Beware of Bad Crypto!

August 07, 2006

Beware of Bad Crypto - A Rant About Data Security
By: Gary Hammock

In today's financially gluttonous society, many people make promises they can't deliver. In industry, a key component of success is cryptology/encryption. Securing proprietary data, customer records, bank logs, etc. with a weak crypto system is generally a very bad idea. With the recent rash of data security breaches due to negligence, theft, etc., it seems pertinent to reinforce the importance of data security by encryption.

Be wary of the encryption methods you use. If you purchase software from a vendor/reseller, here are some warning signs that your investment may be for naught.

1.) Beware of "New" or "Revolutionary" encryption methods

While this may sound counter-intuitive, it really is sound advice. Let a security method weather the test of time first. Laboratory bench tests are nothing compared to releasing the scheme into the wild. There have been encryption schemes over time that were sold as "unbreakable" and were hacked with relative ease shortly thereafter. Which brings me to the next point...

2.) Beware of "Unbreakable" crypto

The only "unbreakable" crypto method is a One-Time Pad (OTP) with truly random numbers. This is not a computer encryption method. THERE IS NO UNBREAKABLE COMPUTER ENCRYPTION. There are encryption methods that are exceptionally difficult to break; AES and RSA are two of them. Truly RANDOM numbers are what make an OTP unbreakable. Computers have PSEUDO-RANDOM number capability--not entirely random. Pseudo-random encryption equals pseudo-security.
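To make the pseudo-random point concrete, here is an added example (not from the original article) comparing a one-time pad with a pad stretched from a small seed. The messages, the 16-bit seed size and the use of `secrets.token_bytes` as a stand-in for a truly random source are all assumptions made for illustration.

```python
import random
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prng_pad(seed: int, n: int) -> bytes:
    # Mersenne Twister: output is fully determined by the seed and it is
    # not a cryptographic generator. Used here as the "pseudo-random" pad.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    # For a truly random pad, this pad is exactly as likely as any other,
    # so the ciphertext says nothing about which candidate was sent.
    return xor(ciphertext, candidate)

def seeds_explaining(ciphertext: bytes, candidate: bytes, seed_bits: int = 16) -> list:
    # Seeds whose generated pad would turn `candidate` into `ciphertext`.
    # The key space is only 2**seed_bits, however long the pad is.
    needed = xor(ciphertext, candidate)
    return [s for s in range(2 ** seed_bits) if prng_pad(s, len(needed)) == needed]

# Constructed sample messages of equal length.
REAL = b"WIRE $500 TO BOB"
DECOY = b"WIRE $900 TO EVE"

if __name__ == "__main__":
    # secrets.token_bytes stands in for a truly random pad source (assumption).
    otp_ct = xor(REAL, secrets.token_bytes(len(REAL)))
    for guess in (REAL, DECOY):
        print("OTP :", guess, "is explained by pad", pad_explaining(otp_ct, guess).hex())

    weak_ct = xor(REAL, prng_pad(4242, len(REAL)))  # 4242: constructed seed
    for guess in (REAL, DECOY):
        print("PRNG:", guess, "is explained by seeds", seeds_explaining(weak_ct, guess))
```

With the one-time pad, every message of the same length has a pad that explains the ciphertext; with the seeded pad, only the real message does, which is why a pad is only as strong as the randomness behind it.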

3.) Beware of Labels Boasting "Used by ..."

If your native tongue is sarcasm like mine, your first thought on reading these statements is "Am I supposed to care?"--the answer: no. Whether the label claims the product is used by a Fortune 500 company or by 100,000 users, it really doesn't matter. Many Fortune 500 companies back poor software. Many users use poorly written software. What does it matter? Make sure you know how secure the encryption is before you risk the security of your data with it--regardless of who or how many use it.

4.) Beware of "Unbreakability Challenges"

Unbreakability challenges are usually set up so that they always get the desired results. Remember the "Hack the Mac" challenge from February 2006 (vmunet.com), where a Mac Mini was "hacked"? The sponsor set up a user account for every participant. This means they had legitimate access to the machine in the first place. It wasn't so much a "hack" as it was a "privilege escalation". Just remember that anyone can skew test parameters enough to get the results they wanted in the first place. Hence "unbreakability challenges" are never an accurate test of what really happens to encryption schemes.

5.) Beware of Pseudo-Tech-Speak

Most users aren't cryptanalysts. Most users aren't mathematicians. So they may not care whether the encryption is "64 bit Elliptic Curve Cipher" or a "Digital Signature Block Cipher". But beware of bogus tech-speak like "Vectorized Bi-Cubic Gaussian Rounding Scheme" (now that I've typed that, I notice the words come from a lot of image processing schemes). Do a little research into what the cipher actually does. Don't be intimidated by the size of the words and think, "Wow! No one can break that!"

Final Thoughts

While most producers of bogus crypto are out to make a quick buck off of the lay-user, it is also feasible that such software may exist as malware in hopes of debilitating a system with exploits.

With that, I'll leave you with a question. If someone pitches data security and encryption to you with the following sales pitch:

"This uses a NEW, REVOLUTIONARY, DEPARTMENT OF DEFENCE GRADE encryption scheme called EUCLIDIAN POLYALPHABETIC CRYPTOGRAPHY. It is THOROUGHLY UNBREAKABLE as shown by our 'HACK-THIS SECURITY CHALLENGE 2006'. It is ENDORSED BY ACME SECURITY and its USERBASE IS 25000 STRONG. It works with Linux, Windows, and OS X--and it's the killer app of all time."

would you use it? I hope not...