If you need cryptographic software, we'd obviously like you to consider ours. However, you may not need it now, but might need it later. In the hope that you'll remember us favorably when you do need it, we offer the following guidance to help you decide.

NOTE: This information is not intended to be and should not be construed as legal advice. Advice of counsel should be sought in case of considerations of lawfulness.

Will encryption protect my PC or laptop?
Should I encrypt my programs?
Will high-grade encryption protect my data?
How can high-grade encryption be cracked?
Will a certified encryption engine provide high-grade encryption?
What is forensic software?
Will sanitizing per DOD 5220.22-M defeat recovery by forensic software?
Can your forensic software countermeasures be defeated?
Can I travel with strong encryption software on my laptop?
Will your software give me access to my employees' files?
Can I use another cipher than 168-bit triple-DES with your software?
How can I verify the absence of "back-doors" in your software?
Do you sell forensic software or services?

Will encryption protect my PC or laptop?

No. If you wish to deny others the use of your particular one of the world's millions of Windows® PCs, you must employ physical security measures; i.e. lock it up. Access control software can be bypassed with a floppy diskette, and plug-in cards can be easily removed from an unlocked case - as can your entire hard disk. You can, however, cryptographically protect the confidentiality of data stored on it.

Should I encrypt my programs?

Not unless there's something that makes them different from everyone else's copy. Why wait for many megabytes of program files to be decrypted? The delay of "on-the-fly" decryption of their component library files can crash many programs.

Will high-grade encryption protect my data?

Yes, but only while it's encrypted. While you're using it, it's unencrypted and you must physically protect it. That's why eliminating all of Windows®' "extra copies" is so important. If your software doesn't plug Windows® security leaks, even though it encrypts with a strong cipher, attackers can bypass the encryption. Furthermore, if you don't make backup copies of your data, it can still be destroyed. You must be sure that your method of encryption won't interfere with your backup software.

How can high-grade encryption be cracked?

By definition, it can't be - but its keys can. Some techniques used, in increasing order of cost/risk are: (1) exploiting operator errors (e.g. recovering a password from its repeated use with slight variation in less secure applications which can be cracked); (2) dumpster diving for papers on which the operator may have doodled hints to the area of interest s/he used to pick a password, and using them to guide automated dictionary attacks; (3) bribery or rubber hose cryptanalysis (duress).

NOTE: High-grade encryption cannot be reversed without the keying information. Its very high work-factor shifts the focus of attack from "cracking the cryptosystem" to "cracking the owner." High-value data requires a total security plan, of which encryption is only an element.

Will a certified encryption engine provide high-grade encryption?

Not by itself. If it is fed cryptographically strong keying information, it can produce a strongly encrypted version of one of your data files. This version can be securely communicated. However, Windows® not only can't be relied upon to dispose of your unencrypted original, it even makes and leaves extra copies on your hard disk. All of these copies can be recovered with forensic software, unless the encryption engine is integrated in a cryptosystem specifically designed to plug Windows® security leaks.

What is forensic software?

Forensic software was developed for computer evidence recovery in law enforcement. It makes evidentiary copies of all magnetic data records on a disk, and performs searching by keywords of disk sectors likely to contain evidence. It also establishes a clear custody chain for the evidence that will withstand court challenges. It is used to scan disks to which a court has ordered the defendant to provide access by plaintiff's lawyer(s) during the discovery phase of litigation, as well as for industrial espionage.

Will sanitizing per DOD 5220.22-M defeat recovery by forensic software?

Yes. Even clearing will, if applied to all copies. The specialized laboratory equipment used by intelligence agencies of major industrialized nations can recover small groups of data bytes from under any number of overwrites. However, this is not a practical way to explore an entire hard disk for potentially interesting data, such as in discovery for litigation. Sanitizing or clearing of all non-encrypted copies per DOD 5220.22-M should clearly demonstrate due diligence in protecting trade secret or privacy data.

NOTE: Rule 34(a) of the Federal Rules of Civil Procedure includes computerized records. Discoverable documents are generally held to include computer hard drives, and courts can impose discovery sanctions for proven willful destruction of data relevant to litigation.

Can your forensic software countermeasures be defeated?

Yes - by the user circumventing their application to all copies of sensitive data. Forensic software exploits non-zeroized object re-use leaks. Before releasing them to the operating system for re-use, sensitive memory or storage objects handled by our software are automatically Cleared (zeroized) or Sanitized, per DOD 5220.22-M. Any file it writes to disk has the tail Cleared of RAM buffer scavanging leaks. However, its automatic on-exit offers to Clear the Windows® swapfile and TEMP space can be refused by the user in time-critical system shut-down situations. Furthermore, deleted data which it never handled can still lurk on the user's disk, if s/he doesn't explicitly use our Clear a disk's free clusters and Clear a disk's file slack countermeasures.

Can I travel with strong encryption software on my laptop?

The Commerce Department's Bureau of Export Administration (BXA) has the latest information concerning the personal use exemption from encryption export controls. Provided you satisfy their record keeping and custodial rules, you should have no difficulty in leaving and re-entering the USA with such software on your laptop. However, many countries outlaw the use or possession of high-grade cryptosytems.

Will your software give me access to my employees' files?

Not without their cooperation. If they provide you with up-to-date key share diskettes, multiple trusted parties acting in concert (such as the immediate supervisor and the personnel director, for example) can access their encrypted files in event of their death or incapacity. Any one diskette is useless. You can, of course, pursue legal remedies to force disclosure of keying information, as can law enforcement agencies. In any case, your employee agreements should address the duty to maintain the integrity and the availability of your proprietary information, as well as its confidentiality.

Can I use another cipher than 168-bit triple-DES with your software?

No. We don't serve the enthusiast market. Our focus is on INFOSEC for people who must protect sensitive data on Windows® PCs or laptops, rather than on encryption technology. Our (conservative) choice of this cipher is only a small part of the solution to that problem. There are many available software products focused on encryption, per se. Ours are designed to plug the Windows® security leaks that can bypass it.

How can I verify the absence of "back-doors" in your software?

You could check our design by examining our source code (under Non-Disclosure Agreement). You can check for "spiking" of the actual implementation with our built-in tests. In addition to the NIST tests, you can force the actual file encryption key to any value you select to verify the cipher. You can compare the resulting file (with zeroized masterkey) against our specification, to assure absence of added bytes containing key leaks. Our FIPS 140-1 key generator tests include the option to generate a one megabyte keystream file, on which you can run randomness tests for pattern leaks.

Do you sell forensic software or services?