A great article by the undisputed information security authority Bruce Schneier on questionable cryptographic products, and a good way to sharpen your snake-oil detector.

Snake Oil

“Encryptor 4.0 uses a unique incremental base shift algorithm of its own design. Decryption is almost impossible; even if someone decompiles our program and finds out the algorithm, decryption of the file depends on precise knowledge of the password (encryption key). Even if someone picks up the encryption key, the file will be decrypted correctly only if the encryption key is 100% the same as the original one. Read the IMPORTANT WARNING on our website.”

I looked at their website; the chance that this product has even minimal value is zero. Earlier I talked about building robust defenses, using proven mathematical methods, and thinking conservatively. Here I want to talk about some common symptoms that characterize snake oil, and how you can form an opinion of a product from its advertising. These symptoms are not absolute truths, but they let you form a fairly accurate judgement.

Symptom #1: Pseudo-mathematical gibberish

In the quote above, note the “unique incremental base shift algorithm of its own design”. Does anyone understand what this means? Are there any scientific papers discussing this algorithm? A string of clever-sounding words does not mean reliable protection at all. Meganet has the following pearl on its website:

“The VME is based on a virtual matrix, a binary matrix whose size is theoretically infinite and thus has no redundancy. The encrypted data is compared with the data in the virtual matrix. Once a match is found, a set of pointers is created to show how to find that location in the virtual matrix. This set of pointers (which carries no information if the corresponding virtual matrix is unknown) is then encrypted by many different algorithms at different stages to achieve an avalanche effect. The result is an encrypted file that, even if decrypted, would not contain real information but only a set of pointers. Given that each VME session has a unique, different virtual matrix from the previous ones, and that the arrangement of data within the virtual matrix is completely random and non-redundant, there is no way to determine the original information from the pointer set.”

It doesn’t make sense even to an expert. US Data Security has another pearl: “Mathematically, the TTM algorithm is intuitive and less burdensome to use than methods based on number theory.” SuperKrypt tries to impress with an acronym: “SuperKrypt products use the DNGT bulk encryption method,” whatever that means. And Cennoid simply doesn’t understand what it is talking about: “Since the key length and key structure change, and since the encryption mechanism doesn’t use any mathematical algorithms, recovery of the original data is impossible, and so is breaking it.” The point is that, like medicine, cryptography is a science. Cryptography has a body of knowledge, and scientists are constantly adding to it: developing new cryptographic methods and breaking existing ones, creating theoretical foundations, and so on. Anyone who is clearly not fluent in the language of cryptography will not be able to make sense of the existing cryptographic literature, and is very unlikely to invent anything worthwhile. It is much the same as if your doctor suddenly started talking about “energy waves and healing vibrations”. You should be worried.

Symptom #2: New mathematical methods

Every couple of years, some mathematician looks at cryptography, says something like, “Oh, that’s very simple,” and creates an encryption algorithm straight out of whatever he is currently working on. Such algorithms invariably turn out to have holes. Beware of cryptographic methods based on new areas of mathematics: chaos theory, neural networks, coding theory, zeta functions. Cryptography is complex, and the chance that someone without any experience in the field can revolutionize it is very small. Even if someone succeeds, give the academic community a few years to understand and evaluate the method before buying products based on it.

Symptom #3: Closed cryptography

I promise not to give another speech about the problems with cryptographic methods that their developers keep secret. I simply consider it one of the warning signs. So when a company like GenioUSA refuses to tell you what algorithm it uses (it claims a “world class symmetric encryption algorithm”, whatever that is), you should think twice before using its product (by the way, it has since been completely broken). Another company, Crypt-o-Text, promises “a sophisticated encryption algorithm of its own design”, and claims that “there is absolutely no way to know which password was used by examining the ciphertext”. It was completely broken in a review by InfoWorld. Small companies are not the only offenders. Axent once tried slipping in XOR as an encryption algorithm. The trick worked until someone analyzed the compiled code, and that’s when it was discovered. Any company that doesn’t want to openly discuss its algorithms and protocols has something to hide. There can be no other reason. (And don’t take claims that the technology is patented seriously: from the moment they apply for a patent, they can disclose the technology. And if they aren’t ready to apply for a patent yet, send them away until they can publish it.)

Symptom #4: Extreme ignorance

Some companies make such absurd claims that it becomes obvious they simply don’t understand anything about the field. TriStrata says of its encryption algorithm, “Because TriStrata’s cryptographic scheme is very simple and has very low computational complexity, the client side can be hosted on a wide variety of systems, from servers to laptops.” Do they realize that almost any encryption algorithm requires very few resources and fits on a laptop, that DES, RSA and SHA can be implemented in 8-bit smart cards, that some AES candidates need only 17 CPU cycles per byte and can be implemented in hardware with a few thousand gates? GenioUSA explains why it doesn’t use public-key cryptography in its product:

“Public key encryption means that you are not alone in generating, enforcing the integrity of, and protecting all keys and passwords used to encrypt your emails, documents, and files. Public key encryption is a great technology to share information with those who you can’t trust your secret keys to and/or can’t exchange secret keys with. We will quote one sentence from a well-known web page: “All known public key cryptosystems, however, are vulnerable to certain types of attacks and thus must use keys dozens of times longer than those previously discussed in order to achieve the same level of security.”

What are we to conclude? This company simply missed the point.

Symptom #5: Ridiculous key lengths

Jaws Technology boasts: “Thanks to the statistically unbreakable 4096-bit key of the JAWS L5 algorithm, you can be sure that your most valuable files are secure.” Meganet goes even further: “Symmetric keys are 1 million bits long – competitors only offer 40-160 bits!!!” The longer the key the better, but only up to a certain limit. AES will support keys of 128, 192 and 256 bits. That is far more than we will need for the foreseeable future. In fact, we cannot even imagine a world in which it is possible to brute-force the full space of 256-bit keys. That would require fundamental discoveries in physics and in our understanding of the universe. Public-key cryptosystems have an analogous limit at around 2048-bit keys: longer keys make no sense. This should be seen as a special case of Symptom #4: do you want to entrust the development of a cryptographic tool to a company that does not understand what key length means?

Symptom #6: One-time pads

One-time pads are completely useless for commercial cryptography. They’re good for spies armed only with pencil and paper, they’re good for the hotline between the US and Russia, but they’re completely useless for you. The vast majority of companies claiming to implement a one-time pad are wrong. What they actually implement is something they believe is a one-time pad. A true one-time pad can be proven absolutely secure (against certain types of attack), but it is also completely impractical. Elementrix, now defunct, announced a product implementing a one-time pad several years ago, and refused to comment when it was shown that there was no one-time pad in its product. Ciphile Software is simply trying to mislead: “Original Absolute Privacy – Level3 is an automated pseudo one-time pad generator with very advanced and powerful additional features.” What would that even mean? TriStrata later jumped on the bandwagon by announcing that it had implemented a one-time pad. After that it was kicked around by anyone with a modicum of cryptographic common sense, and it eventually removed the phrase from its website. That is a good thing: at the very least, the company demonstrated the ability to learn. Ultimate Privacy may indeed be using a one-time pad (although it claims to use Blowfish as well, which makes me wary):

“The one-time pad is a symmetric key encryption method, and it requires secure and reliable transmission of the pad itself, which in our solution plays the role of the key. The degree of protection of the key must be at least as high as the degree of protection you want to achieve – for exchanging information with only one correspondent, we recommend a personal hand-to-hand transfer of the pad.”

Remember that the pad you hand over must be as large as all the messages you intend to send with it; otherwise it is no longer a one-time pad.
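To make the distinction concrete, here is an added example (not code from the article or from any of the vendors it names) showing what a true one-time pad requires: pad material at least as long as the traffic, used once. It also shows why the "pseudo one-time pad" variants, where a short key is repeated or a pad is reused, lose the guarantee: reuse leaks the XOR of the two plaintexts, and a repeated key leaks the plaintext's structure. Sample messages and the fixed pad used for the reuse demonstration are constructed for illustration.

```python
import os


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the matching pad byte.

    A true one-time pad needs a pad at least as long as the message, so a
    shorter pad is rejected rather than silently wrapped around.
    """
    if not pad_is_sufficient(plaintext, pad):
        raise ValueError("pad shorter than message: this is not a one-time pad")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_is_sufficient(plaintext: bytes, pad: bytes) -> bool:
    """The first thing a vendor's 'one-time pad' claim has to satisfy."""
    return len(pad) >= len(plaintext)


def pseudo_pad_encrypt(plaintext: bytes, short_key: bytes) -> bytes:
    """What a 'pseudo one-time pad generator' usually really is: a short key
    repeated across the message. This is repeating-key XOR, not a one-time pad;
    bytes that are a key-length apart are masked by the same key byte."""
    return bytes(p ^ short_key[i % len(short_key)] for i, p in enumerate(plaintext))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If the same pad protected two messages, XORing the ciphertexts cancels
    the pad and yields plaintext1 XOR plaintext2. The pad may be used once."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def pad_budget(message_sizes) -> int:
    """Bytes of pad that must be delivered out of band (hand to hand, as
    Ultimate Privacy recommends) before these messages can be sent."""
    return sum(message_sizes)


def fresh_pad(length: int) -> bytes:
    """Pad material must be unpredictable; a PRNG seeded from a password would
    make this a stream cipher, not a one-time pad."""
    return os.urandom(length)


if __name__ == "__main__":
    msg = b"meet at the old bridge at noon"  # constructed sample
    pad = fresh_pad(len(msg))
    assert otp_decrypt(otp_encrypt(msg, pad), pad) == msg
    print("pad bytes needed for one 30-byte message:", pad_budget([len(msg)]))
```

The `pad_reuse_leak` and `pseudo_pad_encrypt` functions exist only to show why the shortcuts fail the definition; neither is a cipher anyone should ship.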

Symptom #8: Security proofs

There are two varieties of quack proof. The first are real mathematical proofs that nevertheless have nothing to do with the actual level of security. The second are fake proofs. Meganet claims to have proof that its VME algorithm is as strong as a one-time pad. Its “proof” is an explanation of how the one-time pad works, the magic spell “VME has similar empirical patterns of behavior that prove it is just as strong and unbreakable as the one-time pad”, and some statistical test results. That doesn’t even remotely resemble a proof. A more subtle issue is systems whose security really can be proven. Such systems exist. In the summer of 1998, IBM made a big fuss in the press about its provably secure system, which it claimed could revolutionize the world of cryptography. (You can find the discussion here.) You haven’t heard anything about that system since. It was genuinely good scientific work, but unfortunately the mathematical proof has little to do with the security of specific products.

Symptom #9: The cracking prize

I wrote on this topic in December 1998. Suffice it to say here that announcing a prize for breaking a security system in no way guarantees that it is unbreakable, and usually means the developers do not understand what it takes to show that a system is well protected.

Conclusion: what is ‘good’ and what is ‘bad’

These symptoms, which warn of quack tools, cannot be used as criteria to distinguish a good cryptographic tool from snake oil. A highly vulnerable product can avoid all of these warning signs, and a perfectly good product can look very much like snake oil. But most people don’t have the time, patience and knowledge to do the analysis required to make an informed choice on their own. In the absence of a body that regulates cryptographic products (as there is for food and medicines), the only thing a sensible user can do is pay attention to these or similar warning signs.

Bruce Schneier
