Snake oil (cryptography)

From Citizendium
Revision as of 19:08, 8 September 2014


In cryptography, the term snake oil [1] is used to refer to various products which have both wildly extravagant marketing claims and appallingly bad cryptography. Unfortunately, these are somewhat common.

The name "snake oil" comes from 19th Century medicine shows selling various "miracle cures"; snake oil was a common ingredient. It is a traditional medicine and still appears on ingredient lists for medicinal products in Asia [http://blogs.reuters.com/oddly-enough/2009/07/24/we-found-him-he-really-exists/].

Examples

For some examples, see Dmitry Sklyarov's Defcon presentation [2] on e-book security. One commentator called some of these systems "astonishingly inept cryptography software".[3] One company advertised "the only software in the universe that makes your information virtually 100% burglarproof!"; their actual encryption, according to Sklyarov, was "XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte". Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.

These systems all had substantial price tags, but they are all ludicrously weak, utterly worthless against any moderately competent attacker. The XOR and Rot 13 schemes are so bad that they can readily be broken with pencil and paper, without even using a computer. It is even fairly common for someone, with a bit of practice, to read Rot 13 by doing the decryption "in his head". The others are marginally stronger, perhaps difficult to attack with pencil and paper, but still trivially easy to break with a computer.
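As an added illustration (not from the article or from the products it describes), the following Python shows why the first e-book scheme is worthless: XOR-ing a byte with every byte of the string "encrypted" collapses to XOR with one constant byte, so only 256 keys exist and a reviewer evaluating such a product can exhaust them in a loop. The sample message and the letters-and-spaces scoring rule are constructed here.

```python
"""Added example: the e-book scheme quoted from Sklyarov, and why it is
worthless.  The key string is the one quoted on the page; the sample
message and scoring rule are constructed for this demonstration."""
from operator import xor
from functools import reduce
import codecs

KEY_STRING = b"encrypted"   # the vendor's "key", as quoted on the page
SAMPLE = b"Chapter 1: The contents of this e-book are protected."  # constructed
LETTERS_AND_SPACE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ")

def vendor_encrypt(plaintext: bytes, key_string: bytes = KEY_STRING) -> bytes:
    """The scheme as described: XOR each byte with every key byte in turn."""
    out = bytearray()
    for byte in plaintext:
        for k in key_string:
            byte ^= k
        out.append(byte)
    return bytes(out)

def effective_key_byte(key_string: bytes) -> int:
    """XOR is associative and commutative, so XOR-ing with each key byte in
    turn is the same as XOR-ing once with the XOR of all of them."""
    return reduce(xor, key_string, 0)

def recover_without_key(ciphertext: bytes) -> tuple[int, bytes]:
    """Ciphertext-only recovery: there are only 256 possible keys, so try
    every one and keep the candidate with the most letters and spaces."""
    best_key = max(range(256),
                   key=lambda k: sum((c ^ k) in LETTERS_AND_SPACE for c in ciphertext))
    return best_key, bytes(c ^ best_key for c in ciphertext)

def rot13(text: str) -> str:
    """Rot 13: shift letters by 13; applying it twice gives the original."""
    return codecs.encode(text, "rot_13")

if __name__ == "__main__":
    ct = vendor_encrypt(SAMPLE)
    k = effective_key_byte(KEY_STRING)
    assert ct == bytes(b ^ k for b in SAMPLE)        # the collapse is exact
    print("effective key byte:", hex(k))             # 0x66, the letter 'f'
    print("recovered:", recover_without_key(ct)[1])
    print(rot13("Snake oil"), rot13(rot13("Snake oil")))
```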

For other examples, see "Showcasing bad cryptography" [http://www.cryptofails.com/]. Not all of those are true snake oil; some are just design or implementation blunders in systems that do not make outrageous marketing claims.

Warning signs

A few things are warning signs that a product is bogus, or at least should be treated as suspect. We cover only the most conspicuous here; for more complete lists see the references.

Extravagant claims — "unbreakable", "revolutionary", "military-grade", "hacker-proof", "breakthrough" — are a strong indicator that everything the vendor says should be treated skeptically.

Another strong indicator is a lack of technical details. This violates Kerckhoffs' Principle; no algorithm should be trusted until it has been published and analysed. If a vendor does not reveal the internal details of their system so that it can be analysed, that is strong evidence that they do not know what they are doing; the safest response is to assume their product is worthless. Any reason they give for not revealing the internals should be ignored; the only possible exception would be a large government agency that has its own analysts.

A lack of references to the research literature is a distinctly bad sign. Cryptography is a highly developed field with an extensive literature; anyone claiming technical competence or making claims for the strength of some new system should back those claims up with appropriate references.

"Cracking contests" that offer huge prizes but provide neither the details of the cipher nor any plaintext are another bad sign. A real attacker will very likely have both, so demonstrating that the cipher is secure against attackers with neither proves almost nothing. The main reason for such contests is to produce yet more marketing copy.

References to one-time pads are suspicious. Real one-time pads are provably unbreakable for certain attacks, but snake oil often claims unbreakability for things that are not actually one-time pads. In particular, anyone who claims to generate something "just like a one-time pad" from a key has a basic misunderstanding. One-time pads absolutely require a truly random key as long as the messages; no algorithm can possibly generate that from a smaller key. A system that generates its keying material is not a one-time pad; it is a stream cipher based on a random number generator. Secure stream ciphers and secure random number generators certainly exist (see the links for details), but snake oil vendors often have weak ones.
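The point about generated "pads", as an added example that is not part of the article: a true pad of message length can turn a given ciphertext into any plaintext of that length, so the ciphertext reveals nothing, whereas a generator fed a 16-bit seed can only ever produce 65,536 keystreams, so at most 65,536 of the 2^32 possible 4-byte plaintexts are reachable. The generator is a toy xorshift constructed for this demonstration; any deterministic algorithm has the same limitation.

```python
"""Added example: why keying material generated from a small seed is a
stream cipher, not a one-time pad.  The toy generator, seed and message
are constructed here and stand in for any vendor's 'pad generator'."""

def toy_keystream(seed: int, length: int) -> bytes:
    """Toy PRNG: 32-bit xorshift seeded from a small integer."""
    state = ((seed * 0x9E3779B1) & 0xFFFFFFFF) or 1   # seed 0 would stick at zero
    out = bytearray()
    for _ in range(length):
        state ^= (state << 13) & 0xFFFFFFFF
        state ^= state >> 17
        state ^= (state << 5) & 0xFFFFFFFF
        out.append(state & 0xFF)
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def true_pad_for(ciphertext: bytes, target: bytes) -> bytes:
    """With a real one-time pad every plaintext is equally plausible: for
    any target of the right length there is a pad that decrypts to it."""
    return xor_bytes(ciphertext, target)

def reachable_plaintexts(ciphertext: bytes, seed_bits: int = 16) -> int:
    """Count the distinct plaintexts a seeded generator can decrypt to:
    never more than 2**seed_bits, however long the message is."""
    seen = {xor_bytes(ciphertext, toy_keystream(s, len(ciphertext)))
            for s in range(1 << seed_bits)}
    return len(seen)

if __name__ == "__main__":
    msg = b"PAY1"                                     # constructed 4-byte message
    ct = xor_bytes(msg, toy_keystream(12345, 4))      # "pad" from a 16-bit seed
    pad = true_pad_for(ct, b"PAY9")
    assert xor_bytes(ct, pad) == b"PAY9"              # a real pad could mean this too
    n = reachable_plaintexts(ct)
    print(f"seeded generator: {n} of {2**32} plaintexts reachable")
```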

The next generation: Naugahyde?

Such warning signs are far from infallible. Peter Gutmann writes:

The determined programmer can produce snake oil using any crypto tools.

What makes the new generation of dubious crypto products more problematic than their predecessors is that the obvious danger signs that allowed bad crypto to be quickly weeded out are no longer present. A proprietary, patent-pending, military-strength, million-bit-key, one-time pad built from encrypted prime cycle wheels is a sure warning sign to stay well clear, but a file encryptor that uses Blowfish with a 128-bit key seems perfectly safe until further analysis reveals that the key is obtained from an MD5 hash of an uppercase-only 8-character ASCII password. [4]

He suggests "naugahyde crypto" as the appropriate term for such things.

Examples of this actually do turn up in practice [http://www.randombit.net/bitbashing/security/juce_rng_vulnerability.html].
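A check for the "naugahyde" failure Gutmann describes, added here as an example and not taken from the article or from Gutmann's paper: the cipher (Blowfish with a 128-bit key) is fine, but the key is MD5 of an uppercase-only 8-character password, so the effective key space is set by the password policy, not the hash length. The functions derive the key as the passage describes and compare nominal with effective key bits; the password and the contrasting policy are assumed values.

```python
"""Added example: effective key strength of a key derived as in Gutmann's
passage (MD5 of an uppercase-only 8-character password).  Password values
and the alternative policy below are constructed for this demonstration."""
import hashlib
import math
import string

def derive_key_as_described(password: str) -> bytes:
    """MD5 of the password, 16 bytes, used directly as a 128-bit key."""
    if len(password) != 8 or any(c not in string.ascii_uppercase for c in password):
        raise ValueError("policy: exactly 8 uppercase ASCII letters")
    return hashlib.md5(password.encode("ascii")).digest()

def effective_key_bits(alphabet_size: int, length: int) -> float:
    """Entropy the key can actually have: log2 of the number of passwords
    the policy admits, regardless of the hash output size."""
    return length * math.log2(alphabet_size)

def security_gap(nominal_key_bits: int, alphabet_size: int, length: int) -> dict:
    """Nominal versus effective key bits for a password-derived key."""
    eff = effective_key_bits(alphabet_size, length)
    return {"nominal_bits": nominal_key_bits,
            "effective_bits": round(eff, 1),
            "wasted_bits": round(nominal_key_bits - eff, 1),
            "distinct_keys": alphabet_size ** length}

if __name__ == "__main__":
    key = derive_key_as_described("SECRETKY")        # assumed password
    print(len(key) * 8, "bit key from MD5")          # 128
    print(security_gap(128, 26, 8))                  # about 37.6 effective bits
    # contrast: 12 characters drawn from the 94 printable ASCII characters
    print(security_gap(128, 94, 12))
```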

References

  1. Bruce Schneier (February 1999). Snake Oil. Crypto-Gram Newsletter, Counterpane Inc. http://www.schneier.com/crypto-gram-9902.html#snakeoil
  2. Dmitry Sklyarov (July 2001). eBook security - theory and practice. http://www.cs.cmu.edu/~dst/Adobe/Gallery/ds-defcon/sld001.htm
  3. Bruce Perens (August 2001). Dimitry Sklyarov: Enemy or friend? http://news.zdnet.com/2100-9595_22-116424.html?legacy=zdnn
  4. Peter Gutmann (2002). Lessons Learned in Implementing and Deploying Crypto Software. http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02.pdf