Snake oil (cryptography)

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Talk
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

In cryptography, the term snake oil [1] is used to refer to various products which have both wildly extravagant marketing claims and appallingly bad cryptography. Unfortunately, these are somewhat common.

The name "snake oil" comes from 19th Century medicine shows selling various "miracle cures"; snake oil was a common ingredient. It is a traditional medicine, and still appears on ingredients lists for medicinal products, in Asia [1].

Examples

For some examples, see Dmitry Sklyarov's Defcon presentation [2] on e-book security. One commentator called some of these systems "astonishingly inept cryptography software".[3] One company advertised "the only software in the universe that makes your information virtually 100% burglarproof!"; their actual encryption, according to Sklyarov, was "XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte". Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.

These systems all had substantial price tags, but they are all ludicrously weak, utterly worthless against any moderately competent attacker. The XOR and Rot 13 are so bad they can readily be broken with pencil and paper, not even using a computer. It is even fairly common for someone, with a bit of practice, to read Rot 13 by doing the decryption "in his head". The others are marginally stronger, perhaps difficult to attack with pencil and paper, but still trivially easy to break with a computer.

For other examples, see "Showcasing bad cryptography". Not all of those are true snake oil; some are just design or implementation blunders in systems that do not make outrageous marketing claims,

Warning signs

A few things are warning signs that a product is bogus, or at least should be treated as suspect. We cover only the most conspicuous here; for more complete lists see the references.

Extravagant claims — "unbreakable", "revolutionary", "military-grade". "hacker-proof", "breakthrough" — are a strong indicator that everything the vendor says should be treated skeptically.

Another strong indicator is a lack of technical details. This violates Kerckhoffs' Principle; no algorithm should be trusted until it has been published and analysed. If a vendor does not reveal the internal details of their system so that it can be analysed, that is strong evidence that they do not know what they are doing; the safest response is to assume their product is worthless. Any reason they give for not revealing the internals should be ignored; the only possible exception would be a large government agency who have their own analysts.

A lack of references to the research literature is a distinctly bad sign. Cryptography is a highly developed field with an extensive literature; anyone claiming technical competence or making claims for the strength of some new system should back those claims up with appropriate references.

"Cracking contests" that offer huge prizes but provide neither the details of the cipher nor any plaintext are another bad sign. A real attacker will very likely have both, so demonstrating that the cipher is secure against attackers with neither proves almost nothing. The main reason for such contests is to produce yet more marketing copy.

References to one-time pads are suspicious. Real one-time pads are provably unbreakable for certain attacks, but snake oil often claims unbreakability for things that are not actually one-time pads. In particular, anyone who claims to generate something "just like a one-time pad" from a key has a basic misunderstanding. One-time pads absolutely require a truly random key as long as the messages; no algorithm can possibly generate that from a smaller key. A system that generates its keying material is not a one-time pad; it is a stream cipher based on a random number generator. Secure stream ciphers and secure random number generators certainly exist (see the links for details), but snake oil vendors often have weak ones.

The next generation: Naughahyde?

Such warning signs are far from infallible. Peter Gutmann writes:

The determined programmer can produce snake oil using any crypto tools.
What makes the new generation of dubious crypto products more problematic than their predecessors is that the obvious danger signs that allowed bad crypto to be quickly weeded out are no longer present. A proprietary, patent-pending, military-strength, million-bit-key, one-time pad built from encrypted prime cycle wheels is a sure warning sign to stay well clear, but a file encryptor that uses Blowfish with a 128-bit key seems perfectly safe until further analysis reveals that the key is obtained from an MD5 hash of an uppercase-only 8-character ASCII password. [4]

He suggests "naugahyde crypto" as the appropriate term for such things .

Examples of this actually do turn up in practice [2].

References

  1. Bruce Schneier (February 1999). Snake Oil. Counterpane Inc..
  2. Dmitry Sklyarov (July 2001), eBook security - theory and practice
  3. Bruce Perens (August 2001), Dimitry Sklyarov: Enemy or friend?
  4. Peter Gutmann (2002). Lessons Learned in Implementing and Deploying Crypto Software.