Important News:SafeLogic's CryptoComply Achieves FIPS 140-3 Validation for 28 OEs and Receives Certificate #4781! Read the blog post!
The SafeLogic Blog
A Conversation with Whit Diffie
April 25, 2013 •Walt Paley
On Tuesday, we had the honor of announcing the establishment of SafeLogic’s advisory board and the first three members. The trio is absolutely stellar, and it’s a thrill to have the opportunity to work with such accomplished people. I recently got to chat with Whit Diffie about his thoughts on encryption, technology, and how SafeLogic factors into the long-term outlook of security and compliance. I’d like to share with you some of his thoughts. I also just wanted to brag that I was talking cryptography with Whit Diffie!
In the context of the validation of Suite B algorithms, I raised the question of importance with enterprise clients. In assessing government applications, the procurement officer's analysis is binary – either the cryptography has been validated, or it hasn’t. Nothing short of a validation is acceptable and there is no gray area. Business hasn’t embraced the same point of view yet, but it has certainly been evolving. Does that cultural acceptance of gray area create vulnerability?
Whit replied. “Cryptographic algorithms are the best cooked aspect of information security. Every other aspect, beginning with algorithm implementation, is prone to error and thus to penetration and compromise. The importance of validating cryptographic implementation is second to nothing in information security.”
I pressed further. SafeLogic’s mission is to bring government quality encryption to all, but some enterprise solution vendors believe that it is overkill for certain private sector use cases. Are there scenarios in theory where cryptography can be unverified and still inherently secure enough?
That didn’t sit well with Whit. “Cryptography is not just a theory. In order to secure everything from e-commerce to personal communication, cryptography must be properly implemented.”
Diffie’s response reinforced what I have been carrying as a central tenet to SafeLogic’s goals. In order to put faith in a solution that contains encryption, like trusting the lock on a door, we must be assured that each facet has been installed correctly and tested. Without an independent third party to verify it, vendors could claim anything at all.
In 2008, Whit commented in an interview that Suite B could have a major impact, improving the interoperability of cryptographic security systems worldwide. So I was curious about his thoughts five years later. Has it played out as he expected?
Whit’s commented on how huge the task really is. “The adoption of a world-wide cryptographic standard is an ongoing process that may last throughout the century. At any point, it’s possible to look around and say ‘look how much we have achieved’ but also to look around and say ‘look how much remains to be done.’ ”
Not to be discouraging, Diffie went on. The interoperability is indeed already showing rewards.
“The importance of standardized, pluggable, cryptographic implementation of the sort SafeLogic provides is that they ease the work of application-specific developers, which frees them to concentrate on their core competencies. To a non-security developer, cryptography is just another nuisance, a peripheral expertise that must be acquired to get the job done. The more of security that can be obtained from experts who have made it easy to install, the more quickly projects that depend on security – rather than focusing on security – will go.”
It’s very cool that Whit Diffie sees SafeLogic as a cog in the evolution of application development. His view is very copasetic with where we are positioned – by leveraging a specialist, companies can innovate faster, better, and more efficiently than ever.
Along with the rest of the SafeLogic team, I am excited to have Whit on the Advisory Board and I’m looking forward to many conversations like this in the future!
Walt Paley
Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.
Popular Posts
Search for posts
Tags
- FIPS 140 (111)
- FIPS validation (85)
- Encryption (70)
- cryptography (68)
- NIST (62)
- CryptoComply (60)
- SafeLogic (58)
- Industry News (54)
- cryptographic module (51)
- Conversations (49)
- CMVP (48)
- RapidCert (46)
- compliance (41)
- Ray Potter (33)
- SafeLogic News (33)
- Event (27)
- federal (27)
- CAVP (23)
- Cybersecurity (23)
- FIPS 140-3 (18)
- OpenSSL (16)
- government (14)
- FedRAMP (13)
- CryptoCompact (12)
- Cryptology (12)
- DoD (12)
- RSA (12)
- healthcare (12)
- partners (12)
- NSA (11)
- post-quantum cryptography (11)
- Cloud (9)
- PQC (9)
- security (9)
- CMMC (8)
- Suite B (8)
- testing (8)
- whitepaper (8)
- Approved Products List (APL) (6)
- HITECH (6)
- ICMC (6)
- lab (6)
- CEO (5)
- NIST 800-171 (5)
- NIST 800-53 (5)
- OpenSSL 3.0 (5)
- iOS (5)
- procurement (5)
- C3PAO (4)
- Common Criteria (4)
- HITECH Act (4)
- deadline (4)
- encrypt (4)
- innovation (4)
- procure (4)
- public sector (4)
- Air Force (3)
- BSAFE (3)
- DFARS (3)
- HIPAA Safe Harbor (3)
- HITECH Safe Harbor (3)
- OpenSSL 1.1.1 (3)
- OpenSSL 3.x (3)
- POA&M (3)
- TLS 1.3 (3)
- magazine (3)
- queue (3)
- transition (3)
- 3PAO (2)
- ACVP (2)
- BAA (2)
- CIO (2)
- CSP (2)
- Cyber Defense Magazine (2)
- Defense Industrial Base (2)
- HIPAA security controls (2)
- Historical Status (2)
- MFA (2)
- OpenSSL 1.0.2 (2)
- SPRS (2)
- StateRAMP (2)
- entropy (2)
- excellence (2)
- finance (2)
- founder (2)
- gold (2)
- leader (2)
- maturity (2)
- overlap (2)
- pilot (2)
- rsa conference (2)
- solution (2)
- sponsors (2)
- sunset (2)
- vendor (2)
- year (2)
- Active Status (1)
- Alliance for Digital Innovation (1)
- Android (1)
- CIO Prime Views (1)
- DHS (1)
- DIU (1)
- DIUx (1)
- DOJ (1)
- DoDIN APL (1)
- Entropy Source Validation (1)
- FCA (1)
- FIPS Compliance (1)
- FISMA (1)
- GSA (1)
- HITRUST (1)
- Matt Cornelius (1)
- Matthew Cornelius (1)
- Maturity Model (1)
- NCCoE (1)
- OMB (1)
- SLED (1)
- SP800-131A (1)
- SP800-90A (1)
- TLS 1.1 (1)
- background (1)
- best (1)
- co-founder (1)
- codies (1)
- congress (1)
- cybertech (1)
- education (1)
- elliptic curve cryptography (1)
- extended (1)
- faq (1)
- fintech (1)
- fiscal (1)
- fiscal year (1)
- fraud (1)
- globee (1)
- hill (1)
- interview (1)
- kratos (1)
- libgcrypt (1)
- national cybersecurity strategy (1)
- opportunities (1)
- parallel (1)
- profile (1)
- public (1)
- representatives (1)
- reseller (1)
- senate (1)
- senators (1)
- simplify (1)
- state (1)
- stealth mode (1)
- story (1)
- terminology (1)
- trophy (1)
- whistleblower (1)
- whistleblowing (1)