John Young <jya@pipeline.com> wrote:
Despite the long-lived argument that public review of crypto assures its reliability, no national infosec agency -- in any country worldwide -- follows that practice for the most secure systems. NSA's support for AES notwithstanding, the agency does not disclose its military and high level systems. Nevertheless, given that the public has two options (disclosure or non-), it seems public review is as good as it gets. I also can't see an alternative; yes, we are giving military organizations the "crown jewels" of our efforts for no cost (although at least in theory they should pay for anything that is copyrighted or
Riad S. Wahby wrote: patented :) but no large company can afford to spend a fraction of what the NSA do every day on analysis - it is rely on the community or rely on a handful of staff who may or may not be able to code their way out of a paper bag (and if there is no community to give peer status to a cryptographer, how can you tell good from bad when you hire one?) Almost always, closed source systems are either snakeoil, or based on publically accepted algos with just a few extra valueless steps thrown in so that they can claim it is different (VME for example can be very secure indeed provided you combine it with something else - explicitly mentioned as an option in the patent document - but the combined system is still patented because their silly variant on a classic cypher is used at some point)