such as the NSA (National Security Agency) and NATO (North Atlantic Treaty Organization).
All the encryption algorithms and security methods, including Random Number Generation, strictly follow the FIPS (Federal Information Processing Standards) rules.
However, just using standard algorithms such as AES or Diffie-Hellman is not enough to consider an encryption technology secure and robust.
AES and Diffie-Hellman algorithms are only the building blocks of a more complex system, the encryption protocol.
The IETF (Internet Engineering Task Force) is the authority that analyzes, approves and manages all the widely used internet protocols. In addition, the IETF has a strong policy against wiretapping. It is officially described in the IETF Policy on Wiretapping (RFC 2804), which affirms that no IETF protocol should have a wiretapping feature included.
When a security technology uses only the standards, we can be sure that the technology has been subject to independent security peer review by the scientific and security communities. In fact, the two most famous international cryptographers in the world reinforce that concept:
Philip Zimmermann, in his “Beware of Snake Oil”, explains the typical mistake made by a software company that considers itself an expert and so does not submit its work to peer review: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.”
In order for encryption technologies to be subject to peer review, they should be open not only in their algorithms and protocol specifications but also in their implementations, by using only an open source encryption engine.
We use only public code that has already been audited by a huge number of security experts and used in thousands of security software products.
PrivateWave’s solutions cannot be polluted with backdoors by design. We strongly warn users against any kind of proprietary solution, as we believe that security through obscurity does not work. Consider that in 1883 the core of modern cryptography was summarized in La Cryptographie Militaire by Auguste Kerckhoffs, who stated that: “The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret”.
This simple concept is the foundation of modern cryptography, and it also serves to avoid a Crypto Virus that any proprietary solution can have hidden inside its code.
However, making encryption technologies in the most secure way is not enough.
Any IT or security manager knows well that if a security system is too difficult or too annoying, the final user will just avoid it. To be effective, a security system must be extremely easy to use. PrivateWave’s products carry a high degree of usability.
All voice encryption products are, by default, integrated with the mobile phone’s operating system, so that the end user does not have to change the way they use their mobile phone. Making a secure call is no different from making a standard phone call.