I've written a short "Snake Oil FAQ" below. It's incomplete and needs some work (adding a few definitions, rewording, aesthetic formatting, etc.), so think of it as a 'beta' FAQ (please don't post it on web pages, though I don't mind if it's distributed among anyone interested in criticizing or contributing). Comments and suggestions would be appreciated. Note that the aim is to write something accessible to 'newbies'. (Jeremy Barrett contributed to this, BTW) Snake-Oil Warning Signs Encryption Software to Avoid (Revision 0.1) Introduction ====================================================================== Good cryptography is an excellent and necessary tool for almost anyone. However, there are a multitude of choices for what products to use. Many good cryptographic products are available, both commercial and free. However there are also some extremely bad cryptographic products (known in the field as "Snake Oil"), which not only fail do their job of providing security, but are based on, and add to, the many misconceptions and misunderstandings surrounding cryptogra phy and security. It is extremely important that users of cryptography actively question the product they are considering using, to insure the security and integrity of their data-- be it personal or business informat ion. In order to make a more informed decision, it is necessary to understand some of the "red flags" to watch out for, and what they mean. For a variety of reasons, this document is general in scope and does not mention specific products or algorithms as being "good" or "Snake Oil". Some Common Snake-Oil Warning Signs ====================================================================== The following are some of the "red flags" one should watch for when looking at an encryption product: Technobabble ------------ The vendor's descrption of the product may contain a lot of hard-to-follow use of technical terms to describe how the product works. If this appears to be confusing nonsesense, it may very well be (even to someone familiar with the terminology). Technobabble is a good means of confusing a potential user and masking the fact that the vendor doesn't understand anything either. A sign of technobabble is a descrption which drops a lot of technical terms for how the system works without actually explaining how it works. New Type of Cryptography? ------------------------- Beware of any vendor who claims to have invented a "new type of cryptography". Avoid software which claims to use 'new paradigms' of computing such as cellular automata, neural nets, genetic algorithms, chaos theory, etc. Just because software uses to different mehtod of computation doesn't make it more secure. Anything that claims to have invented a new public key cryptosystem without publishing the details or underlying mathematical principles is highly suspect. Proprietary Algorithms ---------------------- Avoid software which uses "proprietary" or "secret" algorithms. Security through obscurity is not considered a safe means of protecting your data. If the vendor does not feel confident that the method used can withstand years of scrutiny by the academic community, neither should you. Beware of specially modified versions of well-known algorithms. This may unintentionally weaken the cipher. The use of a trusted algorithm, along with technical notes explaining the implementation (if not availablity of the source code for the product) are a sign of good faith on the part of the vendor that you can take apart and test the implementation yourself. Old Ciphers Never Die... ------------------------ Beware of something that sounds like a sophisticated nineteenth- century or even World War II scheme, or something based on a mechanical system. If the product's authors sound like they are entirely unfamiliar with the state of the art, that's a good warning sign. Experienced Security Experts ---------------------------- Beware of any product claiming that "experienced security experts" have analyzed it, but it won't say who (especially if the scheme has not been published in a reputable journal). Unbreakability -------------- Some vendors will claim their software is "unbreakable". This is marketing hype, and a common sign of snake-oil. Avoid any vendor that makes unrealistic claims. No algorithm is unbreakable. Even the best algorithms are breakable using "brute force" (trying every possible key), but if the key size is large enough, this is impractical even with vast amounts of computing power. Be wary of marketing gimmicks related to "if you can crack our software" contests. One-Time-Pads ------------- A snake-oil vendor may claim the system uses a one-time-pad (OTP), which is theoretically unbreakable. A OTP system is not an algorithm. It involves generating a random key at least the size of the message and garbling the message with it. When the message is decrypted, the key is destroyed. Only one message is encrypted with a OTP, and it is used only once. They key is random: generated using a real random source, such as specialized hardware, radioctive decay timings, etc., and not from an algorithm or cipher. Anything else is not a one-time-pad. The vendor may confuse random session keys or initialization vectors with OTPs. Algorithm or product XXX is insecure ------------------------------------ Avoid anything that makes claims that particular algorithms or other products are insecure without backing up those claims (or at least siting references to them). Avoid anything that misrepresents 'weaknesses' of other algorithms. (For example, if the product claims it doesn't use public key crypto, citing timing attacks or factoring as reasons.) Keys and Passwords ------------------ The "key" and the "password" are often not the same thing. The "key" generally refers to the actual data used by the cipher algorithm. The "password" refers to the word or phrase the user types in, which the software converts into the key (usually through a process called "hashing" or "key initialization"). The reason this is done is because the characters a user is likely to type in do not cover the full range of possible characters. (Such keys would be more redundant and easier for an attacker to gues s.) By hashing a key can be made from an arbitrary password that covers the full range of possible keys. It also allows one to use longer words, or phrases and whole sentences as a "passphrase", wh ich is more secure. Anything that restricts users passwords to something like 10 or 16 or even 32 characters is foolish. If the actual "password" is the cipher's key (rather than hashing it into a key, as explained abo ve), avoid it. Anything that claims to solve the "key management problem" is also be to avoided. (Key management is an inherent problem with crypto.) Convenience is nice, but be wary of anything that sounds too easy to use. Avoid anything that lets anyone with your copy of the software to access files, data, etc. without having to use some sort of key or passphrase. Avoid anything that doesn't let you generate your own keys (ie, the vendor sends you a key in the mail). Avoid anything by a vendor who does not seem to understand the difference between public-key cryptography and private-key cryptography. Lost keys and passwords ----------------------- If there's a third-party utility that can crack the software, avoid it. If the vendor claims it can recover lost passwords (without using a key-backup or escrow feature), avoid it. Exported from the USA --------------------- If the software is made in North America, can it be exported? If the answer is yes, chances are it's not very strong. Strong cryptography is considered munitions in terms of export from the United States, and requires approval from the State Department. Chances are if the software is exportable, the algorithm is weak or it is crackable (hence it was approved for export). If the vendor is unaware of export restrictions, avoid the software: the vendor is not familiar with the state of the art. Because of export restrictions, some legitimate (not-Snake Oil) products may have a freely exportable version for outside of the USA, which is different from a separate US/Canada-only distribution. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl@unix.asb.com (root@magneto) AB1F4831 1993/05/10 Deranged Mutant <wlkngowl@unix.asb.com> Send a message with the subject "send pgp-key" for a copy of my key.