Snake oil (cryptography)
In cryptography, the term snake oil is often used to refer to various products which do not offer anything like the security their marketing claims.
This is, regrettably, remarkably common; the reasons are rather varied. As in any field, marketers exaggerate. Many purchasers do not know enough to evaluate a cryptosystem. Even experts in other technical areas often do not know this stuff.
Warning signs
A few things are warning signs that a product is bogus, or at least should be treated as suspect. We cover only the most conspicuous here; for more complete lists see the references.
One indicator is extravagant claims: "unbreakable", "revolutionary", "military-grade", "hacker-proof", "breakthrough".
Another indicator is a lack of technical details or references to research literature. This violates Kerckhoffs' Principle; no algorithm can be trusted until it has been published and analysed. If a vendor does not reveal all the internal details of their system so that it can be analysed, then they do not know what they are doing; assume their product is worthless. Any reason they give for not revealing the internals can be ignored. The only exception would be a large government agency who have their own analysts. Even they might get it wrong; Matt Blaze found a flaw [1] in the NSA's Clipper chip within weeks of its internals becoming public.
A further indicator is references to one-time pads. Real one-time pads are provably unbreakable for certain attacks, but snake oil often claims unbreakability for things that are not actually one-time pads. There is some current research suggesting that certain techniques may offer equivalent security, but if the claim "just like a one-time pad" is made without reference to the specific research, one may be well-advised to look for a snake charmer.
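The difference between a real one-time pad and a look-alike can be shown in a few lines. This is an added example, not part of the original article: `OneTimePad` refuses to reuse pad bytes, while `repeating_key_encrypt` is a constructed stand-in for a scheme that stretches a short key; all names and sample messages are assumptions made for the illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Pad bytes are consumed once and never stretched or reused."""
    def __init__(self, pad: bytes):
        self._pad, self._used = pad, 0

    def encrypt(self, message: bytes) -> bytes:
        end = self._used + len(message)
        if end > len(self._pad):
            raise ValueError("pad exhausted; refusing to reuse key material")
        chunk, self._used = self._pad[self._used:end], end
        return xor_bytes(message, chunk)

def explaining_key(ciphertext: bytes, candidate: bytes) -> bytes:
    """With a real pad, every same-length candidate plaintext has a pad that
    explains the ciphertext, so the ciphertext alone rules nothing out."""
    return xor_bytes(ciphertext, candidate)

def repeating_key_encrypt(message: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a scheme that is NOT a one-time pad:
    a short key repeated to cover the message."""
    stream = (key * (len(message) // len(key) + 1))[:len(message)]
    return xor_bytes(message, stream)

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Same keystream used twice: the key cancels and m1 XOR m2 is exposed."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

if __name__ == "__main__":
    m1, m2 = b"PAY ALICE 100 USD", b"PAY BOB 9000 USD "  # constructed messages
    pad = secrets.token_bytes(len(m1))
    c = OneTimePad(pad).encrypt(m1)
    # A different pad "decrypts" the same ciphertext to m2 just as well.
    print(xor_bytes(c, explaining_key(c, m2)))
    key = secrets.token_bytes(4)
    leak = keystream_reuse_leak(repeating_key_encrypt(m1, key),
                                repeating_key_encrypt(m2, key))
    # The leak equals m1 XOR m2 whatever the key was.
    print(leak == xor_bytes(m1, m2))
```

When evaluating a "one-time pad" claim, the questions this raises are where the pad bytes come from, whether there are as many of them as message bytes, and what prevents any of them from being used twice.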
External links
- Matt Curtin's Snake Oil FAQ [2] is the commonest reference.