
Picking a Collab Tool - NSA Help

On April 24, 2020, the U.S. National Security Agency (NSA) released advice on

Selecting and Safely Using Collaboration Services for Telework

showing criteria to use in your selection and assessing those criteria for 13 commercial products.

The assessment table is based on claims by the companies offering those services, and not on any NSA testing. Even with that caveat, the document looks helpful.

 

Three items are online at NSA:

Press release

 Working from Home? Select and Use Collaboration Services More Securely

 

Selecting and Safely Using Collaboration Services for Telework - Short form

   Lists the criteria and includes the full comparison table.

 

Selecting and Safely Using Collaboration Services for Telework - Long form

   Adds a paragraph explaining each of the criteria. Same table as the short form.

 

Observations:

1. Since the information is based on company documentation and not testing, you may need added information for your purposes. For instance, under End-to-End Encryption for Zoom, the table says Yes - Partial. Only if you have seen the reports for Zoom will you know that E2E is only for two-party connections. All group connections are encrypted only between clients and the central server (which may or may not be in the same country as participating clients).

 

2. The legend code for Basic Functionality is a bit obscure in small print below the table. 

(a) text chat, (b) voice conferencing, (c) video conferencing, (d) file sharing, (e) screen sharing.

 

3. There are typos in the table footnotes, where it says 12 instead of 2 and 14 instead of 4 (Zoom E2E). 

 

PLUS

A report available gives solid reasons to think long and hard before selecting Zoom:

Zoom-ing in on You: Why Other Video Conferencing Platforms may be a Better Choice

Pointing out that, in addition to the previously identified lie from Zoom that they use E2E encryption, they also claimed to use AES 256, but Citizen Lab reported that,

 

"However, a recent report found that Zoom only uses a single AES-128 key in Electronic Codebook (ECB) mode, which is less secure than AES-256, and ECB is not recommended for streaming media.13 Bill Marczak and John Scott-Railton from The Citizen Lab argue:
Zoom's encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea because this mode of encryption preserves patterns in the input. Industry-standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode.14"

 

 

UAYOR.

 

 

Craig

(Also posted on my Randomness Blog.)

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Not Passing a Cert Exam is Not the Same as Failing: https://cragins.blogspot.com/2018/08/pass-rates-for-professional-exams.html