by ziddoap 1515 days ago
I've yet to see a good definition of what constitutes "military grade encryption" vs. regular old encryption. It generally has the opposite effect, for me at least, in the sense that I avoid any product that advertises "military grade <something>".

Edit: I'm not actually looking for definitions of "military grade encryption", thank you, everyone who tried to explain it though. I work in cybersec, and encryption is encryption. It is either compliant with standards or it is not. But "military grade" is pure marketing fluff, hence why I avoid it.


Bruce Schneier always used the term 'snake oil' for such unfounded buzzwords and frequently did naming and shaming on his blog.

But military-grade is just a buzzword. Unlike something like MIL-SPEC there is no body that determines what is military grade. And even MIL-SPEC is not very specific, most of its standards have many components that don't apply unless the vendor specifically certifies for it.

But yeah most vendors that use such terminology demonstrate a very poor understanding of the technical principles and use their marketing buzzwords to make up for it.

Off topic, but please consider using the correct tense when talking about people. E.g. "uses" instead of "used", otherwise you are implying that the person in question is dead…

(After reading your comment I went to wikipedia to check that Bruce Schneier hadn’t unexpectedly passed away.)

That is not what the past tense means, and you should maybe take some responsibility for this. OC doesn't know what Bruce Schneier currently does or endorses.

I agree with you, even if I wouldn't have made the comment.

"has historically used" or "has used in the past" or "tends to use" or "uses".

The term "always used" does sound like the subject is departed.

I used past tense because he stopped his blog/mailing list ;) At least in the form I used to read it.

But I agree that 'used to use' would be a better form without this connotation. I will strive to use this in the future in such cases.

He used to have a monthly mailing list, and I wasn't sure whether he still had a blog or something.

One problem with 'used to use' is many might take it as implying that he now uses something different. Perhaps 'has used' would be better?

To me being FIPS compliant would be a good definition of something being "Military Grade" because that would be the actual standards the US military would use. However, that still doesn't mean it has the best security because really good algorithms like Ed25519 aren't FIPS compliant despite being much better than their FIPS counterparts IMO.

> I've yet to see a good definition of what constitutes "military grade encryption"

Done by the cheapest contractor :)

The cheapest contractor who meets requirements who it turns out is not up to the task causing timelines to slip and end up costing more?

Plain old AES-128 is technically military-grade, at least if you're talking about the US military; if it's top secret, AES-256 is the approved one. It is military-grade but it's meaningless in this context. In some other context, it's even worse: you wouldn't prefer military-grade food (it's still edible, just that shelf life has been the top priority while taste took a back seat if it's even considered).

"Military grade encryption" means that the government has signed off on the algorithm's use for information up to a specific classification level. Probably the NSA, but maybe the DOD has their own department. It's certainly a vote of confidence, probably by people more educated about cryptography than you specifically, although possibly less trusted by you (in terms of skill and/or ulterior motives) than other people.

A big, undisputed, downside is that newer algorithms take longer to be approved and it's possible that people keep using the term after algorithms get deprecated.

Encryption is more like "milspec", meeting military minimum quality guidelines than "military issue" which is the cheapest implementation of milspec in physical (or electronic for that matter) goods.

Unless someone is specifically naming the military standard they are compliant with (and provides an auditing record!) it’s bullshit, 99.99% of the time.

Legit vendors who sell actual mil-spec equipment (except stuff that has known shitty mil-specs like entrenching tools) don't use 'military grade' anywhere when they're selling to the military. They go through procurement and identify the specific mil-specs they are compliant with.

Military grade is the weasel word way of implying they have done that without being able to be sued because they aren’t.

Fair enough. The words mean nothing while implying exactly what I thought but not saying it, and I was one of the fools who fell for it. Although I won't after today. Thank you.

You're welcome. If you find something like this elsewhere, please post it too.

I consider it part of the war against Bullshit, which never ends.

Also, ‘industrial grade’, ‘heavy duty’, ‘as seen on TV’ (that one is thankfully almost dead), celebrity endorsements, and the trend in tools over the last decade of buying out an aging brand with a great market reputation and ‘capturing brand value’ by selling cheaply made versions until no one can find anything fit for purpose anymore.

NSA is the entity in the DOD which sets certain minimum requirements and validates their cryptographic implementations. NIST owns the overarching standards for the whole government and sets requirements and performs validations through NVLAP that NSA doesn't, usually with their input.

When you see "FIPS", that means NIST approved/validated.

NSA approval/validation is relevant when the system has to handle classified information and often (but not necessarily) you start with components that have FIPS certification.

So, I understand what they intend it to mean (and maybe that wasn't clear from my original message; I work in cybersec). But what you have described is an encryption scheme which meets certain standards (i.e. it is XYZ compliant). I don't think it is justifiable to call that "military grade", and that saying so is a misrepresentation used by marketing folk.

For what it's worth this is addressed in the linked video at the 6 minute mark.

The presenter shows a slide with an online post saying: “cryptography marketed as military grade is often to crypto what military music is to music”

The use in the title is almost certainly self aware and tongue in cheek.

The product website uses "military grade" all over the place in the marketing materials. Certainly not tongue-in-cheek. See https://www.encsecurity.com/solutions.php and search "military".

After spending time in the (German) military I translate "military grade" as "nothing special but really expensive and convoluted designed by committee". I don't really see why the military should have better encryption. More likely they have some stupid back doors added by clueless contractors.

Yep, totally, it's a big red flag. Another term like that when it comes to software is "patented technology" (or "algorithm", or "software", or whatever). Instant turn-off.

A long time ago, the US government ranked the available encryption algorithm by their security level. The highest level was considered equivalent to military equipment and their people were prohibited from exporting those.

Then a team from Europe published some free software that enabled people to use stronger encryption than the ones on the top rank from the US, and their government stopped with this nonsense. So, the only really "military grade" algorithms are broken stuff from the 90's.

The military is to insecure encryption what a canary is to gas in a coal mine. Hence a layperson can assume it's worthy encryption without extensive investigation and without needing to know the details of how it works. "Military grade encryption" is just the layperson's translation of "encryption" (assuming it's a strong implementation).

Perhaps it held more weight in the past? Now "military grade" encryption is cheap so everything is "military grade".

Nowadays it means outdated, bare minimum security so we can still certify 3DES.

Only for grandfathered-in systems that are critical to keep operating that can't be replaced. New systems and lower-impact existing systems cannot use 3DES at all, unless it's only to decrypt stuff previously encrypted with it.
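The rule in that reply (new code may not encrypt with 3DES but may still decrypt records that were encrypted with it years ago, while AES is fine in both directions) is the kind of thing a compliance check can actually enforce, unlike a "grade". This is an added Go example, not code from anyone in the thread; the function names and the sample keys are my own constructions, and CTR mode is used only to keep the demonstration short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// blockFor enforces the rule from the thread: AES for both directions (aes.NewCipher
// itself rejects key sizes other than 16, 24 or 32 bytes), 3DES decrypt-only.
func blockFor(alg string, decrypt bool, key []byte) (cipher.Block, error) {
	switch alg {
	case "AES":
		return aes.NewCipher(key)
	case "3DES":
		if !decrypt {
			return nil, fmt.Errorf("policy: 3DES may only decrypt previously encrypted data")
		}
		return des.NewTripleDESCipher(key)
	}
	return nil, fmt.Errorf("policy: unknown algorithm %q", alg)
}

// ctr runs the block cipher in CTR mode (no padding, but also no integrity, so a real
// deployment would wrap this in an AEAD).
func ctr(block cipher.Block, iv, data []byte) ([]byte, error) {
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// Crypt is the policy-checked entry point callers use.
func Crypt(alg string, decrypt bool, key, iv, data []byte) ([]byte, error) {
	block, err := blockFor(alg, decrypt, key)
	if err != nil {
		return nil, err
	}
	return ctr(block, iv, data)
}
// LegacyCiphertext fabricates a sample "old" 3DES record (constructed test data):
// it calls des directly, as a system from years ago would have.
func LegacyCiphertext(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return ctr(block, iv, plaintext)
}
```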

Frankly it doesn't even guarantee THAT. If they could certify it, they could list the mil-spec certification. It's pure weasel wording.

Well, there are NSA certified devices (Type 1, Type 2, etc) which are military grade. Something using AES correctly could be a Type 3 device... "when appropriately keyed" :-)

To me, this would be "XYZ Compliant", not "XYZ Grade".

Grade implies something fundamentally changed/altered/adjusted in the underlying product to make it suitable for government/military/whatever use. Here, though, AES is AES whether it is used by my mother or by the military.

"Military grade" means minimum that would be accepted by the military.

Mostly means someone is trying to sell you something and betting you don't know much about the subject matter.

There's also no such thing as "sushi grade" fish.

Soon: "tactical encryption"