Crypto Snake Oil

ScuttleMonkey posted more than 7 years ago | from the never-trust-a-man-selling-something dept.

An anonymous reader writes "Luther Martin of Voltage Security has published an article about the perception of cryptography today with regards to quality and honesty in vendors. From the article: 'Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography. Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.'"

215 comments

Snake Oil (5, Informative)

Anonymous Coward | more than 7 years ago | (#16032041)

Snake oil is a traditional Chinese medicine used for joint pain. However, the most common usage of the words is as a derogatory term for medicines to imply that they are fake, fraudulent, and usually ineffective. The expression is also applied metaphorically to any product with exaggerated marketing but questionable or unverifiable quality.

'nuff said

Re:Snake Oil (2, Insightful)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#16032126)

...any product with exaggerated marketing but questionable or unverifiable quality.

Like a religion?!

Re:Snake Oil (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16032680)

OMF,

Why did you bring up religion? I thought you were obsessed with math?

regards,
gerry [who imagines he enjoys math, too]

Re:Snake Oil (-1, Offtopic)

DittoBox (978894) | more than 7 years ago | (#16033068)

'Insightful?' Shouldn't this be modded troll or at least off-topic? There's nothing about this post that has anything to do with Snake Oil or Cryptography. It's just begging for flames. I thought slashdot was about evaluating the world by what it does and not what it says it does. If that's true then blanket statements and generalizations about religion would be left 'out there,' and we'd stick to the facts. But instead many slashdotters are so religious (spiteful, rude, hateful and intolerant) about being anti-religious that it's quite hard to see the difference between the nutjobs that claim 'God hates fags' and the nutjobs that claim 'religions are bads!!'

Zen doesn't teach these things. Nor did Jesus. Don't throw out the real followers with the bad ones. Don't throw out the baby with the bathwater.

I dislike the average judgementalist religious types as much as the next slashdotter but comments like these in completely different forums simply shouldn't be here, let alone modded 'insightful.' There's at least one mod who isn't doing his job, lest that'd have been modded 'off-topic.'

Article taken from Wikipedia??? (3, Interesting)

transporter_ii (986545) | more than 7 years ago | (#16032245)

So did he write the article and then post it on wikipedia, or did he swipe it from wikipedia and post it on his site?

http://en.wikipedia.org/wiki/Snake_oil [wikipedia.org]

Not trying to troll, I just couldn't figure out which it was and I don't have a lot of time to investigate.

Transporter_ii

Re:Article taken from Wikipedia??? (1)

gEvil (beta) (945888) | more than 7 years ago | (#16032333)

Or it could possibly be neither, since the definitions given in both are generally accepted and don't match up word for word (assuming you're trying to insinuate plagiarism). Yes, they're similar, but they are not identical. Anyone familiar with the term or its history would write something very similar if asked to...

Still not too bad (3, Interesting)

legoburner (702695) | more than 7 years ago | (#16032047)

Even though in many cases this might be true, and product prices are increased because of it, weak encryption is a lot better than no encryption at all. There are many people out there who might go as far as casual data theft (e.g. taking someone's USB memory stick at their school), but even a weak layer of encryption will stop all but those who know what encryption is and where to start breaking it.

Re:Still not too bad (4, Interesting)

TCM (130219) | more than 7 years ago | (#16032055)

I'm not so sure. Once a flawed implementation has been broken, there will be tools to crack it.

Take WEP for example. I personally wouldn't know how to crack it. But others do. They develop tools. Et voila, today it's trivial to download some tool and break WEP, even for novices.

Weak encryption is never good and should be strongly discouraged.

Re:Still not too bad (4, Insightful)

Panaflex (13191) | more than 7 years ago | (#16032059)

WEP is still a great example... it's enough of a pain that if given the choice between breaking a WEP connection and using an open WAP - well, you'll choose the open one.

In that case, WEP really does work for most people.

Re:Still not too bad (1)

jimmypw (895344) | more than 7 years ago | (#16032138)

When you don't find an open WAP there's only WPA and WEP encrypted ones...
Why would you want to use WEP when on most routers WPA v1 or v2 is available and is no harder to set up?!?

In that case, WEP really DOESN'T work for most people.

Re:Still not too bad (2, Insightful)

Panaflex (13191) | more than 7 years ago | (#16032179)

Ok, let's say you're strolling around and looking to hook some free internet connection, eh?

In the amount of time it takes to walk to the nearest open WAP, you probably couldn't grab enough packets to break WEP.

But if your intentions are, ohh I don't know.. say DARKER. Then yes, WEP is not going to protect the target of your GRISLY, ABYSMAL ABOMINATION of h4x0ring.

I leave my WAP open.. because it reminds me that no communication is secure unless I MAKE it secure. I don't rely on the router or anything else to protect me - only well tested protocols and applications.

Re:Still not too bad (3, Informative)

nxtw (866177) | more than 7 years ago | (#16032249)

Why would you want to use WEP when on most routers WPA v1 or v2 is available and is no harder to set up?!?

Because WPA is inconvenient when you're using a device that doesn't support it.

Re:Still not too bad (4, Interesting)

Snarfangel (203258) | more than 7 years ago | (#16032066)

I'm not so sure. Once a flawed implementation has been broken, there will be tools to crack it.

Plus, if there is *no* encryption, people are less likely to put sensitive information in the application.

To use an analogy, consider two locker rooms. Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

Re:Still not too bad (1)

eMbry00s (952989) | more than 7 years ago | (#16032241)

Both!

You don't go bathing with your wallet.

(sorry)

Re:Still not too bad (3, Funny)

Anonymous Coward | more than 7 years ago | (#16032336)

behind the fire extinguisher in the hall between room A and room B. Security through obscurity!

Re:Still not too bad (3, Insightful)

Phleg (523632) | more than 7 years ago | (#16032480)

In which one is a person more likely to leave their wallet?
Am I the only person who thinks the correct answer to this question is in his pocket?

Re:Still not too bad (2, Insightful)

k98sven (324383) | more than 7 years ago | (#16032492)

To use an analogy, consider two locker rooms. Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

I take it you're implying the correct answer would then be "Neither". And I'd agree.

Problem is, it's not a relevant point. The context here is consumer's ignorance on the performance of crypto products. If someone is buying a crypto product, they must have determined that they need one. Or to continue your analogy: They have already decided that they're going to leave their wallet in a locker. The problem is that they can't tell the difference between a locker room where all the locks have the same combination, and the safer locker room where they don't.

And given that assumption (that they're going to put their wallet in a locker anyway), the poster who claimed that weak encryption is still better than none is right: If you're going to put your wallet in a locker, it's better to put it in one with a bad lock than none at all.

Continuing the analogy: With no lock, any casual bypasser with no particular knowledge at all can easily and quickly check the lockers for any valuables. "Opportunity makes the thief" as they say. Whereas if you at least had a bad lock, finding your wallet would at least require some knowledge of locks. It would also impede the person searching the lockers, which increases the likelihood of them being discovered before they find your wallet. All in all, a safer situation.

Now obviously, a good and proper lock is better than a bad one. The problem here is that the consumer can't tell the difference when making the choice between the good and bad ones.

But the option of "don't store valuables in it" simply isn't on the table: They've already determined that they're going to store valuables in it, because that's why they wanted a lock in the first place.

Re:Still not too bad (2, Funny)

BobNET (119675) | more than 7 years ago | (#16032645)

Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

Put the wallet in your sneaker. I put it down by the toe, they never look there!

Re:Still not too bad (5, Interesting)

Lord Ender (156273) | more than 7 years ago | (#16032082)

I would say that there is an inverse relation (at least somewhat) between price of crypto software and real security.

The cheaper the software is, the greater the number of people who could have peer-reviewed it for correctness. The more open the software, likewise.

Really expensive software could only have been peer-reviewed by a small number of people, while free, open source software could have been reviewed by a huge number of people.

I recently was asked to recommend a way for my CEO and several other executives to secure their IMs. I recommended gaim + gaim-encryption because it was all open source and free, so if there were a flaw in the crypto implementation, it would likely have been discovered already.

I also made sure the CEO knew that he was using open source software, and I told him why. He was totally down with it :-)

Re:Still not too bad (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16032159)

Unfortunately this is a flawed approach. A million people may have read it, but if none of them were cryptographers then it was no better than if nobody had read it. What's really important is _who_ has read the code, not how many.

Re:Still not too bad (2, Informative)

abhi_beckert (785219) | more than 7 years ago | (#16032165)

Peer reviewed does not equal security. It could be there are several known flaws in something that's had "peer reviews", or it could be the system is totally open but hasn't been around long enough to be tested thoroughly, or maybe it's been around forever but is now using a faster algorithm that hasn't been proven to be secure...

If you want security, ask an authority on the matter rather than basing it on indirect things like price, openness, etc.

Re:Still not too bad (1)

Jsprat23 (148634) | more than 7 years ago | (#16032430)

Given that gaim-encryption is currently based off of Mozilla's NSS and NSPR libraries, I think it's pretty safe to assume that the "right people" have looked at them. Most of g-e is an interfacing layer between gaim and the underlying encryption that also prevents replay attacks by inserting nonces into the stream.
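The replay check the comment above describes, as an added example (not gaim-encryption's own code): each frame carries a nonce, the authentication tag covers the nonce, and the receiver refuses any nonce that is not strictly newer than the last one it accepted. Assumed here: a pre-shared 32-byte key, HMAC-SHA256 tags and an 8-byte per-session counter as the nonce.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

# Added example, not gaim-encryption's own code. Frame layout:
#   nonce (8-byte big-endian counter) || payload || HMAC-SHA256 tag
# Assumed: pre-shared 32-byte key shared by both ends of one direction.

NONCE_LEN = 8
TAG_LEN = 32


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


class Sender:
    """Produces frames of the form nonce || payload || tag."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def seal(self, payload: bytes) -> bytes:
        self.counter += 1                       # fresh nonce for every frame
        body = struct.pack(">Q", self.counter) + payload
        return body + _tag(self.key, body)


class Receiver:
    """Verifies the tag first, then enforces nonce freshness."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_accepted = 0

    def open(self, frame: bytes) -> Tuple[bool, bytes]:
        if len(frame) < NONCE_LEN + TAG_LEN:
            return False, b""                   # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time compare; a bad tag means forgery or corruption,
        # and it also stops anyone from rewriting the nonce on a captured frame.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False, b""
        (nonce,) = struct.unpack(">Q", body[:NONCE_LEN])
        if nonce <= self.last_accepted:
            return False, b""                   # replayed (or reordered) frame
        self.last_accepted = nonce
        return True, body[NONCE_LEN:]


def demo() -> Tuple[bool, bool, bool]:
    """Constructed exchange: first delivery accepted, replay and tamper rejected."""
    key = secrets.token_bytes(32)
    alice, bob = Sender(key), Receiver(key)
    frame = alice.seal(b"meet at 10")
    first_ok, _ = bob.open(frame)
    replay_ok, _ = bob.open(frame)          # the same bytes delivered again
    tampered = bytearray(frame)
    tampered[NONCE_LEN] ^= 0x01             # flip one payload bit
    tamper_ok, _ = bob.open(bytes(tampered))
    return first_ok, replay_ok, tamper_ok
```

Without the tag the counter could be rewritten; without the counter a valid frame could be re-sent at will, which is the replay the comment refers to. Reordered frames are rejected as well, which is acceptable over an in-order IM transport.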

Re:Still not too bad (2, Informative)

Lord Ender (156273) | more than 7 years ago | (#16032983)

Peer reviewed does not equal security. It could be there are several known flaws in something that's had "peer reviews"...

Yes, "it could be" that many unlikely things are true. But they are still unlikely.

Are you new to cryptology? It seems you are unfamiliar with the fundamental tenet of cryptography: "If lots of smart people have failed to solve a problem, then it probably will not be solved anytime soon."

You seem to think peer review doesn't have much to do with cryptography, but I would argue that it is the most important thing. If you expect an algorithm to be "provably" secure, then the only algorithm you have any business using is OTP.

Because it is unreasonable to expect you to hire "lots of smart people" to review any crypto you use, the next best thing is to go for using a solution that lots of people (in general) use, and assume that a subset of those people were smart :-)

You really should pick up this book [amazon.com] as a basic intro to crypto.

Re:Still not too bad (1)

Jeremi (14640) | more than 7 years ago | (#16033033)

If you want security, ask an authority on the matter rather than basing it on indirect things like price, openness, etc

Of course, the authority's opinion on the product might be mistaken also. What we really need is a way for laypeople to test a program's security themselves.... some sort of auto-hacker-in-a-box software, perhaps. I have no idea if that's even remotely feasible, but it would be really useful.

Re:Still not too bad (2, Interesting)

RoboSpork (953532) | more than 7 years ago | (#16032431)

gaim-encryption is flawed in that it is a weak encryption scheme. Off The Record [cypherpunks.ca] is a far superior gaim plugin providing much stronger encryption, authentication, deniability, and secrecy into the future. Read how it compares to gaim-encryption on their website. Their whitepaper [cypherpunks.ca] is a really good introduction to what can make encryption strong vs what can make it weak, definitely worth a read for anyone new to crypto. And besides all that, open source != secure. That is a really bad assumption to make.

Re:Still not too bad (2, Informative)

Ernesto Alvarez (750678) | more than 7 years ago | (#16032647)

Would you please explain why gaim-encryption is weak?

OTR might be a better choice for social communications, as explained in the paper, but that does not make gaim-encryption (or PGP, etc) weak. For its intended purpose both PGP and gaim-encryption seem strong.

If I wanted to authenticate and keep a message secret from eavesdroppers, I would have no problems using gaim-encryption. At work, non-repudiation is really not a problem, and if my key was compromised, IM compromise would be my smallest problem (assuming that with that key, my SSH and PGP ones were compromised too).

If you know gaim-encryption is weak, I'd like to hear about it. But it looks to me that it is strong, provided you know what you're getting into.

Re:Still not too bad (1)

duplo1 (719988) | more than 7 years ago | (#16032207)

I disagree. While weak encryption and other security services might offer short-term benefits, one often starts to take it for granted and consider it to be highly secure. This creates a false sense of security and perhaps even a level of hubris that can be devastating when exploited.

Re:Still not too bad (1)

vidarlo (134906) | more than 7 years ago | (#16032221)

Even though in many cases this might be true, and product prices are increased because of it, weak encryption is a lot better than no encryption at all. There are many people out there who might go as far as casual data theft (eg; taking someone at their school's USB memory stick), but even a weak layer of encryption will stop all but those who know what encryption is and where to start breaking it.

If you don't think, you'll agree that weak crypto is better than no crypto. The problem is if you believe the crypto to be strong crypto, and behave carelessly. If you imagine something is uncrackable, like pgp pretty much is, but in reality is ROT13, and trivial to crack, you can get a serious backlash.

You would normally not carry the credit card number and all details with you on a usb drive. But what if you used ACME MegaCrypt v2.0 for it? Wouldn't you feel safe? Then what if it was not safe? You could end up without a single cent. Even though you had it encrypted...

That is the problem. Weak encryption might be sufficient if you *know* it is weak encryption and judge it to be enough. If you, however, believe your encryption is foolproof, whilst it is not, then you have a big gaping problem.

Re:Still not too bad (2, Informative)

inviolet (797804) | more than 7 years ago | (#16032476)

If you imagine something is uncrackable, like pgp pretty much is [. . .]

Cracking PGP is still a Hard Problem, but the times they are a'changin'. It may succumb to quantum computing. Or, it may fall under the combined assault of the army of mathematicians who are studying integer factorization. Nobody knows for sure, but the NSA has been telling people for years now to not rely on RSA. They suggest switching over to Elliptic Curve or other advanced algorithm.

Re:Still not too bad (1)

Purdah (587096) | more than 7 years ago | (#16032240)

weak encryption is a lot better than no encryption at all

There are many schools of thought on this subject, but in general this train of thought will generally mean LESS security rather than more security.

The reason is that the sort of people who DO NOT know how to choose effective security measures in the first place, will also not be aware [wikipedia.org] of other security measures [wikipedia.org] required to really protect the data.

What this means in practice is that someone who believes the snake oil claims of a particular product will, under a false sense of security, be more reckless with the data, ie leaving it on laptops which get stolen etc.

This is kind of like believing that as my car has a good immobiliser I can leave it unlocked. This is of course great until someone steals the wheels on your car because the key to your wheel locking nuts was left in the glovebox. In this case you still have your car but you are still unable to use it.

Obligatory SoaP reference (1, Funny)

Conanymous Award (597667) | more than 7 years ago | (#16032053)

Samuel L. Jackson's favorite dish: Snakes in Oil! Probably virgin oil at that.

Re:Obligatory SoaP reference (0)

Anonymous Coward | more than 7 years ago | (#16032068)

I think you wanted to post that on Fark. Last month.

Re:Obligatory SoaP reference (1)

Conanymous Award (597667) | more than 7 years ago | (#16032094)

Guess I should have. Burn karma burn...

Then use OSS!! (4, Insightful)

JimBowen (885772) | more than 7 years ago | (#16032056)

If you are worried about the honesty of vendors, this is exactly why you should be using free cryptography software in the first place, because you know that is going to be strong, and trustworthy, because otherwise someone would have changed it by now. :)
It is also much easier to verify strength by reading the source rather than by reading the binary or by cryptanalysis.

or (4, Interesting)

xmodem_and_rommon (884879) | more than 7 years ago | (#16032093)

or you could just take the common sense approach and use products that rely on algorithms that are open, widely tested and reviewed, and known secure. Algorithms like Blowfish, AES, etc. I use Apple's built-in Filevault protection to encrypt my Powerbook's hard disk, in the event that it is ever stolen. It uses AES-128, which means I know that no-one is getting in without my password.

Any vendor that relies on a custom algorithm for their encryption technology shouldn't be trusted.

Re:or (5, Interesting)

TCM (130219) | more than 7 years ago | (#16032112)

Any vendor that relies on a custom algorithm for their encryption technology shouldn't be trusted.
Of course.

But even then there are vendors who claim to be using AES and end up introducing implementational flaws that are not obvious to the user. It's not just algorithms that need to be reviewed but complete implementations.

Nice read: http://www.schneier.com/crypto-gram-9902.html#snakeoil [schneier.com]

Re:or (2, Interesting)

swelke (252267) | more than 7 years ago | (#16032810)

...use products that rely on algorithms that are open, widely tested and reviewed, and known secure.

Just because the algorithm is widely tested and known to be secure doesn't make the software based on it secure. It's very easy to take a secure algorithm like AES and make a totally insecure program by, for example, not encrypting all of the data it should, or by selecting the encryption key poorly so that it's easy to "guess", meaning you might only have to check 2^20 keys to decrypt that email of yours instead of 2^128, like you're supposed to have to. So instead of being secure against years of hard cracking, your data is compromised in seconds. Besides that, there are other ways to build a crappy program that I'm not a good enough cryptographer to know.
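The poor-key-selection failure described above, as an added example that is not from any product in the thread: one program builds its "128-bit" key from a 6-digit PIN, the other draws it from the OS random source, and the first has a search space of roughly 2^20 rather than 2^128. HMAC-SHA256 stands in for the cipher so the block runs with the standard library alone; the PIN length and the 10^9 trials/second rate are assumptions.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Added example, not from any product in the thread. Assumed: a 6-digit PIN
# as the weak key source, HMAC-SHA256 as the stand-in for encryption.

KEY_BYTES = 16
PIN_DIGITS = 6


def weak_key_from_pin(pin: str) -> bytes:
    """Flawed: a 128-bit key that can only take 10**6 distinct values."""
    return hashlib.sha256(pin.encode()).digest()[:KEY_BYTES]


def strong_random_key() -> bytes:
    """Sound: 128 bits straight from the CSPRNG, 2**128 possible values."""
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(distinct_keys: int) -> float:
    """Real security in bits = log2(number of keys the scheme can produce).

    The key length on the wire is 128 bits in both schemes; only this
    number tells them apart.
    """
    return math.log2(distinct_keys)


def encrypt_stand_in(key: bytes, message: bytes) -> bytes:
    """Placeholder for encryption: a keyed MAC over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def audit_pin_scheme(message: bytes, observed: bytes) -> Optional[str]:
    """Reviewer's check on the weak scheme: is the key space exhaustible?

    Enumerates every PIN the scheme could have used (10**6 at most, a few
    seconds in pure Python). The same check against strong_random_key()
    would have 2**128 candidates and never finish.
    """
    for n in range(10 ** PIN_DIGITS):
        pin = f"{n:0{PIN_DIGITS}d}"
        candidate = encrypt_stand_in(weak_key_from_pin(pin), message)
        if hmac.compare_digest(candidate, observed):
            return pin
    return None


def years_to_search(distinct_keys: int, trials_per_second: float = 1e9) -> float:
    """Expected years to try half the key space at an assumed trial rate."""
    return distinct_keys / 2 / trials_per_second / (365 * 24 * 3600)
```

The audit only needs one known message and its output, which is exactly the situation the comment's "known data" remark below makes likely in practice.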

Re:Then use OSS!! (1)

cduffy (652) | more than 7 years ago | (#16032139)

Using OSS is not a guarantee of strong crypto.

See Peter Gutmann's analysis of open source VPNs [auckland.ac.nz] back in 2003. To be sure, the situation was not as dire as he described it to be in all these cases -- in some cases such issues were arguably not readily exploitable or were documented as recognized tradeoffs -- but it nonetheless raises a point that even having a substantial group of folks looking at the source doesn't necessarily help as much as it generally does if recognizing the bugs requires special knowledge which most developers don't have.

Re:Then use OSS!! (2, Funny)

portmapper (991533) | more than 7 years ago | (#16032210)

See Peter Gutmann's analysis of open source VPNs back in 2003.

That has the following great suggestion:

Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment. Replacing the SSL/SSH data channel is marginally justifiable, although usually just running SSL/SSH over UDP would be sufficient. Replacing the SSL/SSH control channel is never justifiable - even the WAP guys, with strong non-SSL/SSH requirements, simply adapted SSL rather than trying to invent their own protocol.

Re:Then use OSS!! (1)

cduffy (652) | more than 7 years ago | (#16032482)

Is there a point you're trying to make via that quote?

Re:Then use OSS!! (1)

portmapper (991533) | more than 7 years ago | (#16032499)

Did you read that article you linked to?

that's when the fun bit comes in (0)

solevita (967690) | more than 7 years ago | (#16032057)

>Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.

Which is why everyone should enjoy themselves trying to break the encryption on any product they buy; be it wifi access point, USB memory stick, or a file encrypted with some PC software; trying to break the encryption is enjoyable and vital to continuing security.

Re:that's when the fun bit comes in (0)

Anonymous Coward | more than 7 years ago | (#16032061)

Today's encryption is so highly mathematical, that the average admin - let alone any user - is hopelessly lost were they to try breaking a blob of random data, even if they know the algorithm.

Hell, even programmers of cryptographic software often enough make mistakes. There really has to be a lot of trust into the word of cryptologists these days.

Re:that's when the fun bit comes in (0)

Anonymous Coward | more than 7 years ago | (#16032124)

Which is why everyone should enjoy themselves trying to break the encryption on any product they buy; be it wifi access point, USB memory stick, or a file encrypted with some PC software; trying to break the encryption is enjoyable and vital to continuing security.

That's just the way to get a false sense of security. Even if you can't break it, doesn't mean that someone else can't.

Re:that's when the fun bit comes in (1)

heinousjay (683506) | more than 7 years ago | (#16033052)

That works for a very limited subset of everyone.

Particularly the enjoyable part.

Crypto is scary stuff (3, Interesting)

smilindog2000 (907665) | more than 7 years ago | (#16032076)

So, for example, with a post like this, will somebody in a dark suit and glasses show up at my door tomorrow?

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I supposed to trust here? The government?

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it? SHA-1 for example... And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data. Also, public key is great, but secret key can be easily shown NP-hard to crack (in terms of secret key length) with semi-reasonable assumptions, while public key has no such simple proof. I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good. However, I do believe it's probably true.

It seems any time you start talking about crypto, you get assailed by experts telling you just how full of it you are. Consider something simple, like generation of random numbers. Just claiming you can do a good job brings nay-sayers out of the woodwork. See:

        http://linux.slashdot.org/comments.pl?sid=193904&cid=15899118 [slashdot.org]
        http://www.billrocks.org/rng [billrocks.org]

for how to do it well. Any child could do it (well at least my geeky 6-year-old).

Everything about crypto is scary... Are we being manipulated into using weak encryption? Is there some invisible line, which if crossed, bad things can happen? The scary part is the unknown.

--

Just because you're paranoid doesn't mean the world isn't out to get you.

Re:Crypto is scary stuff (3, Interesting)

Anonymous Coward | more than 7 years ago | (#16032099)

Is there some invisible line, which if crossed, bad things can happen? The scary part is the unknown.

That's exactly what it is, I think. Crypto is so complex that, unless you are absolutely sure wtf you're doing, you're better off NOT trying to implement your own crypto algorithm, random number generator and whatnot. Without the mathematical knowledge, you can never completely assess side effects, for example.

A nice page about how novice understanding of crypto can turn into horribly insecure software: http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt [auckland.ac.nz]

Re:Crypto is scary stuff (4, Interesting)

Realistic_Dragon (655151) | more than 7 years ago | (#16032123)

sci.crypt is a good read if you are interested in Crypto. However it does tend to get a bit antagonistic towards newbies - and it's not hard to see why.

Approximately every 12.5 minutes someone turns up claiming to have invented a new:

Random number generator
Unbreakable encryption method
Implementation of old methods that makes them unbreakable
Proof that shows that all crypto is worthless

The percentage of loons is *so* high that anyone who does have an interesting idea (and who doesn't publish in reputable journals) is dismissed out of hand.

For example, here is a typical conversation from the one sane new poster (posted somewhere between the 999,999 people trying to sell "200000 bit quantum crypto based on the randomness of STARS!!!!!"):

** Hi, I'd like to find out if there's a RNG sandbox somewhere so I can play about with some ideas.

* ARGH! Don't implement your own RNG! It'll be crap! Here, use product X.

Well, yes, that's true. When it comes to crypto there is a 99% chance that what you implement will not work properly and as a result will be insecure... but stomping on someone who wants to try some ideas out is just plain wrong. All research doesn't have to take place in academic institutions.

Government incompetence is scary stuff (1)

dbIII (701233) | more than 7 years ago | (#16032147)

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive.

Considering that an agency that thinks polygraphs give absolutely perfect proof of lies is enforcing this sort of stuff - yes we are being manipulated into weak encryption by a bunch of incompetent clowns that have already been taken in by snake oil and are seen internationally as bumbling fools. US intelligence doesn't rate as highly as newspaper articles these days. Also due to strange laws the encryption work has to be done offshore to be useful for anything other than purely domestic communication.

Re:Crypto is scary stuff (2, Insightful)

Panaflex (13191) | more than 7 years ago | (#16032155)

Well, I think the facts (haha - ahem - as far as is publicly known) are this:

I've heard from a claimed friend of one of the inventors of RSA that [it was cracked years ago].

1. RSA is not known to be cracked and in general is still considered HARD - though the rapidly increasing amount of free and cheap CPU time will eventually defeat most of today's common length keys in 35-50 years (who knows?). That said, it may be possible that RSA gets cracked next week - I wouldn't be surprised. I too have a few friends that studied with RSA founders and ashamedly, they have not let me in on the secret crack yet, either. (Need more beer)

[Friend who does factoring moves to Numerics]

That could be anything - really - from "professional jealousy", "national secret", or "I didn't get the right vibe."

Quantum computers

Ahh, shake and bake computing at its finest. Unfortunately, qubits are pesky little critters that tend to get bored and entangled in relationships during the course of research. Some qubits have been known to file their own myspace profile and entangle with Japanese qubits! Oh, the little horrors!

Seriously though - you don't have to make wild guesses and claims here. When someone really does crack RSA it will be widely known. The only scary stuff with crypto is wild claims and dishonesty.

Re:Crypto is scary stuff (3, Insightful)

gkhan1 (886823) | more than 7 years ago | (#16032158)

Boy, you don't know that much about cryptography, do you ;)

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked it years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I suppose to trust here? The government?

That's complete BS. It hasn't been cracked, and it won't be for a long time. Just remember to use big keys and your stuff is safe. As for who you are supposed to trust, you're supposed to trust the huge mathematical community that every day is pounding and pounding and pounding on this problem. They are honest academics, and if there is even a hint of progress it will become public.

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

I'm not entirely sure what the hell you are saying. Are you saying that your friend's mother is a genius mathematician who published a few papers about factoring and was somehow forced to leave the field? That's completely ridiculous, lots of people publish papers on factoring every year. Either you are lying or you have completely misunderstood the matter.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

This is a common misconception, that quantum computers will be like a regular computer, "but way faster". This is not so, a quantum computer works in a fundamentally different way, a way that makes it possible to invent algorithms that are way faster than anything on a classical computer. Many of these new algorithms are made for cryptanalysis, namely Shor's algorithm (integer factorization in polynomial time, breaks RSA), the discrete logarithm algorithm (breaks Diffie-Hellman) and Grover's algorithm (would speed up standard brute-force cracking, but only by a quadratic amount, which means that you can just double your key length and it's still as hard).

As for complexity, the decision-problem form of integer factorization ("Is there a factor of M smaller than N?") is indeed in NP, but the specific class is an unresolved problem. Most people doubt that it is in either P or NP-Complete, which would most certainly make it NP-hard (unless P=NP of course, but that's a whole 'nother discussion ;) Maybe you are thinking of primality testing, which has very recently been proven to be in P. The whole village rejoiced.

Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it? SHA-1 for example...

Has been a problem in the past, but we've learned our lesson. 256 bit AES will (very possibly) never be cracked by an ordinary computer. A quantum computer might, but it would have to be one bad-ass quantum computer. 256 bit AES is completely safe.

And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data.

It doesn't matter one iota whether a block has known data or not. You still need the key to have any idea what is in there or not (that is, imagine you suspect a block of data Y has encrypted X; there is no way you can prove that if you don't have the key). There is something called a chosen plaintext attack, with which you can do a similar thing in public key cryptography, but it only works in bad implementations of it.

Also, public key is great, but secret key can be easily shown NP-hard to crack (in terms of secret key length) with semi-reasonable assumptions, while public key has no such simple proof. I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good. However, I do believe it's probably true.

I understand what the individual words are, but put them together and I have no idea what the hell you are saying.

Everything about crypto is scary... Are we being manipulated into using weak encryption? Is there some invisible line, which if crossed, bad things can happen? The scary part is the unknown.

No we're not being manipulated into using weak cryptography! If you want to encrypt data for all time without anyone cracking it, there is TrueCrypt. If you want to email someone an encrypted mail, there is GPG. Both open source, both readily available, and both uncrackable.

Re:Crypto is scary stuff (1)

dhasenan (758719) | more than 7 years ago | (#16032399)

"Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard."

There is no proof that it is and no reason to think that it is. We just have no fast algorithm for it.

"Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it?"

That's largely a matter of key sizes. We choose them according to the hardware we have to brute-force the key; we want our data to be secure for a certain amount of time. And the rest is a matter of the difficulty of finding exploitable weaknesses in the algorithm--that takes time, so the longer the algorithm is used, the more likely it is to be cracked.

"And, why do we encrypt one small block at a time."

If you don't like block ciphers, use a stream cipher. Or create an encryption algorithm that operates on an arbitrary amount of data at once; I just hope you have twice as much RAM as anything you want to encrypt. Simply put, block ciphers are the simplest method we have of scaling an encryption algorithm.

"Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data."

If the block has known data, then you only need to try different keys until you get that data rather than trying keys until you get sensical data and then trying the key in question on multiple other blocks, but it's only going to be a minor decrease in the amount of time required to crack it. And any worthwhile algorithm will be proof against known plaintext attacks.

"I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good."

Take it on a case-by-case basis. Develop exploits for a large number of public key cryptography systems. You might not prove that all public key systems are secure, but you'll definitely destroy confidence in public key cryptography. A pity, though; it's quite useful.

"It seems any time you start talking about crypto, you get assailed by experts telling you just how full of it you are. Consider something simple, like generation of random numbers."

Well, you're not an expert, so you actually are full of it. Hardware RNGs aren't difficult to make; it's just that no computer company has found it worthwhile to market them on a large scale; DPRNGs are difficult to make, but since we don't deploy hardware RNGs on a large scale, they are necessary.

Don't like it? Use Linux, get a hardware RNG, and direct its input to /dev/random. Then modify your software to use that rather than its cryptographically secure DPRNG.

Re:Crypto is scary stuff (2, Informative)

YoungHack (36385) | more than 7 years ago | (#16032508)

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I supposed to trust here? The government?

I'm a professional mathematician and have had the opportunity to work with and become friends with some big names in number theory and factoring. No one can know for certain, but my friends were of the general opinion that RSA was probably okay.

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

The US government was very serious about suppressing the publication of some of the early factoring results, but the mathematicians that I know are still working in that field (for over 10 years) after having published anyway. It seems almost surreal now that they were getting calls from the NSA, because the academic cryptography field has grown so much since then. They're still in the field and still publishing.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

I can't give any response to this. You may be right.

Re:Crypto is scary stuff (2, Insightful)

Tack (4642) | more than 7 years ago | (#16032893)

And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data.

They're only independent if you use ECB, and anyone using ECB deserves what they get. Cipher modes like CBC or CTR solve these problems.

Re:Crypto is scary stuff (1)

Lord Ender (156273) | more than 7 years ago | (#16033042)

You really do sound paranoid. Unless you are totally ignorant, you must know that any math/compsci student who could show a well-established crypto system is easily breakable would have his career set for life.

So you must think it is possible that every time one of these students publishes a paper on a fast way to factor large numbers, he vanishes, never to be seen again. How many people vanished from the math dept. of your school? That just doesn't happen. Unless "they" (meaning all of academia) are also in on it.

Come on, think it through. It's unreasonable.

Re:Crypto is scary stuff (1)

Atrus5 (537814) | more than 7 years ago | (#16033123)

On the topic of complexity classes ... Currently, the decision problem form of factorization is known to be in NP, co-NP, and BQP. Because it's within NP, it can not be NP-hard without being NP-complete. If it were shown to be NP-complete or co-NP-complete, that would imply that NP = co-NP, which is currently believed to be false.

BQP is "bounded-error, quantum, polynomial" and represents what quantum computers are capable of. It is known to contain P and BPP, and to lie within PP and PSPACE.

Your claim that quantum computers should be able to solve NP-hard problems (presumably in polynomial time) doesn't make sense ...

I believe that your formulation of the problem, "any public key cryptosystem", makes it impossible to prove anything. I think you should at least make a list of problems that are currently used as the basis of various public key systems and start hacking at them ...

I'm sorry, but your post borders on incoherent, so it's difficult to comment on more of it.

Snake oil that uses AES (4, Insightful)

Paul Crowley (837) | more than 7 years ago | (#16032077)

Many Slashdot readers are savvy enough to know that when a software product advertises itself as using, say, secret encryption algorithms with 10,000 bit keys, it's probably snake oil. But I'm seeing increasing amounts of snake oil that uses the Advanced Encryption Standard, AES, and it can be just as weak.

AES itself of course is nigh-on as trustworthy a cryptographic primitive of its kind that we have. But just because you've used the right primitive, doesn't mean you've built a secure product. You have to consider what chaining mode to use, how to handle passphrases if they exist, how to keep your secrets secret, defense against side channel attacks, and more.

What I look for is a product that provides enough information that I can actually assess its security - what attacks they've considered and how they've built the product to defend against them. What I see disturbingly often is a bald declaration that the product is secure, because it uses AES.

Check the certification (1)

gr8dude (832945) | more than 7 years ago | (#16032698)

http://cs-www.ncsl.nist.gov/cryptval/aes/aesval.html [nist.gov]
NIST maintains a list of those who passed the tests successfully, and were certified to use AES in their products.
So, besides making sure that all the things mentioned by the parent were done right, check out whether the algorithm itself was properly implemented.

That list doesn't seem to help (1)

Paul Crowley (837) | more than 7 years ago | (#16032818)

From what I can see, this checks only that what the product is using really is AES; it doesn't check that it's being used correctly or that the product is secure as a result.

Did you just mention Skype? (0)

Anonymous Coward | more than 7 years ago | (#16032923)

Skype is the #1 "free" voip application around, both in features and amount of users. They claim to be using "very heavy duty crypto stuff, 256 bits this and that blabhlah". Yet there is no indication of a robust PKI scheme being in place (in fact, it's virtually impossible), which reduces their product's security closer to zero. What they use is some auto-enrolling service that is protected by user account credentials. (Which are often weak.)

It's good enough against amateurs, and even professionals that can't get well enough into your network. However against anyone with proper resources it's simply trash. Furthermore they fail to mention that even if no one can eavesdrop on your connection it is possible to determine other things from your usage - you are not completely safe. They've caught stuff like fugitives that have been stupid enough to use Skype already. Think about that.

It requires expensive... blah blah blah (2, Insightful)

melted (227442) | more than 7 years ago | (#16032078)

>> It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography

No. It requires reading a couple of good, inexpensive books and understanding of what the heck you're doing. The math behind the whole thing can be complicated. But you don't really need to understand the math 100% here. All you need to know is whether an algorithm is considered "strong" by today's standards, understand a few key concepts, guard your keys, and approach security related coding with a healthy amount of paranoia.

In other words, a decent developer can get a pretty good understanding of this all in two weeks or less. And these skills need to become "common" already.

No, it's much harder than you think. (4, Insightful)

Paul Crowley (837) | more than 7 years ago | (#16032086)

If you believe that, no wonder so much insecure stuff is being written. I have been called upon to review code written by developers with your level of knowledge in crypto. They do things like use RSA without proper padding, or use predictable IVs in CBC mode, or fail to properly authenticate the message. They also add totally unnecessary complexity to the system in the mistaken belief that their improvements make it more secure. I shudder when I see a copy of "Applied Cryptography" on the shelves because it is just enough knowledge to be dangerous.

Even the experts make errors in cryptographic protocol design and implementation - I've been doing this for ten years and I've made at least one howler myself. Why do you think, contrary to the advice of pretty much everyone who really knows their stuff, that people with a couple of weeks' worth of knowledge can get this stuff right?

Re:No, it's much harder than you think. (1)

zolaris (963926) | more than 7 years ago | (#16032310)

I agree entirely. I did quite a bit of crypto study (both the math and the protocol) for my masters. A vast majority of crypto protocols are broken in some form or another. Granted this is usually a minor flaw that gets fixed in version 2, 3 etc. (a la SSL) or something that just gets changed in name to add in the guy that figured it out. Which kind of demonstrates your point,

Even the experts make errors in cryptographic protocol design and implementation... .

I think the best part of a presentation was when one of my classmates at the end of his PowerPoint had one slide. That slide said "Crypto is hard.". We all laughed but it's very true. From a conceptual standpoint it's difficult to grasp why something is insecure. However it is very easy for someone to believe something is secure. So the end result of that is someone not finding a flaw and believing that his/her data is protected.

I also heard a story (not sure if it was true or not) about Bruce Schneier saying something at a conference or maybe in a book of "I am writing this book to show all of the people who read Applied Cryptography that if they only read that book they don't know anything about Cryptography." And that statement amuses me because it will probably always be true.

Re:No, it's much harder than you think. (1)

Bishop (4500) | more than 7 years ago | (#16033046)

Schneier wrote that book. It is Secrets & Lies [schneier.com] . This quote from the preface [schneier.com] sums it up:

The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The AnswerTM. I was pretty naïve.

Re:No, it's much harder than you think. (0)

Anonymous Coward | more than 7 years ago | (#16032712)

I am one of those developers using predictable IVs having only read Applied Cryptography. Can you recommend any further reading? Any help would be much appreciated.

Re:No, it's much harder than you think. (2, Informative)

Paul Crowley (837) | more than 7 years ago | (#16032815)

Er. To that specific question, I recommend using EAX or GGM modes, which are much easier to implement and to use correctly; they include authentication as well as encryption. However, to the more general point, the answer is to try to use existing crypto protocols rather than rolling your own wherever you can, and to get expert help if you can't. I haven't read it but I'm told Ferguson and Schneier's "Practical Cryptography" is aimed at people in your situation.

and what if... (1)

YesIAmAScript (886271) | more than 7 years ago | (#16032881)

What happens if I use predictable IVs in CBC mode?

I just finished up a system where I do use (very) predictable IVs in CBC mode (with AES128).

From what I could tell, an IV really only helps with preventing parallel dictionary attacks. That is, like people use against the UNIX crypt function (in passwd files). Since there won't be more than about 30 things ever encrypted with this key, I figured I didn't need the additional security IV gives me.

And besides, the IV has to be in the code or data somewhere, as it is one of the bits of data needed to decrypt. Most people just store it next to the cyphertext.

Re:and what if... (1)

Paul Crowley (837) | more than 7 years ago | (#16033114)

IVs are public after encryption. However, in CBC mode an attacker must not be able to predict the IVs before encryption takes place. This is a pain; you're better off using CTR mode, for which your IVs need only be different from each other, and predictability is not a problem. Or better yet, EAX or GGM mode so you get authentication too. Why are you hand-rolling your crypto? Why did you use CBC rather than CTR mode? What are you using for authentication?

Your guess about what the IV is for is mistaken. For a simple example, think of what happens if you don't use an IV in a Vernam cipher (like RC4): this is trivially weak.
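An added example (not code from any poster in this thread) that makes Tack's ECB point and Paul Crowley's points about fixed CBC IVs, CTR nonces and keystream reuse concrete. It uses a stdlib-only toy Feistel cipher in place of AES, with a constructed key and constructed sample records, so it runs without third-party libraries:

```python
"""Why mode choice matters: ECB repeats, fixed CBC IVs, CTR nonces."""
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks, as in AES

# --- Toy block cipher standing in for AES ---------------------------------
# A 4-round Feistel network whose round function is HMAC-SHA256 under the
# cipher key. It is invertible and key-dependent, which is all the mode
# demonstration needs; it is NOT a secure cipher and only avoids a
# third-party AES dependency.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (padding omitted)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# --- Modes ----------------------------------------------------------------
def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Each block is encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks: the pattern leak Tack describes.
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block (the IV first).
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Keystream block = E(nonce || 64-bit counter); ciphertext = pt XOR keystream.
    out = []
    for n, b in enumerate(_blocks(pt)):
        out.append(_xor(b, encrypt_block(key, nonce + n.to_bytes(8, "big"))))
    return b"".join(out)

# --- What an observer of the ciphertext alone can tell ---------------------
def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block of the same message."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

def first_blocks_equal(ct1: bytes, ct2: bytes) -> bool:
    """Whether two ciphertexts reveal that their first plaintext blocks match."""
    return ct1[:BLOCK] == ct2[:BLOCK]

# Constructed sample records: a fixed-width layout with repeated fields.
KEY = b"constructed-demo-key"
RECORD_A = b"balance=00000000" * 3 + b"role=admin;;;;;;"  # three identical blocks
RECORD_B = b"balance=00000000" + b"role=guest;;;;;;"      # same first block as A
FIXED_IV = bytes(BLOCK)  # the "IV stored next to the code" anti-pattern

def demo() -> dict:
    results = {
        # ECB: the three equal balance blocks show up as two repeats.
        "ecb_repeats": repeated_blocks(ecb_encrypt(KEY, RECORD_A)),
        # CBC with a fresh random IV hides the repeats within a message ...
        "cbc_random_iv_repeats": repeated_blocks(
            cbc_encrypt(KEY, secrets.token_bytes(BLOCK), RECORD_A)),
        # ... but a fixed IV still tells an observer that A and B start alike.
        "cbc_fixed_iv_leaks_equal_prefix": first_blocks_equal(
            cbc_encrypt(KEY, FIXED_IV, RECORD_A), cbc_encrypt(KEY, FIXED_IV, RECORD_B)),
        "cbc_random_iv_leaks_equal_prefix": first_blocks_equal(
            cbc_encrypt(KEY, secrets.token_bytes(BLOCK), RECORD_A),
            cbc_encrypt(KEY, secrets.token_bytes(BLOCK), RECORD_B)),
        # CTR needs only distinct nonces to avoid this leak ...
        "ctr_distinct_nonce_leaks_equal_prefix": first_blocks_equal(
            ctr_encrypt(KEY, b"nonce-01", RECORD_A), ctr_encrypt(KEY, b"nonce-02", RECORD_B)),
    }
    # ... while a reused nonce is the Vernam-cipher-without-an-IV failure:
    # XOR of the two ciphertexts equals XOR of the two plaintexts.
    c1 = ctr_encrypt(KEY, b"nonce-01", RECORD_A[:BLOCK * 2])
    c2 = ctr_encrypt(KEY, b"nonce-01", RECORD_B)
    results["ctr_reused_nonce_exposes_plaintext_xor"] = (
        _xor(c1, c2) == _xor(RECORD_A[:BLOCK * 2], RECORD_B))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```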

Re:It requires expensive... blah blah blah (2, Interesting)

zolaris (963926) | more than 7 years ago | (#16032324)

Yeah sure they can get a great understanding of crypto... with inexpensive books. Just curious, do you know how many crypto courses at top level universities rely on textbooks for teaching crypto? I'd suggest discounting any books where the professor is the author. But even with that, it will probably be very small. There are recommended books but in my crypto classes (granted Johns Hopkins isn't exactly the number one crypto school in the country or world but I'd like to think we are half way decent) we never cracked a textbook. Sure we read a few papers but is average Joe developer really going to read through any crypto papers? I know I wouldn't unless I had to.

[Sarcasm captioning*]On a side note, let me know what project you are working on where developers employ crypto after about two weeks of reading some books.[/sarcasm captioning]

*Sarcasm captioning provided for cya purposes only and not for any public benefit.

Re:It requires expensive... blah blah blah (2, Insightful)

canuck57 (662392) | more than 7 years ago | (#16032970)

No. It requires reading a couple of good, inexpensive books and understanding of what the heck you're doing.

That is an understatement.

Reminds me of the time I watched a finance person use PGP to encrypt a very sensitive file they sent via email. They did everything right except for one critical part.

After the file was encrypted, they deleted the original one as per instructions. Trouble was it was in the "Recycle" bin and readable.

How is this different from any other product? (4, Informative)

njdj (458173) | more than 7 years ago | (#16032088)

Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography.

Can you distinguish, by inspection, between a reliable automobile and a piece of junk that will barely last 2 years? I certainly can't. So I rely on reviews by people I trust when I buy a new car.

In the field of cryptography there are several people who have written peer-reviewed books about cryptography, are trusted in the community, and who occasionally review products. Bruce Schneier [schneier.com] is one (there are others, use Google, this is not meant to be a puff for Schneier or his company).

There are also open-source cryptographic programs [gnupg.org] , which are peer-reviewed and definitely not snake-oil.

Re:How is this different from any other product? (0)

Anonymous Coward | more than 7 years ago | (#16032171)

There is also the obvious: given human fallibility, it's almost impossible to prove any program bug free. Writing good code is HARD - and it ends up with bugs. Understanding the principles behind cryptography is hard: you then have to find someone who can read and understand your code AND find the bugs to prove your code is good, you understand the algorithm and you've implemented it correctly with no obvious bugs.

Don't use weak ROT-13 (4, Funny)

CrazyJim1 (809850) | more than 7 years ago | (#16032108)

Get creative, use Rot-14 or something.

Re:Don't use weak ROT-13 (0)

Anonymous Coward | more than 7 years ago | (#16032125)

"Get creative, use Rot-14 or something."

Rot-14 is weak, but triple-Rot-14 is safe (for now). For maximum security, write in Chinese, and use Rot-2453

Re:Don't use weak ROT-13 (0)

Anonymous Coward | more than 7 years ago | (#16032135)

Please! ROT-14 is almost as bad as ROT-13. I hear there's a machine in the basement of the NSA that can crack any of ROT-13 through ROT-18 in less than two days!

No, use ROT-26, that's like two times as strong as ROT-13 and your secrets should be safe for at least a hundred years.

Re:Don't use weak ROT-13 (1)

cortana (588495) | more than 7 years ago | (#16032180)

We need a feature addition to Slashcode that does that repeated-plunging-of-penis-shaped-sound-wave thing into the head of anyone who rehashes the tired, old ROT-13 joke in one of their posts.

At least '1, 2, ???, profit', 'I, for one...' and 'haha it says nothing to see here OMGWTFBBQAOLCIA' are finally being retired.

Re:Don't use weak ROT-13 (1)

maxwell demon (590494) | more than 7 years ago | (#16032219)

1. I for one welcome our new rot13 joke fighting overlords.
2. ??? (Nothing to see here, please move along)
3. Profit!

SCNR :-)

Re:Don't use weak ROT-13 (1)

cortana (588495) | more than 7 years ago | (#16032228)

I guess I asked for it, didn't I? :)

Re:Don't use weak ROT-13 (1)

kestasjk (933987) | more than 7 years ago | (#16032277)

I know it's a joke, but I thought I'd clear up a common misconception; ROT-13 by definition isn't encryption. Encryption requires a key to decrypt: you can know the encryption algorithm but can't know the data without the key. Encoding only requires an algorithm.
ROT-13 is encoding; ROT by an unknown amount, where the unknown amount is the key, is encryption.

Re:Don't use weak ROT-13 (1)

noamsml (868075) | more than 7 years ago | (#16032342)

Ha! I use ROT-26 to encrypt MY messages!

Use ROT-12 (1)

swelke (252267) | more than 7 years ago | (#16032762)

Use ROT-12 to decrypt. Well, either that, or use ROT-14 twenty-five more times. It depends how much your time is worth to you.

Some insights about the article (4, Interesting)

owlstead (636356) | more than 7 years ago | (#16032109)

It's pretty well known that there are many snake oil products that deploy cryptography. Bruce Schneier frequently displays snake-oil cryptography products in his newsletter, for instance. And these are just the really obvious ones.

Some time ago, I tried to evaluate if an Enterprise Service Bus (intercomponent communication) was fit enough to be put into a production environment. It said that it had AES encryption built in. When I looked at the manual, it displayed a pop up window where you could choose the key size. It listed exactly all key sizes that were *not* possible for AES. This was a very short evaluation, I can tell you. This also shows a very important thing about cryptography: the algorithms used say very little about the security of an application.

Generally, the manual for cryptographic services is easy to find. This is simply because cryptography is added at the end of the development lifecycle. This is logical because cryptography is not part of the main functionality of most applications (e.g. mime encryption in email products). It's something that was added after the product's main functionality was finished. So just look at the last paragraph, or Appendix Z, and you are looking at it.

Sometimes it is easy to see why so many products contain bad cryptography. Take XML signatures for instance. XML signatures themselves contain *references* to the data that is signed and the cryptographic techniques used. If you are to verify an XML digital signature, you *must* check if these are not altered. Furthermore, you must keep the XML schema-definitions on your own disk, and not retrieve them from the internet. Nevertheless, I've not seen any API-documentation even mentioning this rather obvious cryptographic insight. You can rest assured that there will be many implementations that will get this wrong.

Cryptography is hard.

The real insight of this story is the listing of the products into "credence goods". If you can call this new insight. Otherwise, it's just stating the well known/obvious.

Re:Some insights about the article (1)

rbannon (512814) | more than 7 years ago | (#16032224)

You said, "The real insight of this story is the listing of the products into "credence goods". If you can call this new insight. Otherwise, it's just stating the well known/obvious." And I agree, but we also need an infrastructure where encryption is a given and is transparent to all users. For example, I believe https works, but I don't really need to do anything special. This of course largely depends on an infrastructure where certain certificates are trusted. Now for email, s/mime works, but to many it looks scary and requires users to think.

BTW, thawte [thawte.com] offers free s/mime email certificates.

Truecrypt (4, Interesting)

urikkiru (801560) | more than 7 years ago | (#16032130)

This is something I've often considered about commercial encryption software. There's just no way to be sure of their validity, as they are closed source implementations. Open source solutions like Truecrypt (http://truecrypt.sourceforge.net/) [sourceforge.net] are at least somewhat more trustworthy, in that they can be openly reviewed by anyone. Despite the fact that I know jack all about the specific math behind AES and such, at least I can read some simple explanations of the concepts, read the source, and decide if I want to trust my data to it. Honestly, unless we get down to the fraction of the population that actually does understand these bits at a deep level, that's the best any of us can do really.

Sure, large clusters of powerful servers working in tandem (or quantum computing) may render the factoring math behind crypto obsolete. A nice thing though, is that those kind of solutions are limited to those that can afford them. Still, even if it's all true, and I'm wasting my time encrypting things, what better solutions do we have?

Re:Truecrypt (3, Interesting)

kasperd (592156) | more than 7 years ago | (#16032144)

I agree TrueCrypt is well documented, and in addition to that the source is available. I have the necessary knowledge to actually review such a design, and in the case of TrueCrypt I must say it is not the worst I have seen, but it is certainly not perfect either. There are some subtle watermarking attacks if you can get access to different encryptions of the same sector. Still, in spite of that I'd much rather rely on TrueCrypt than some closed source products. So far all storage encryption products I have seen have had some weakness; I'd much rather use one where I know what it is and to what extent it could be a problem to me.

The Safe Option (1)

noamsml (868075) | more than 7 years ago | (#16032168)

In other words, for crypto-dummies of the likes of myself, it's probably better to stick with peer-reviewed, time-tested Open Source programs.

Classic snake oil: Blitzkrieg! (2, Interesting)

WWWWolf (2428) | more than 7 years ago | (#16032185)

Anyone remember the Blitzkrieg server [attrition.org] , which seems like the solution to all of the world's security needs? The expression Bruce Schneier used was "just too bizarre for words". I don't know if this was an elaborate trolling attempt or an actual real honest scam to deceive the terminally dumb, but it's fun to read, still, just for the amazing technobabble and ludicrous claims.

Not snake oil. (0)

Anonymous Coward | more than 7 years ago | (#16033045)

In fact, I am the Blitzkrieg server. Your attack has been logged. Your house will be destroyed in the next few minutes.

You have been warned.

Not in the ciphers stoopid... (1)

Kaptain_Korolev (848551) | more than 7 years ago | (#16032411)

All too often when people talk about their security solution they talk only about the cipher they are using, the length of keys and the time required to crack it.

Nowadays this is moot.

Security is in the protocol, how you exchange keys amongst parties and more importantly how you store the keys locally on the client and server.

I don't give a shit how strong your cipher is if your keys are negotiated in an inappropriate fashion or stored in the clear on your machine. I'll do a dump of your memory and analyse the result for random looking data runs; chances are it's crypto related. Knowing the key and block lengths of your cipher, getting past your security will not present a tremendous difficulty.

Unfortunately with security, you are not making something that will either work or not work, you are adding protection to something that works. Hence it's pretty easy to hack together something that works but fails to stand up to even basic analysis.

Real security lies in trusted platforms ( here we go...! ) and data hiding techniques using obfuscation. Unfortunately this sort of thing, data obfuscation in particular, is difficult to explain to Joe public and can't be used to advertise your product.

Oh well, and Bruce, if you're reading this, how about a 2nd ed. of Practical Cryptography.

honesty in vendors .. (1)

rs232 (849320) | more than 7 years ago | (#16032442)

It isn't a matter of honest vendors. It can generally be assumed that most/all cryptography companies are owned and run by the various security services. For decades a US/Swiss/Israeli firm Crypto AG [aci.net] sold a cryptology machine with a secret built in backdoor [spray.se] . At least until Pres. Reagan announced on television that they were reading [orlingrabbe.com] Gaddafi's coded messages.

There has also been speculation why Windows requires three unique signing keys [cryptome.org] . The disingenuous reason given being that in case the first one got lost in a fire.

5,000 bit unbreakable crypto!!!!! (0)

Anonymous Coward | more than 7 years ago | (#16032543)

While I was searching for a crypto solution for my thumbdrive which would work under Windows and OS X (and source for UNIX'a'likes would be nice), I came across some site that claimed something like "5,000 bit unbreakable encryption!". I chuckled and then moved on without even reading what they had to say for themselves, simply because just making some crypto scheme x,xxx bits is not a magic bullet. In fact, any company which relied on such a silly idea MUST by definition be peddling weak crypto, even if they don't know it.

There are people in the World who think they know crypto. A very small subset of those actually do, and then a very small subset of those can actually implement crypto properly and securely. I would guess that of all the big vendors putting out crypto products, you could probably count on one hand those which are doing a decent job of it. The World over.

How many poor bastards fall for the x,xxx bit crypto bullshit and fork over their money for that dubious security?

The audience (1)

Plutonite (999141) | more than 7 years ago | (#16032553)

To protect yourself truly, you must know the people who theoretically can sniff your sessions and have access to your files: call them the "audience".

Your audience are either script kiddies with tools who want your CC number, or professional mathematicians hired to break access codes to your military research.

For the former audience, use Google to make sure no tools are lying around ready to ruin your shit. Inventing your own scheme is actually a good idea.

For the latter, hire professional assistance, don't use your own coded-over-the-weekend scheme, and don't mess with the Russians.

Try This... (2, Informative)

thebdj (768618) | more than 7 years ago | (#16032684)

If you are truly concerned about the validity of cryptography provided by the vendor, then try to find products that have been certified under the FIPS 140-2 standard [wikipedia.org]. The only problem might be that a lot of those products are usually commercial grade items meant for use by government agencies; however, some of the items that have received approval are reasonably available to consumers. The products are reviewed by independent labs, and then the CMVP [nist.gov] reviews the labs' results. (The site was down earlier this morning.)

These products have been reviewed by independent labs, who review their implementation to verify that cryptographic mechanisms are implemented properly. This includes reviewing source code and/or hardware designs. Just a thought for anyone who is truly concerned that their hardware or software be compliant. (Note: If you want a "secure" operating system, look into CC Evaluation.)

Is Voltage on the NIST list? (0)

Anonymous Coward | more than 7 years ago | (#16032844)

If the author of the article is bringing this up, what does it say about his employer's products? I checked out the product at their on-line service, http://vsn.voltage.com/ [voltage.com], and it looks interesting. They also have a free toolkit at http://developer.voltage.com/ [voltage.com] for integrating their Identity Based Encryption (IBE) into applications.

an old problem (3, Interesting)

v1 (525388) | more than 7 years ago | (#16032767)

I worked for several years on a programming language called REALbasic. In the latter releases that I saw, it featured "encryption". A compiler is basically a tool that takes human readable commands and turns them into a program that a computer can run. This process is not easily reversible, and once compiled, it's difficult at best to make changes to the program.

Encryption was added to RB so that it was possible for you to give away portions of your program's "source code" (the human readable part) without anyone actually being able to READ it. They could incorporate your source into their new project and use it normally; they could just not read it or make changes to it.

This sounds like a nice idea, until you realize that when you get someone's "encrypted" source code and add it to your program, the compiler has to be able to read the source code, because it needs to translate it for your new program. This means one thing: the encryption is not secure because the compiler itself must somehow possess a "master key" of sorts so that it can read the source code to do its thing. So... when you select the module and try to open it to look at it, it's not that it can't read it... it's that it won't read it. A sufficiently skilled programmer could go into the compiler and flip a switch inside it and basically say "ignore that", and you would have unrestricted access to the so-called "encrypted" information.

I assisted with a project where we found out how this information was encrypted. In short, a fixed key was used to encrypt the project data. Then a different fixed key was used to encrypt the passcode you would use to "protect" the project. Thus, the compiler could ask you for the password if you wanted to read your own project, and it could verify you typed in the correct passcode. If you did, it would decrypt the project for you to view. So you see, the compiler does not NEED the passcode, it simply WANTS it.

It took us about a week to write a program that would read in the projects, decrypt them using the fixed key while completely ignoring the passcode thing, and save an unprotected, naked project file that anyone could edit or view.

This is probably not too far from the mark on how a LOT of programs "protect your privacy". In reality they are only protecting you from casual inspection. Anyone that really wants your data can get it, all too easily. Be sure, with any program, that the program NEEDS the passcode to unlock your data. If it only WANTS it (is there a password reset option available?), then you know it's "security through obscurity", and we know how totally worthless that is.

You thought your Windows or OS X keychain was secure? You have auto login turned on? Does the computer need your password? Think about it.
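The NEEDS-versus-WANTS distinction in the post above can be shown side by side. This is an added example, not REALbasic's format or any code from the post: a toy design in which the data is encrypted under a key baked into the tool and the passcode is merely checked (so the data is recoverable with no passcode at all), next to a design in which the only key that unlocks the data is derived from the passcode. The cipher is a SHA-256 counter-mode stand-in, the fixed keys are constructed constants, and the function names are the example's own.

```python
import hashlib
import hmac
import os

ROUNDS = 200_000
NONCE = b"\x00" * 8  # fixed for this toy; a real design uses a fresh nonce per message

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for a real cipher; the
    flaw demonstrated below is in key handling, not in this function."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# --- "WANTS the passcode": the design the post describes. Both keys are baked into
# the tool (constructed constants); the passcode is only checked, never used as a key.
FIXED_DATA_KEY = hashlib.sha256(b"constructed: key baked into the compiler").digest()
FIXED_PASS_KEY = hashlib.sha256(b"constructed: second baked-in key").digest()

def protect_wants(source: bytes, passcode: str) -> dict:
    return {"blob": keystream_xor(FIXED_DATA_KEY, NONCE, source),
            "check": keystream_xor(FIXED_PASS_KEY, NONCE, passcode.encode())}

def open_wants(proj: dict, passcode: str) -> bytes:
    stored = keystream_xor(FIXED_PASS_KEY, NONCE, proj["check"])
    if not hmac.compare_digest(stored, passcode.encode()):
        raise PermissionError("wrong passcode")  # a policy check, not a cryptographic one
    return keystream_xor(FIXED_DATA_KEY, NONCE, proj["blob"])

def recover_without_passcode(proj: dict) -> bytes:
    """The post's audit question: can the data be read with no passcode at all?"""
    return keystream_xor(FIXED_DATA_KEY, NONCE, proj["blob"])

# --- "NEEDS the passcode": the data key exists only while the passcode is known.
def derive_keys(passcode: str, salt: bytes) -> tuple:
    k = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ROUNDS, dklen=64)
    return k[:32], k[32:]  # separate encryption and MAC keys

def protect_needs(source: bytes, passcode: str) -> dict:
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(passcode, salt)
    blob = keystream_xor(enc_key, NONCE, source)
    tag = hmac.new(mac_key, blob, "sha256").digest()  # wrong passcode is detected, not garbage
    return {"salt": salt, "blob": blob, "tag": tag}

def open_needs(proj: dict, passcode: str) -> bytes:
    enc_key, mac_key = derive_keys(passcode, proj["salt"])
    if not hmac.compare_digest(hmac.new(mac_key, proj["blob"], "sha256").digest(), proj["tag"]):
        raise PermissionError("wrong passcode or tampered project")
    return keystream_xor(enc_key, NONCE, proj["blob"])
```

Nothing in `protect_needs` can be opened by patching out a check, because without the passcode there is no key to decrypt with; that is the property to demand of any product that claims a password protects your data.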

Try Voltage Security Network (0)

Anonymous Coward | more than 7 years ago | (#16033007)

Check out the author's company's product at the Voltage Security Network [voltage.com].
