If You Want to Protect A Security Secret, Make Sure It's Public

Dave Howe DaveHowe at gmx.co.uk
Tue Mar 16 09:33:39 PST 2004


Riad S. Wahby wrote:
> John Young <jya at pipeline.com> wrote:
>> Despite the long-lived argument that public review of crypto assures
>> its reliability, no national infosec agency -- in any country
>> worldwide -- follows that practice for the most secure systems.
>> NSA's support for
>> AES notwithstanding, the agency does not disclose its military and
>> high level systems.
> Nevertheless, given that the public has two options (disclosure or
> non-), it seems public review is as good as it gets.
  I also can't see an alternative; yes, we are giving military
organizations the "crown jewels" of our efforts for no cost (although at
least in theory they should pay for anything that is copyrighted or
patented :) but no large company can afford to spend a fraction of what
the NSA do every day on analysis - it is rely on the community or rely on
a handful of staff who may or may not be able to code their way out of a
paper bag (and if there is no community to give peer status to a
cryptographer, how can you tell good from bad when you hire one?)
  Almost always, closed source systems are either snakeoil, or based on
publically accepted algos with just a few extra valueless steps thrown in
so that they can claim it is different (VME for example can be very secure
indeed provided you combine it with something else - explicitly mentioned
as an option in the patent document - but the combined system is still
patented because their silly variant on a classic cypher is used at some
point)





More information about the cypherpunks-legacy mailing list