
Snake Oil (from the Feb 99 Crypto-Gram)



                Snake Oil



The problem with bad security is that it looks just like good security.
You can't tell the difference by looking at the finished product.  Both
make the same security claims; both have the same functionality.  Both
might even use the same algorithms: triple-DES, 1024-bit RSA, etc.  Both
might use the same protocols, implement the same standards, and have been
endorsed by the same industry groups.  Yet one is secure and the other is
insecure.

Many cryptographers have likened this situation to the pharmaceutical
industry before regulation.  The parallels are many: vendors can make any
claims they want, consumers don't have the expertise to judge the accuracy
of those claims, and there's no real liability on the part of the vendors
(read the license you agree to when you buy a software security product).

This is not to say that there are no good cryptography products on the
market. There are.  There are vendors that try to create good products and
to be honest in their advertising.  And there are vendors that believe they
have good products when they don't, but they're just not skilled enough to
tell the difference.  And there are vendors that are just out to make a
quick buck, and honestly don't care if their product is good or not.

Most products seem to fall into the middle category: well-meaning but
insecure.  I've talked about the reason in previous CRYPTO-GRAM essays, but
I'll summarize: anyone can create a cryptography product that he himself
cannot break.  This means that a well-meaning person comes up with a new
idea, or at least an idea that he has never heard of, cannot break it, and
believes that he just discovered the magic elixir to cure all security
problems.  And even if there's no magic elixir, the difficulty of creating
secure products combined with the ease of making mistakes makes bad
cryptography the rule.

The term we use for bad cryptography products is "snake oil," which was the
turn-of-the-century American term for quack medicine.  It brings to mind
traveling medicine shows, and hawkers selling their special magic elixir
that would cure any ailment you could imagine.

For example, here is a paragraph from the most recent snake-oil
advertisement I received in e-mail: "Encryptor 4.0 uses a unique in-house
developed incremental base shift algorithm.  Decryption is practically
impossible, even if someone manages to reverse engineer our program to
obtain the algorithm, the decryption of a file depends on the exact
password (encryption key).  Even if someone is guessing the encryption key
the file will only be decrypted correctly if the encryption key is 100
percent correct.  See the IMPORTANT WARNING on our web site
http://ten4.com/encryptor."  I checked the website; the odds that this
product is any good are negligible.

Elsewhere I've talked about building strong security products, using
tried-and-true mathematics, and generally being conservative.  Here I want
to talk about some of the common snake-oil warning signs, and how you can
pre-judge products from their advertising claims.  These warning signs are
not foolproof, but they're pretty good.

Warning Sign #1: Pseudo-mathematical gobbledygook.

In the quote above, notice the "unique in-house developed incremental base
shift algorithm."  Does anyone have any idea what that means?  Are there
any academic papers that discuss this concept?  Long noun chains don't
automatically imply security.

Meganet <http://www.meganet.com> has a beauty on their web site: "The base
of VME is a Virtual Matrix, a matrix of binary values which is infinity in
size in theory and therefore have no redundant value.  The data to be
encrypted is compared to the data in the Virtual Matrix.  Once a match is
found, a set of pointers that indicate how to navigate inside the Virtual
Matrix is created.  That set of pointers (which is worthless unless
pointing to the right Virtual Matrix) is then further encrypted in dozens
other algorithms in different stages to create an avalanche effect. The
result is an encrypted file that even if decrypted is completely
meaningless since the decrypted data is not the actual data but rather a
set of pointers.  Considering that each session of VME has a unique
different Virtual Matrix and that the data pattern within the Virtual
Matrix is completely random and non-redundant, there is no way to derive
the data out of the pointer set."  This makes no sense to even an expert.

US Data Security <http://www.usdsi.com> has another beauty: "From a
mathematical point of view, the TTM algorithm is intuitively natural and
less cumbersome to use than methods that are number-theory based."
SuperKrypt <http://www.superkrypt.com/> tries to impress with an acronym:
"SuperKrypt products utilize the DNGT bulk encryption method," whatever
that is.  And Cennoid <http://www.cennoid.com> just doesn't understand what
it's talking about: "Since key length and key structure vary and since the
encryption engine does not use any mathematical algorithms, reverse
engineering is impossible and guessing is not an option."

The point here is that, like medicine, cryptography is a science.  It has a
body of knowledge, and researchers are constantly improving that body of
knowledge: designing new security methods, breaking existing security
methods, building theoretical foundations, etc.  Someone who obviously does
not speak the language of cryptography is not conversant with the
literature, and is much less likely to have invented something good.  It's
as if your doctor started talking about "energy waves and healing
vibrations."  You'd worry.

Warning Sign #2: New mathematics.

Every couple of years, some mathematician looks over at cryptography, says
something like, "oh, that's easy," and proceeds to create an encryption
algorithm out of whatever he has been working on.  Invariably it is lousy.

Beware cryptography based on new paradigms or new areas of mathematics:
chaos theory, neural networks, coding theory, zeta functions.  Cryptography
is hard; the odds that someone without any experience in the field can
revolutionize it are small.  And if someone does, let the academic
community have a few years to understand it before buying products based on
it.

Warning Sign #3: Proprietary cryptography.

I promise not to start another tirade about the problems of proprietary
cryptography.  I just include it here as a warning sign.  So when a company
like GenioUSA <http://www.geniousa.com/genio/> refuses to divulge what
algorithm they're using (they claim it's "world class secret key
encryption," whatever that means), you should think twice before using
their product (it's completely broken, by the way).

Another company, Crypt-o-Text <http://www.savard.com/crypt-o-text/>,
promises a "complex proprietary encryption algorithm" and that "there is
absolutely no way to determine what password was used by examining the
encrypted text."  It was completely broken in an InfoWorld review.

This kind of thing isn't exclusive to small companies.  Axent once tried to
pass XOR off as a real encryption algorithm.  It wasn't until someone peeked
inside the compiled code that we discovered it.

Any company that won't discuss its algorithms or protocols has something to
hide.  There's no other possible reason.  (And don't let them tell you that
it is patent-pending; as soon as they file the patent, they can discuss the
technology.  If they're still working on the patent, tell them to come back
after they can make their technology public.)

Warning Sign #4: Extreme cluelessness.

Some companies make such weird claims that it's obvious that they don't
understand the field.  TriStrata says this about their encryption
algorithm:  "Since TriStrata's encryption scheme is so simple and of such
low computational complexity, the client portion can reside on a wide range
of systems -- from a server to a portable PC."  Don't they realize that
every encryption algorithm is small enough to fit on a portable PC, that
DES and RSA and SHA can fit on an 8-bit smart card, and that you can
implement some of the AES candidates in 17 clock cycles per byte or a few
thousand gates?

GenioUSA talks about why they don't use public-key cryptography in their
product: "Public Key encryption is exactly that, you are not the only
party involved in the generation, integrity, and security of all the
keys/passwords used to encrypt your e-mail, documents, and files.  Public
key encryption is great technology to use to exchange things with anyone
you won't trust with your secret key(s) and/or can't exchange secret key(s)
with.  We quote one sentence from a well known Web page, 'All known public
key cryptosystems, however, are subject to shortcut attacks and must
therefore use keys ten or more times the lengths of those discussed here to
achieve the an [sic] equivalent level of security.'"  So what?  This
company just doesn't get it.

Warning Sign #5: Ridiculous key lengths.

Jaws Technology <http://www.jawstech.com> boasts: "Thanks to the JAWS L5
algorithm's statistically unbreakable 4096 bit key, the safety of your most
valued data files is ensured."  Meganet takes the ridiculous a step further
<http://www.meganet.com>: "1 million bit symmetric keys -- The market
offer's [sic] 40-160 bit only!!"

Longer key lengths are better, but only up to a point.  AES will have
128-bit, 192-bit, and 256-bit key lengths.  This is far longer than needed
for the foreseeable future.  In fact, we cannot even imagine a world where
256-bit brute force searches are possible.  It requires some fundamental
breakthroughs in physics and our understanding of the universe.  For
public-key cryptography, 2048-bit keys have the same sort of property;
longer is meaningless.

Think of this as a sub-example of Warning Sign #4: if the company doesn't
understand keys, do you really want them to design your security product?

Warning Sign #6: One-time pads.

One-time pads don't make sense for mass-market encryption products.  They
may work in pencil-and-paper spy scenarios, they may work on the
U.S.-Russia teletype hotline, but they don't work for you.  Most companies
that claim they have a one-time pad actually do not.  They have something
they think is a one-time pad.  A true one-time pad is provably secure
(against certain attacks), but is also unusable.

Elementrix, now defunct, announced a one-time pad product a few years ago,
and refused to recant when it was shown that it was no such thing.  Ciphile
Software <http://www.ciphile.com> just tries to pretend: "Original Absolute
Privacy - Level3 is an automated pseudo one-time pad generator with very
sophisticated and powerful augmenting features."  Whatever that means.

More recently, TriStrata <http://www.tristrata.com> jumped on the world's
cryptography stage by announcing that they had a one-time pad.  Since then,
they've been thoroughly trounced by anyone with a grain of cryptographic
sense and have deleted the phrase from their web site.  At least they've
exhibited learning behavior.

Ultimate Privacy <http://www.ultimateprivacy.com> might actually use a
one-time pad (although they claim to use Blowfish, too, which worries me):
"The one time pad is a private key method of encryption, and requires the
safe and secure distribution of the pad material, which serves as the key
in our solution.  The security of the key distribution comes down to how
secure you want to be -- for communicating point-to-point with one other
person, we suggest a face-to-face hand-off of the pad material."  Remember
that you need to hand off the same volume of bits as the message you want
to send, otherwise you don't have a one-time pad anymore.
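To make the last point concrete, here is a small added example (written for this edit, not code from the Crypto-Gram essay or from any of the vendors it names).  It models a one-time pad as a buffer of key material that can be consumed exactly once: the sender and receiver each hold a copy, every byte of message uses up a byte of pad, and the object refuses to encrypt once the pad is exhausted.  It also shows what goes wrong in the "pseudo one-time pad" case, where the same pad bytes are used twice: XORing the two ciphertexts together cancels the key and leaves the XOR of the two plaintexts, which is why a reused pad is no longer a one-time pad.  The pad material and messages are constructed sample values.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material that is consumed sequentially and never reused.

    Both parties must hold identical material; each byte of message burns
    one byte of pad on each side, so the pad must be at least as long as
    the total traffic it will ever protect.
    """

    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> bytes:
        """Hand out the next n pad bytes, or refuse if too few are left."""
        if n > self.remaining:
            raise ValueError(
                "pad exhausted: need %d bytes, only %d left" % (n, self.remaining)
            )
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def otp_encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, pad.take(len(plaintext)))


def otp_decrypt(pad: OneTimePad, ciphertext: bytes) -> bytes:
    # Decryption is the same operation with the receiver's copy of the pad.
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were made with the SAME pad bytes, this is p1 XOR p2.

    The key cancels out, so the result depends only on the two messages;
    that is the failure mode of any "pad" that is not truly used once.
    """
    return xor_bytes(c1, c2)


def pad_refuses_overuse(material: bytes, message: bytes) -> bool:
    """True if encrypting a message longer than the pad is rejected."""
    try:
        otp_encrypt(OneTimePad(material), message)
    except ValueError:
        return True
    return False


# Constructed sample values.  A real pad would come from a hardware
# random source and be delivered out of band, as the vendor quote says.
PAD_MATERIAL = bytes((i * 73 + 41) % 256 for i in range(64))
MSG_1 = b"meet at noon"
MSG_2 = b"send the pad"

if __name__ == "__main__":
    sender = OneTimePad(os.urandom(64))
    print("sender pad bytes remaining:", sender.remaining)
    print("overlong message rejected:", pad_refuses_overuse(PAD_MATERIAL, b"x" * 100))
    # Reusing pad bytes: the XOR of the ciphertexts equals the XOR of the plaintexts.
    k = PAD_MATERIAL[:12]
    print(two_time_pad_leak(xor_bytes(MSG_1, k), xor_bytes(MSG_2, k)) == xor_bytes(MSG_1, MSG_2))
```

Two copies of the pad, one per party, are consumed in lock-step: if the sender has sent 12 bytes, the receiver's copy must also advance by 12, and neither side can ever rewind.  Any product that generates "pad" material from a short password on both ends is really a stream cipher keyed by that password, with none of the one-time pad's guarantees.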

Warning Sign #7: Unsubstantiated claims.

Jaws Technologies says this about its new encryption technology: "This
scientifically acclaimed encryption product is the world's strongest
commercially available software of its kind."  Acclaimed by who?  The web
site doesn't say.  World's strongest by what comparison?  Nothing.

UBE98, at <http://www.parkie.ndirect.co.uk/>, stands for "unbreakable
encryption," or at least it did before someone took a day to break it.
Its website makes the same sort of ridiculous claims:  "One of the
Strongest Encryptions available in the UK in a program that everyone will
understand how to use!"  Wow.  SenCrypt <http://www.ionmarketing.com/> is
advertised to be "the most secure cryptographic algorithm known to
mankind."  Double wow.

Some companies claim "military-grade" security.  This is a meaningless
term.  There's no such standard.  And at least in the U.S., military
cryptography is not available for non-government purposes (although
government contractors can get it for classified contracts).

Other companies make claims about other algorithms that are "broken,"
without giving details.  Or that public-key cryptography is useless.  Don't
believe any of this stuff.  If the claim seems far-fetched, it probably is.
If a company claims that their products have been reviewed by
cryptographers, ask for names.  Ask for a copy of the review.  Counterpane
Systems reviews many products, and our clients can give out the reviews if
they choose.

Warning Sign #8: Security proofs.

There are two kinds of snake-oil proofs.  The first are real mathematical
proofs that don't say anything about real security.  The second are fake
proofs.  Meganet claims to have a proof that their VME algorithm is as
secure as a one-time pad.  Their "proof" is to explain how a one-time pad
works, add the magic spell "VME has the same phenomenon behavior patterns,
hence proves to be equally strong and unbreakable as OTP," and then give
the results of some statistical tests.  This is not a proof.  It isn't even
close.
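Here is an added example (constructed for this edit; it is not Meganet's VME nor anything from the essay) of why passing statistical tests is not a proof of strength.  A toy cipher XORs the message with the output of Python's Mersenne Twister, a non-cryptographic generator, seeded with a 16-bit key.  The ciphertext sails through a chi-square byte-frequency test, the kind of "randomness" result a vendor might publish, yet the whole key space is 65,536 seeds and a known plaintext prefix pins down the key by simple enumeration.  The plaintext, key and test threshold are constructed sample values.

```python
import random
from typing import Optional

# Toy cipher: XOR with Mersenne-Twister output seeded by a 16-bit key.
# random.Random is NOT a cryptographic generator; that is the point here.
KEY_BITS = 16
KEY_SPACE = 2 ** KEY_BITS


def keystream(key: int, n: int) -> bytes:
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(n))


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    # XOR is its own inverse, so this also decrypts.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def passes_frequency_test(data: bytes, threshold: float = 340.0) -> bool:
    """Crude randomness check: 255 degrees of freedom, so a uniform source
    scores about 255; 340 is above the 99.9% critical value.  Passing this
    says nothing about how many keys an attacker has to try."""
    return chi_square_bytes(data) < threshold


def recover_key_by_search(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Enumerate all 2**16 keys against a known plaintext prefix.

    This is the check a reviewer runs to show that a 'statistically random'
    output can still be backed by a key space small enough to list.
    """
    n = len(known_prefix)
    for candidate in range(KEY_SPACE):
        if toy_encrypt(candidate, known_prefix) == ciphertext[:n]:
            return candidate
    return None


# Constructed sample input: highly non-uniform text, 4096 bytes.
SAMPLE_KEY = 0xBEEF
SAMPLE_PLAINTEXT = b"Attack at dawn. " * 256


def demo() -> dict:
    ciphertext = toy_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    return {
        "plaintext_passes": passes_frequency_test(SAMPLE_PLAINTEXT),
        "ciphertext_passes": passes_frequency_test(ciphertext),
        "key_space": KEY_SPACE,
        "recovered_key": recover_key_by_search(ciphertext, SAMPLE_PLAINTEXT[:8]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %r" % (name, value))
```

The frequency test correctly rejects the plaintext and accepts the ciphertext, which is exactly what a "statistical proof" in an advertisement would show.  Security, though, is about the work needed to find the key, and here that work is a loop over 65,536 candidates.  A real proof bounds an adversary's advantage in terms of the key size and a well-studied hardness assumption; a histogram of output bytes does neither.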

More subtle are actual provably secure systems.  They do exist.  Last
summer, IBM made a big press splash about their provably secure system,
which they claimed would revolutionize the cryptography landscape.  (See
<http://www.counterpane.com/crypto-gram-9809.html#cramer-shoup> for a
discussion.)  Since then, the system has disappeared.  It's great research,
but mathematical proofs have little to do with actual product security.

Warning Sign #9: Cracking contests.

I wrote about this at length last month:
<http://www.counterpane.com/crypto-gram-9812.html#contests>.  For now,
suffice it to say that cracking contests are no guarantee of security, and
often mean that the designers don't understand what it means to show that a
product is secure.

Conclusion: Separating the Good from the Bad

These snake-oil warning signs are neither necessary nor sufficient criteria
for separating the good cryptography from the snake oil.  Just as there
could be insecure products that don't trigger any of these nine warning
signs, there could be secure products that look very much like snake oil.
But most people don't have the time, patience, or expertise to perform the
kind of analysis necessary to make an educated determination.  In the
absence of a Food-and-Drug-Administration-like body to regulate
cryptography, the only thing a reasonable person can do is to use warning
signs like these as guides.


Further reading: The "Snake Oil" FAQ is an excellent source of information
on questionable cryptographic products, and a good way to increase the
sensitivity of your bullshit detector.  Get your copy at:
<http://www.interhack.net/people/cmcurtin/snake-oil-faq.html>.


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.

Counterpane Systems is a six-person consulting firm specializing in
cryptography and computer security.  Counterpane provides expert consulting
in: design and analysis, implementation and testing, threat modeling,
product research and forecasting, classes and training, intellectual
property, and export consulting.  Contracts range from short-term design
evaluations and expert opinions to multi-year development efforts.
 
http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com