I've written a short "Snake Oil FAQ" below. It's incomplete and
needs some work (adding a few definitions, rewording, aesthetic
formatting, etc.), so think of it as a 'beta' FAQ (please don't post
it on web pages, though I don't mind if it's distributed among
anyone interested in criticizing or contributing). Comments and
suggestions would be appreciated. Note that the aim is to write
something accessible to 'newbies'. (Jeremy Barrett contributed to
this, BTW)
Snake-Oil Warning Signs
Encryption Software to Avoid
(Revision 0.1)
Introduction
======================================================================
Good cryptography is an excellent and necessary tool for almost
anyone.
However, there are a multitude of choices for what products to use.
Many good cryptographic products are available, both commercial and free. However there are also some extremely bad cryptographic
products (known in the field as "Snake Oil"), which not only fail do
their job of providing security, but are based on, and add to, the many misconceptions and misunderstandings surrounding cryptogra
phy and security.
It is extremely important that users of cryptography actively
question the product they are considering using, to insure the security and integrity of their data-- be it personal or business informat
ion. In order to make a more informed decision, it is necessary to
understand
some of the "red flags" to watch out for, and what they mean.
For a variety of reasons, this document is general in scope and does
not mention specific products or algorithms as being "good" or "Snake Oil".
Some Common Snake-Oil Warning Signs
======================================================================
The following are some of the "red flags" one should watch for when
looking at an encryption product:
Technobabble
------------
The vendor's descrption of the product may contain a lot of
hard-to-follow use of technical terms to describe how the product
works. If this appears to be confusing nonsesense, it may very well
be (even to someone familiar with the terminology). Technobabble is
a
good means of confusing a potential user and masking the fact that
the
vendor doesn't understand anything either.
A sign of technobabble is a descrption which drops a lot of technical
terms for how the system works without actually explaining how it
works.
New Type of Cryptography?
-------------------------
Beware of any vendor who claims to have invented a "new type of
cryptography".
Avoid software which claims to use 'new paradigms' of computing such
as cellular automata, neural nets, genetic algorithms, chaos theory,
etc. Just because software uses to different mehtod of computation
doesn't make it more secure.
Anything that claims to have invented a new public key cryptosystem
without publishing the details or underlying mathematical principles
is highly suspect.
Proprietary Algorithms
----------------------
Avoid software which uses "proprietary" or "secret" algorithms.
Security through obscurity is not considered a safe means of
protecting your data. If the vendor does not feel confident that the
method used can withstand years of scrutiny by the academic
community,
neither should you.
Beware of specially modified versions of well-known algorithms. This
may unintentionally weaken the cipher.
The use of a trusted algorithm, along with technical notes explaining
the implementation (if not availablity of the source code for the
product) are a sign of good faith on the part of the vendor that you
can take apart and test the implementation yourself.
Old Ciphers Never Die...
------------------------
Beware of something that sounds like a sophisticated nineteenth-
century or even World War II scheme, or something based on a
mechanical system.
If the product's authors sound like they are entirely unfamiliar
with the state of the art, that's a good warning sign.
Experienced Security Experts
----------------------------
Beware of any product claiming that "experienced security experts"
have analyzed it, but it won't say who (especially if the scheme has
not been published in a reputable journal).
Unbreakability
--------------
Some vendors will claim their software is "unbreakable". This is
marketing hype, and a common sign of snake-oil. Avoid any vendor that
makes unrealistic claims.
No algorithm is unbreakable. Even the best algorithms are breakable
using "brute force" (trying every possible key), but if the key size
is large enough, this is impractical even with vast amounts of
computing power.
Be wary of marketing gimmicks related to "if you can crack our
software" contests.
One-Time-Pads
-------------
A snake-oil vendor may claim the system uses a one-time-pad (OTP),
which is theoretically unbreakable.
A OTP system is not an algorithm. It involves generating a random
key
at least the size of the message and garbling the message with it.
When the message is decrypted, the key is destroyed. Only one
message
is encrypted with a OTP, and it is used only once. They key is
random: generated using a real random source, such as specialized
hardware, radioctive decay timings, etc., and not from an algorithm
or
cipher. Anything else is not a one-time-pad.
The vendor may confuse random session keys or initialization vectors
with OTPs.
Algorithm or product XXX is insecure
------------------------------------
Avoid anything that makes claims that particular algorithms or
other products are insecure without backing up those claims (or at
least siting references to them).
Avoid anything that misrepresents 'weaknesses' of other algorithms.
(For example, if the product claims it doesn't use public key crypto,
citing timing attacks or factoring as reasons.)
Keys and Passwords
------------------
The "key" and the "password" are often not the same thing. The "key"
generally refers to the actual data used by the cipher algorithm. The "password" refers to the word or phrase the user types in,
which the software converts into the key (usually through a process
called "hashing" or "key initialization").
The reason this is done is because the characters a user is likely to
type in do not cover the full range of possible characters. (Such keys would be more redundant and easier for an attacker to gues
s.) By hashing a key can be made from an arbitrary password that
covers the full range of possible keys. It also allows one to use longer words, or phrases and whole sentences as a "passphrase", wh
ich is more secure.
Anything that restricts users passwords to something like 10 or 16 or
even 32 characters is foolish. If the actual "password" is the cipher's key (rather than hashing it into a key, as explained abo
ve), avoid it.
Anything that claims to solve the "key management problem" is also
be to avoided. (Key management is an inherent problem with crypto.)
Convenience is nice, but be wary of anything that sounds too easy
to use. Avoid anything that lets anyone with your copy of the
software to access files, data, etc. without having to use some sort of key
or passphrase.
Avoid anything that doesn't let you generate your own keys (ie,
the vendor sends you a key in the mail).
Avoid anything by a vendor who does not seem to understand the
difference between public-key cryptography and private-key cryptography.
Lost keys and passwords
-----------------------
If there's a third-party utility that can crack the software, avoid
it. If the vendor claims it can recover lost passwords (without
using a key-backup or escrow feature), avoid it.
Exported from the USA
---------------------
If the software is made in North America, can it be exported? If the
answer is yes, chances are it's not very strong. Strong cryptography
is considered munitions in terms of export from the United States,
and
requires approval from the State Department. Chances are if the
software is exportable, the algorithm is weak or it is crackable (hence it was approved for export).
If the vendor is unaware of export restrictions, avoid the software:
the vendor is not familiar with the state of the art.
Because of export restrictions, some legitimate (not-Snake Oil)
products may have a freely exportable version for outside of the USA, which is different from a separate US/Canada-only distribution.
---
No-frills sig.
Befriend my mail filter by sending a message with the subject "send help"
Key-ID: 5D3F2E99 1996/04/22 wlkngowl@unix.asb.com (root@magneto)
AB1F4831 1993/05/10 Deranged Mutant