Snake oil (cryptography)
In cryptography, snake oil is a term used to describe commercial cryptographic methods and products which are considered bogus or fraudulent, and therefore insecure. The name derives from snake oil, one type of quack medicine widely available in the 19th-century United States. Systems labelled as snake oil typically employ ciphers with excessively large key lengths or which need no keys at all, or secret algorithms and devices that claim to solve all security problems.
Distinguishing secure cryptography from insecure cryptography can be surprisingly difficult from the viewpoint of a user; for example, the output of both weak and strong encryption methods will typically resemble gibberish. It is rarely possible to measure the security of an encryption method from its output alone; and even when there is a trivial way to crack an encryption method, there are few effective methods known for finding such a technique from the method's description.
Common characteristics
Certain characteristics are often viewed as signs of snake oil cryptography:
- Reliance on a secret algorithm, technique, or device. Criticisms of this are twofold; firstly, a long-standing principle of cryptography is that "the enemy knows the system" — Shannon's Maxim (see also Kerckhoffs' law). The argument is based on the observation that some secrets are inevitably compromised in actual practice, therefore any secrets used by the system should be small and easily changeable — a key, rather than a critical algorithm. Secondly, secret methods are not amenable to public peer review and cryptanalysis and so to detection of mistakes by other eyes.
- "Technobabble". Sometimes a snake oil purveyor may offer a complicated description which is confusing, vague, or obscure, and using previously unknown concepts or breakthroughs. Since even high quality, very secure and legitimate cryptography descriptions can be complex and highly technical, it may be difficult to distinguish bogus nonsense from inevitable complication.
- Modification of standard algorithms. It is argued that a sign of bad cryptography is the use of a well-known and trusted cryptographic method that has been "improved" or "hardened" in some ad-hoc (perhaps secret) way; there is a risk that, and a considerable track record of, such alterations drastically weakening a cryptosystem.
- Very long key lengths. Critics suggest that the use of key lengths much larger than is typical (for example, a "million bit key") is a sign of snake oil cryptography. It is argued that key lengths of 128 bits are adequate (at least for symmetric ciphers), that longer key lengths provide no additional practical security, and that a long key will not fix the weaknesses of a poor underlying algorithm.
- Cryptosystems based on one-time pads for which the key material 'pads' are generated or expanded by the software cryptosystem, by the operating system, or provided by the vendor. While the one-time pad has a proof of security, it is argued that a system based on the one-time pad would be too impractical to be of any use for most applications. The one-time pad requires large amounts of truly random key material, which then needs to be transferred securely to the recipient of the encrypted message. A truly random sequence cannot be identically reproduced, hence a pad generated at both ends, rather than generated at a single point and transferred, cannot be random. Moreover, it is also argued that many applications claiming to use the one-time pad are, upon close inspection, generating the key using deterministic methods, losing the proof of unbreakability.
- The cryptosystem is described as "absolutely unbreakable". There currently exists a mathematical proof of unbreakability only for the one-time pad (and further only under certain conditions), and it is argued that claiming other systems to be unbreakable is fraudulent.
- The cryptosystem has facilities for recovering lost keys. It is argued that if a legitimate user can recover a lost key, a sufficiently clever and determined attacker might be able to use the same method, thereby rendering all messages encrypted using that key entirely insecure. Even if the company or person who developed the cryptosystem keeps the recovery technique proprietary, it is quite possible that it might be discovered. The only exceptions are secret sharing and key escrow systems, and they are neither straightforward nor easy to securely implement. These systems still don't recover completely lost keys; they merely distribute secrets to other parties in particular ways.
- The cryptosystem vendor or developer claims that standard methods are insecure, or will become insecure. Critics of such claims argue that standard methods have been studied by a large body of experts, and the majority have no known drastic insecurities.
- The cryptosystem vendor/developer is unfamiliar with applicable legal restrictions. Governmental concern about the dangers of communication which cannot be known to security/intelligence personnel is a fact of cryptographic life. If the vendor/developer is innocent of this reality, one would be well advised to be wary of other cryptographic lacunae.
- The cryptosystem is described as "military grade" or "used by NSA", etc., without specifics. NSA does not discuss its systems with any commercial or private vendor; it certainly does not permit any to sell them outside the government. NSA develops cryptosystems for the use of the US government (military, diplomats, etc.) and it doesn't discuss them with or release them to others either. Similar constraints apply elsewhere (as in the case of the UK's GCHQ). In the case of such claims, the vendor/developer is either uninformed, lying, or is offering stolen government designs which will involve their users in much unpleasantness when that fact is discovered.
- The cryptosystem is described as "foolproof". Bruce Schneier has argued that "security is a process", and as is oft-quoted in cryptography and security circles, "a chain is as strong as its weakest link". In a respectable cryptosystem, the cryptographic algorithm used is almost never the weakest link. Trying to promote a new cryptographic algorithm by using a new "simple" cryptosystem shows a lack of understanding of the hardness of making such a design. If a simple secure cryptosystem could be designed, it would be more secure to simply use one of the well established, analysed and tested algorithms (e.g., the Advanced Encryption Standard, also known as Rijndael) in this setting. To date, no cryptosystem is publicly known which cannot be misused by fools. Such a system might exist or be invented, but experience shows it would be very hard to design. Proving that such a design is foolproof would be impossible, as it requires proving a negative.
- The cryptosystem is endorsed by "security experts", unknown or even anonymous, or by people who are not expert cryptographers (ex-hackers, business managers, etc.). Critics argue that cryptographic algorithms should be published and analysed in the academic literature. These claims, without the actual publication of the algorithms and the analysis of these algorithms, are essentially always merely sales babble. An athlete may well be able to use "his" brand of shoes on the field, and be personally satisfied of their quality. However, a user of a cryptosystem who feels that he cannot break it has exactly the same evidence as one who feels that Japanese is unbreakable because he cannot read it. Some other person, who speaks Japanese, can.
- The cryptosystem relies on some neglected backwater of mathematical theory, and brands its cryptographic use of it "revolutionary". While it's true that professional cryptographers often propose systems based on exotic math, these are intended for academic discussion, not practical deployment. It is impossible to make honest assertions of the security of a cipher based on math that's familiar to only a few researchers. The mathematics used for current cryptography is relatively well understood and well studied; its future is less likely to hold unpleasant surprises. Cryptography based on unfamiliar math (such as braid groups or multivariate cryptography) underwent years of study before professionals had enough confidence in it to use it for practical deployments.
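The one-time pad point above (a pad "expanded by the software cryptosystem" loses the proof of unbreakability) can be made concrete. The following is an added example, not part of the original article: it contrasts a pad drawn from the OS random source with a pad expanded from a small seed by a deterministic generator. With a true pad every same-length plaintext is consistent with a given ciphertext, because the pad that maps it there always exists; with an expanded pad only as many plaintexts as there are seeds are reachable, so the ciphertext rules out almost every candidate. The messages, the 12-bit seed size and the seed value are constructed for the demonstration.

```python
import os
import random

# Constructed sample messages, all 14 bytes so each is a candidate for the same ciphertext.
CANDIDATES = [b"attack at dawn", b"attack at dusk", b"defend at noon"]
SEED_BITS = 12  # deliberately tiny seed space so the enumeration finishes in well under a second


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """One-time-pad style XOR; encryption and decryption are the same operation."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def true_pad(length: int) -> bytes:
    """Pad from the OS CSPRNG: fresh, unpredictable, and not reproducible at the other end."""
    return os.urandom(length)


def expanded_pad(seed: int, length: int) -> bytes:
    """A 'pad' expanded from a small seed by a deterministic generator (what many snake-oil products do)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def consistent_under_otp(ciphertext: bytes, candidates) -> list:
    """True pad: for every same-length candidate, pad = ciphertext XOR candidate is a valid pad, so all are consistent."""
    return [c for c in candidates if len(c) == len(ciphertext)]


def consistent_under_expanded(ciphertext: bytes, candidates) -> list:
    """Expanded pad: only 2**SEED_BITS plaintexts are reachable from the ciphertext, so most candidates are excluded."""
    reachable = {xor_pad(ciphertext, expanded_pad(s, len(ciphertext))) for s in range(1 << SEED_BITS)}
    return [c for c in candidates if c in reachable]


def demo(seed: int = 1234):
    """Encrypt the first candidate both ways and report which candidates each ciphertext is consistent with."""
    secret = CANDIDATES[0]
    ct_otp = xor_pad(secret, true_pad(len(secret)))
    ct_exp = xor_pad(secret, expanded_pad(seed, len(secret)))
    return consistent_under_otp(ct_otp, CANDIDATES), consistent_under_expanded(ct_exp, CANDIDATES)


if __name__ == "__main__":
    otp_ok, exp_ok = demo()
    print("true pad: ciphertext consistent with", otp_ok)        # all three candidates
    print("expanded pad: ciphertext consistent with", exp_ok)    # only the real plaintext
```

The perfect-secrecy argument is exactly the first list: the ciphertext alone cannot prefer one candidate over another; the second list shows why a seed-expanded pad is an ordinary stream cipher whose strength is bounded by the seed, not by the pad length.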
External links
- Beware of Snake Oil (http://www.philzimmermann.com/EN/essays/SnakeOil.html) — by Phil Zimmermann
- The Snake Oil FAQ (http://www.interhack.net/people/cmcurtin/snake-oil-faq.html) by Matt Curtin and others.
- Google Search results for "The Doghouse" in Bruce Schneier's Crypto-Gram newsletters (http://www.google.com/search?q=site:www.schneier.com%20%22The%20Doghouse:%22) (the Doghouse section of the Crypto-Gram newsletter frequently describes various Snake Oil encryption methods).