Certified For Classified Government Communications

EXAME INFORMATICA (original article in Portuguese).

GNS certifies the first encryption application for government mobile phones that was created in Portugal.

The SecurLine app uses a protocol that the NSA has already rated as the highest level of security against espionage. After certification for reserved communications, Privus intends to advance to the highest levels of confidentiality. Communications in the EU and NATO are also part of the plans of the startup created by Portuguese founders in Switzerland.

How does the Prime Minister send a reserved document or make a call to the President of the Republic’s cell phone? If it is up to Privus, the answer will always go through the SecurLine app. The Switzerland-based startup created by Portuguese founders has just received from the National Security Office (GNS) the certification needed to make the SecurLine application available for “the processing and transmission of classified information up to the National Reserved level”. In addition to phone calls and messages, SecurLine guarantees encryption for video calls and conference calls with multiple users.

Since 2016, Privus has been exploring the encrypted communications segment by selling an app that will not be very different from WhatsApp, Signal or Telegram in terms of how it works, but that promises an increased level of security and privacy through the use of AES-256 encryption and the ZRTP protocol, which the US National Security Agency (NSA) has already rated as having the highest level of difficulty and robustness against interception attempts. The GNS certification process took about a year and a half, and included making the app’s source code available and penetration tests by cybersecurity experts.

Currently, SecurLine is used by more than 1000 entities, and among them are some of the personalities counted among “the richest in the world”. Unlike other messaging and voice-over-IP apps, SecurLine can be used as long as it is installed on the mobile phones of two or more parties, but a version is also available which, in addition to the app, provides for the installation of servers that manage encrypted communications in the data centers of the companies or government entities that are Privus customers. It is this “on-premises” version, in which communications are managed by servers installed in the customer’s data centers, that received GNS certification.

“GNS has granted Privus’ SecurLine Application version 2.4.16 a certification based on pre-established criteria, which is subject to certain conditions inherent to its use, such as use made through platforms with Trusted Execution Environments, managed “on-premises” and via centralized management systems such as Mobile Device Management (MDM)”, informs GNS, which is led by António Gameiro Marques.

In the version that does not provide for the installation of servers in customer data centers, encrypted communications are managed, in a cloud computing model, by servers that Privus maintains in Switzerland. “This solution was designed from the beginning to guarantee both technical encryption and privacy at a legal level. In cloud mode, we only respond legally to Swiss courts. On the other hand, in the case of communications made available to government officials and representatives, it makes sense, as a matter of data sovereignty, that the servers are located in State facilities”, says Henrique Corrêa da Silva, director and founder of Privus.

Unlike the most well-known specialized messaging and voice over IP applications in the market, SecurLine is not free of charge – and is only marketed to large companies and government entities, and is not available to the general public. 

Henrique Corrêa da Silva guarantees that the Know Your Client principle is followed. “We tell people who want to be our customers that SecurLine cannot be used for illegal things, and when we say that, people with less clear intentions usually give up on becoming our customer,” adds the leader of Privus, who has 15 years on his résumé as an operative of the Judiciary Police and the Information Services of Portugal.

Privus guarantees that, once the app is installed on users’ mobile phones, the company no longer has any way of knowing who communicated with whom. The encryption app takes advantage of the security chips of iPhones and of some recent Android phone models to prevent intrusions and data extraction, such as those that lead to cell phone data being cloned at some borders. Therefore, contracting SecurLine’s services always involves a point of contact on the customer’s side, who is responsible for managing the group of users of this app in different scenarios.

“We don’t store metadata. Imagine that user 6000 communicates with user 6002. Only the point of contact for that user group will be able to know who the 6000 or 6002 users are. Even in the worst case scenario, where someone breaks through our security and enters our servers, you will only know that the number 6000 has called the number 6002 – but there is no way of knowing who these people are, because we do not have this information”, stresses the Privus official.

Created by Portuguese founders and with 70% of its capital held by Portuguese citizens, Privus chose to be headquartered in the so-called Crypto Valley, in Zug, Switzerland. This decision can be especially important for the course of legal cases related to the company or involving access, by the authorities, to data processed in the cloud computing mode, which uses Privus data centers instead of servers on the client’s premises.

“We chose to place the headquarters in Switzerland, because it is a country with good privacy laws. EU laws are not so privacy-friendly,” says Henrique Corrêa da Silva.

SecurLine is the first encryption application for mobile phones created by Portuguese developers to receive GNS certification, but it is not alone in the market – and it will be government officials who have the last word in choosing the encryption tools they will contract for the classified communications of the different representatives and agencies of the State.

GNS confirms that a request for certification of another encryption application created by Portuguese developers is currently under consideration. To this request must be added all the tools that have already received international certifications, and that may even already be in use in different ministries.

GNS emphasizes that origin or nationality is not, in itself, a criterion for excluding a provider of encrypted communications for the Government. That, however, may not exempt these providers from recognition by the GNS.

“Under the terms of the respective Organic Law and in view of the responsibilities that are assigned to the GNS, it is responsible for evaluating, accrediting and certifying the safety of products that serve or may form part of a classified information processing system. It is also clarified that the GNS now accepts, for national use, certifications granted by international entities, for the processing of classified information. Taking into account this framework, the certification of mobile communications encryption technologies, as long as they are part of a system for those purposes, should always be recognized by the GNS”, informs the GNS.

With the certification for the Portuguese State’s reserved mobile communications secured, Privus has begun working on a request to the GNS for certification of mobile communications at the highest degrees of confidentiality (above “reserved”, there are also communications and documents considered “confidential”, “secret” and “very secret”).

Henrique Corrêa da Silva recalls that Privus is also committed to guaranteeing other certifications of an international scope. “We are also going to ask for certifications at EU and NATO level. We have already launched pilot programs with other States that need secure communications without backdoors, and that do not trust the products of American, British or Israeli companies”, concludes the head of Privus.

PRIVUS – Privacy First, Security Always

PRIVUS was created to deliver complete communication security and peace of mind, knowing you can collaborate and communicate with total security and absolute privacy. The privacy of our users – including governments, businesses and individuals – drives us to design, build and deliver the world’s only Hypersecure communication and collaboration solutions. While other providers collect, store, sell or share their users’ data with third parties or official agencies, PRIVUS does not and never will. Our zero-trust architecture does not allow us access to users’ decryption keys, hence PRIVUS does not have access to our users’ encrypted communications data.

Read original article

https://visao.sapo.pt/exameinformatica/noticias-ei/software/2020-06-08-gns-certifica-primeira-aplicacao-de-encriptacao-para-telemoveis-do-governo-que-foi-criada-por-portugueses/