Snake oil (cryptography)

From Citizendium
Revision as of 23:41, 23 March 2009 by Sandy Harris (External links: format fiddle)


In cryptography, the term snake oil [1] refers to products that combine wildly extravagant marketing claims with appallingly bad cryptography. Unfortunately, they are fairly common. The name comes from 19th-century medicine shows selling various "miracle cures", of which snake oil was a common ingredient. It still appears on the ingredient lists of some medicinal products in China.

For examples, see Dmitry Sklyarov's Defcon presentation [1] on e-book security. ZDnet [2] called some of these systems "astonishingly inept cryptography software". One company advertised "the only software in the universe that makes your information virtually 100% burglarproof!"; its actual encryption, according to Sklyarov, was "XOR-ing each byte with every byte of the string "encrypted", which is the same as XOR with constant byte". Another used ROT13, and another used the same fixed key for all documents. These systems all carried substantial price tags, yet all are ludicrously weak, utterly worthless even against an attacker armed only with pencil and paper.
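An added illustration of Sklyarov's point (not part of the original article): XOR-ing with every byte of a string collapses to XOR with a single constant byte, and one predictable plaintext byte is enough to recover that constant. The sample plaintext is constructed; the only value taken from the text is the key string "encrypted".

```python
from functools import reduce
from operator import xor

# Constructed sample plaintext standing in for the first bytes of an e-book.
SAMPLE_PLAINTEXT = b"Chapter 1. It was a bright cold day in April."
VENDOR_KEY = b"encrypted"   # the string Sklyarov reported being used as the "key"


def xor_with_each_byte(data: bytes, key: bytes) -> bytes:
    """The scheme as described: XOR every byte of the data with key[0],
    then with key[1], and so on through the whole key string."""
    out = bytes(data)
    for k in key:
        out = bytes(b ^ k for b in out)
    return out


def collapse_key(key: bytes) -> int:
    """XOR is associative and commutative, so applying key[0], key[1], ...
    in turn equals one XOR with key[0] ^ key[1] ^ ... . Repeated bytes
    cancel: the two 'e's in "encrypted" contribute nothing."""
    return reduce(xor, key, 0)


def xor_constant(data: bytes, c: int) -> bytes:
    """Single-byte XOR, which is all the scheme amounts to."""
    return bytes(b ^ c for b in data)


def recover_constant(ciphertext: bytes, known_byte: int, position: int = 0) -> int:
    """Recover the constant from one known plaintext byte (a file header or a
    predictable heading). Even without one there are only 256 candidates."""
    return ciphertext[position] ^ known_byte


def demo() -> bytes:
    """Encrypt with the vendor scheme, show it equals a one-byte XOR, then
    recover the full plaintext from a single guessed byte."""
    ct = xor_with_each_byte(SAMPLE_PLAINTEXT, VENDOR_KEY)
    c = collapse_key(VENDOR_KEY)
    assert ct == xor_constant(SAMPLE_PLAINTEXT, c)   # nine XORs, one constant
    c_guess = recover_constant(ct, ord("C"))         # "Chapter" is predictable
    return xor_constant(ct, c_guess)                 # plaintext back, no key needed


if __name__ == "__main__":
    print(hex(collapse_key(VENDOR_KEY)), demo())
```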

Warning signs

A few things are warning signs that a product is bogus, or at least should be treated as suspect. We cover only the most conspicuous here; for more complete lists see the references.

Extravagant claims — "unbreakable", "revolutionary", "military-grade", "hacker-proof", "breakthrough" — are a strong indicator that everything the vendor says should be treated skeptically.

Another strong indicator is a lack of technical details. This violates Kerckhoffs' Principle; no algorithm can be trusted until it has been published and analysed. If a vendor does not reveal all the internal details of their system so that it can be analysed, then they do not know what they are doing; assume their product is worthless. Any reason they give for not revealing the internals can be ignored; the only exception would be a large government agency that has its own analysts.

A lack of references to the research literature is a distinctly bad sign. Cryptography is a highly developed field with an extensive literature; anyone claiming technical competence or making claims for the strength of some new system should back those claims up with appropriate references.

"Cracking contests" that offer huge prizes but provide neither the details of the cipher nor any plaintext are another bad sign. A real attacker will very likely have both, so demonstrating that the cipher is secure against attackers with neither proves almost nothing. The main reason for such contests is to produce yet more marketing copy.

References to one-time pads are suspicious. Real one-time pads are provably unbreakable for certain attacks, but snake oil often claims unbreakability for things that are not actually one-time pads. In particular, anyone who claims to generate something "just like a one-time pad" from a key has a basic misunderstanding. One-time pads absolutely require a truly random key as long as the messages; no algorithm can possibly generate that from a smaller key. A system that generates its keying material is not a one-time pad; it is a stream cipher based on a random number generator. Secure stream ciphers and secure random number generators certainly exist (see the links for details), but snake oil vendors often have weak ones.

The next generation: Naugahyde?

Such warning signs are far from infallible. Peter Gutmann [2] writes:

The determined programmer can produce snake oil using any crypto tools.

What makes the new generation of dubious crypto products more problematic than their predecessors is that the obvious danger signs that allowed bad crypto to be quickly weeded out are no longer present. A proprietary, patent-pending, military-strength, million-bit-key, one-time pad built from encrypted prime cycle wheels is a sure warning sign to stay well clear, but a file encryptor that uses Blowfish with a 128-bit key seems perfectly safe until further analysis reveals that the key is obtained from an MD5 hash of an uppercase-only 8-character ASCII password.

He suggests "naugahyde crypto" as the appropriate term for such things.

Examples of this actually do turn up in practice [3].

External links

Matt Curtin's Snake Oil FAQ [4] is the commonest reference.

References

  1. Bruce Schneier (February 1999). Snake Oil. Counterpane Inc.
  2. Peter Gutmann (2002). Lessons Learned in Implementing and Deploying Crypto Software.