Stop calling it "Military-Grade Encryption"

One of the common marketing phrases I intentionally omitted from our product information is "Military-Grade Encryption". Another fairly common one is "Banking-Grade Encryption".

I believe these phrases should just be replaced with "Industry Standard Encryption", if you even want to give it a name at all.

Take for instance our product, Signata. We use the Advanced Encryption Standard (AES) symmetric algorithm, the Rivest-Shamir-Adleman (RSA) asymmetric algorithm, the Password-Based Key Derivation Function 2 (PBKDF2), some Secure Hash Algorithm 2 (SHA-2) here and there, and finally the Elliptic Curve Digital Signature Algorithm (ECDSA), the asymmetric signature algorithm used by the cryptocurrency networks. It's almost alphabet soup at this point with all of these acronyms.

All of these algorithms could be called "Military-Grade". I've worked with the military, a lot with military cryptographic systems, and they use the same algorithms that industry uses. I've worked with banks, and again with cryptographic systems for them. They use the same algorithms that industry uses. They aren't using some "special" algorithms that are superior to what the rest of us use - they pick the algorithms that will ensure the greatest security and maintainability for protecting their information. Note: there are some exceptions to this for some dedicated military equipment, but those kinds of algorithms are typically never made public, aren't relevant to the general public anyway, and don't provide any benefit over the industry standards.

Because this is somehow related to Cryptography

If you want to read the exact same guidelines that the military and banks use for cryptography, see the NIST website for their recommendations. Granted, countries that may not trust the United States may opt for alternative algorithms (such as GOST), but in the end these are still public algorithms.

I actually do a double-take when a company says "Military-Grade", as I start to question how well they know cryptography, and whether they may have picked an inferior algorithm thinking it's safe. MD5 is thoroughly useless as a hashing algorithm these days (it is worth more as a checksum now), but it was used by the military and banks in the past, so it's technically "Military-Grade". Cryptography is a minefield of implementation gotchas, and bodies such as NIST have already done the hard work of figuring out which algorithms and implementations are the best to use for the greatest security.

I get it, you want to give customers assurance at a glance, and the general public seems to like the sound of "Military-Grade" (or at least the Sales people do). Switch to "Industry Standard" instead, and to make us security professionals happy, please at least link to an explanation of the algorithms you use, so we can see for ourselves what's under the hood. If you're using "Industry Standard" algorithms, then you should be happily flaunting what you use. And if you're not using them, well, you'd better start patching your products before someone notices :)

Timothy Quinn

Managing Director of Congruent Labs