Monday, August 04, 2003

Security: Snake Oil Warning Signs

Here is a useful overview of security with pointers to the right FAQs and articles. An excerpt will give you the flavor...

Snake Oil Warning Signs: Encryption Software to Avoid

"Trust Us, We Know What We're Doing''
Perhaps the biggest warning sign of all is the ``trust us, we know what we're doing'' message that's either stated directly or implied by the vendor. If the vendor is concerned about the security of their system after describing exactly how it works, it is certainly worthless. Regardless of whether or not they tell, smart people will be able to figure it out. The bad guys after your secrets (especially if you are an especially attractive target, such as a large company, bank, etc.) are not stupid. They will figure out the flaws. If the vendor won't tell you exactly and clearly what's going on inside, you can be sure that they're hiding something, and that the only one to suffer as a result will be you, the customer.

Technobabble
If the vendor's description appears to be confusing nonsense, it may very well be so, even to an expert in the field. One sign of technobabble is a description which uses newly invented terms or trademarked terms without actually explaining how the system works. Technobabble is a good way to confuse a potential user and to mask the vendor's own lack of expertise...

Secret Algorithms
Avoid software which uses secret algorithms. This is not considered a safe means of protecting data. If the vendor isn't confident that its encryption method can withstand scrutiny, then you should be wary of trusting it.

A common excuse for not disclosing an algorithm is that "hackers might try to crack the program's security." While this may be a valid concern, it should be noted that such "hackers" can reverse-engineer the program to see how it works anyway. This is not a problem if the algorithm is strong and the program is implemented properly.

Using a well-known trusted algorithm, providing technical notes explaining the implementation, and making the source code available are signs that a vendor is confident about its product's security. You can take the implementation apart and test it yourself. Even if the algorithm is good, a poor implementation will render a cryptography product completely useless. However, a lock that attackers can't break even when they can see its internal mechanisms is a strong lock indeed. Good cryptography is exactly this kind of lock...

Revolutionary Breakthroughs
Beware of any vendor who claims to have invented a "new type of cryptography" or a "revolutionary breakthrough." True breakthroughs are likely to show up in research literature, and professionals in the field typically won't trust them until after years of analysis, when they're not so new anymore.

The strength of any encryption scheme is only proven by the test of time. New crypto is like new pharmaceuticals, not new cars. And in some ways it's worse: if a pharmaceutical company produces bogus drugs, people will start getting sick, but if you're using bogus crypto, you probably won't have any indication that your secrets aren't as secret as you think...

Experienced Security Experts, Rave Reviews, and Other Useless Certificates
Beware of any product that claims it was analyzed by "experienced security experts" without providing references. Always look for the bibliography. Any cipher that they're using should appear in a number of scholarly references. If not, it's obviously not been tested well enough to prove or disprove its security...

Unbreakability
Some vendors will claim their software is "unbreakable." This is marketing hype, and a common sign of snake oil. No algorithm is unbreakable. Even the best algorithms are susceptible to brute-force attacks, though this can be impractical if the key is large enough...
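The brute-force point above is easy to make concrete. The following is an added illustration, not code from the FAQ or from this blog: it builds a deliberately toy keyed scheme (a SHA-256-derived keystream, constructed here only so that key size is the sole variable), exhaustively searches a 16-bit key space in well under a second, and then scales the same per-key cost to a 128-bit key space. The `keys_per_second` rate and the sample message are assumed values for the illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keystream(key: int, length: int) -> bytes:
    # Toy keystream: SHA-256 of the key, truncated to the message length.
    # Constructed for this example only; it is not a real cipher.
    return hashlib.sha256(key.to_bytes(16, "big")).digest()[:length]


def encrypt(key: int, plaintext: bytes) -> bytes:
    # XOR with the keystream; the same call also decrypts.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Exhaustively try every key in a 2**key_bits space.

    Returns (key, tries) on success or (None, 2**key_bits) if no key matches.
    The attacker model is a known-plaintext one: the searcher knows what the
    message should decrypt to and stops when a candidate key reproduces it.
    """
    for key in range(1 << key_bits):
        if encrypt(key, known_plaintext) == ciphertext:
            return key, key + 1
    return None, 1 << key_bits


def expected_years(key_bits: int, keys_per_second: float) -> float:
    """Expected wall-clock years for an exhaustive search at a given rate.

    On average half the key space is searched before the right key is hit.
    """
    return (2 ** (key_bits - 1)) / keys_per_second / SECONDS_PER_YEAR


def demo():
    # Constructed sample: a 16-bit key and a short message.
    key = 0xBEEF
    message = b"meet at noon"
    ciphertext = encrypt(key, message)

    start = time.perf_counter()
    found, tries = brute_force(ciphertext, message, key_bits=16)
    elapsed = time.perf_counter() - start
    rate = tries / elapsed if elapsed > 0 else float("inf")

    # Scale the measured rate to 128-bit keys; the number is astronomical
    # even if the attacker is assumed to be a trillion times faster.
    years_128 = expected_years(128, rate)
    years_128_fast = expected_years(128, 1e12)
    return found, tries, years_128, years_128_fast


if __name__ == "__main__":
    found, tries, years_128, years_128_fast = demo()
    print(f"16-bit key recovered: {found:#x} after {tries} tries")
    print(f"128-bit key at this machine's rate: ~{years_128:.3e} years")
    print(f"128-bit key at 1e12 keys/s:          ~{years_128_fast:.3e} years")
```

The 16-bit search succeeds every time, which is exactly the FAQ's point: "unbreakable" is never true, only "impractical" is, and impractical is a property of the key size and the attacker's budget, not of the vendor's marketing. Note that the XOR-with-keystream construction shown here is intentionally a toy; the key-space arithmetic applies to any cipher whose only weakness is exhaustive search.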

"Military Grade''
Many crypto vendors claim their system is ``military grade.'' This is a meaningless term, since there isn't a standard that defines ``military grade,'' other than actually being used by various armed forces. Since these organizations don't reveal what crypto they use, it isn't possible to prove or disprove that something is ``military grade.''
