Excerpt from [https://www.tens.af.mil/ewizardFAQ.htm][1]

## How do I know your software isn't full of backdoors?

Because doing so would violate principles of enlightened self-interest in exchange for no benefit. In other words, "we don't do that because that would be dumb." But, a little paranoia is healthy on the 21st century internet, so more detail follows. Concerns about violating trust tend to fall into particular areas:

## Flawed AES

Encryption Wizard Public Edition doesn't provide its own implementation of AES, it just uses whatever is supplied by your Java Runtime Environment. If you are using the JRE from Oracle, then (beginning with Java 7), the open-source OpenJDK is the reference implementation.

For Encryption Wizard Government FIPS Edition, the AES implementation is provided by the JSAFE/BSAFE library from RSA Security, and is FIPS 140-2 validated.

Encryption Wizard Unified FIPS Edition includes an AES implementation publicly available from The Legion of the Bouncy Castle, and is FIPS 140-2 validated.

### Cracked AES

The AES algorithms and their underlying Rijndael ciphers are well known, publically available, and extensively analyzed. No feasible attacks against AES have yet been demonstrated. The attacks which have been published to date fall into two broad categories. The first are academic/theoretical (in which the actual attack would take millennia, require calculating power that makes a Star Trek computer look like a microwave oven, or both). Technically this is faster than brute-forcing the keys, but still not practical.

The second are contrived attacks which among other things require access to the computer performing the ciphers (for example, malicious software already installed). An easy way of sidestepping that scenario for Encryption Wizard is to boot from trusted read-only media and avoid the local hard drive entirely.

## NSA, Weak Algorithmic Constants, Various Sneakiness

Encryption Wizard makes no use of the Dual_EC_DRBG random number generator. Other elliptic curve algorithms are available in the keypair generator tool, but those (a) have never been shown to be compromised, and (b) are not used in the encryption routines themselves.

## Privacy Violations

Encryption Wizard does not collect personal information nor upload any data to government computers. We don't collect usage statistics, even anonymously.

Some concluding observations from a pragmatic point of view:

* Deliberate backdoors are a violation of our own tenets of cybersecurity.
* If we were willing to hide backdoors in public software, we'd be willing to lie about it on a public webpage. Sending us an email to ask if we have backdoors is not a useful thing for you to do with your time.
* A backdoor to a system needs a key. If the key to a backdoor were to get out (whether by accident, malfeasance, or disgruntled employees is irrelevent), then whatever is protected by that system becomes vulnerable. Given that the primary use of Encryption Wizard is to protect sensitive information relevant to the DoD, inserting a master backdoor would be dangerously risky and profoundly shortsighted.

[1][https://www.tens.af.mil/ewizardFAQ.htm]