Do not underestimate the security of your data. Thefts of data and entire computers are a daily matter. Both individuals and enterprises lose top-secret financial data and for some it costs reputation. In the light of the latest news on the FBI wanting to require all encrypted communications systems to have back doors really undermines the right to privacy. Lately, Privacy and Security issues are very much talked about and taken into consideration.
Recently we’ve been asked if our encryption software Rohos Mini Drive (freeware) and Rohos Disk Encryption (shareware) have backdoors. Our answer is No. Rohos team claims its encryption programs have no backdoors. So you can sleep safe and sound knowing that nobody will be able to access your encrypted personal data unless you give them the password.
Also, we have been asked how we could prove it. The only way to prove it would be to open the source code which we will do, but later and only for our utility Rohos Mini Drive Portable.
Rohos Mini Drive is totally free for the home user and it is the best free encryption security tool that uses NIST-approved encryption standards. In other words, it has all a home user needs to achieve a good level of computer data privacy.
Download Rohos Mini Drive
Open source vs. closed source disk encryption
Well, some people may say that having open-source encryption software gives you the opportunity to know what you use and how strong is encryption and security protocols. But we have some doubts about it.
Looking at the most popular open-source encryption software Truecrypt some serious questions arise: why its developers are anonymous, why would someone do so much work (and believe encryption is not the easiest field of developing) and give it free of charge, and many more. It looks like it’s not only me who has serious concerns when it comes to backdoors in Truecrypt. The author of one blog has really uncovered the veil about it in his article Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot? This article makes wonderful reading.
On the other hand, we must admit that the other open-source encryption software OTFE is very much open to the community and has the developer’s name publically published, and no way it falls behind in the variety of encryption algorithms (AES, Twofish, and Serpent) or any other feature that is so much popular among users as compared to Truecrypt.
Certified encryption solutions
Many USB flash drives with hardware encryption features have a FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST). FIPS certification means Cryptographic module validation by one of the approved NIST labs:
- The lab takes the Cryptographic Module (this could be just a part of the entire security solution) and run a set of tests with it. Encrypting the predefined data blocks, using predefined encryption keys, inspecting encryption output.
- The lab may also inspect the Cryptographic Module source code.
To simplify the certifications process vendors often collect all encryption code from the entire source code into a single module and certify only this module. In the future when a new version of the product is published there is no need to certify it again.
So Certified Encryption Products/Solution means: “Somewhere in the past we certified only encryption code in our product”. But the entire solution/product may contain bugs/holes in security protocols.
- Look at the list of certifications – there are only “Cryptographic modules” but not Products.
- Read about security holes in USB flash drives with certified encryption.
One more example of a possible backdoor could be Russian encryption standard GOST 28147-89. Though it was developed by KGB, some claim it to be transparent for the National Security department. This encryption standard has been severely criticized due to the fact that cipher strength may depend on the quality of S-Boxes. And certified encryption vendor should use S-Boxes provided by KGB. The Russian Wiki page describes better these issues: GOST critics. An excellent article about this standard and many more we have found and wanted to share with you. It’s called “Weakness of Cryptosystems”.
We should say that none of the existing cryptographic algorithms gives 100% data security. It just extends the time that is necessary for the third party to read information. Usually, it takes quite a while so your information by that time loses its value. But if to look at it from a different point of view the fact that the majority of encryption protocols and cryptographic algorithms are developed in the USA should put us on guard.
So it’s really up to you what to use. But only time can prove how secure and reliable software can be.