In cryptography, snake oil is any cryptographic method or product considered to be bogus or fraudulent. The name derives from snake oil, one type of patent medicine widely available in the 19th century United States.
Distinguishing secure cryptography from insecure cryptography can be difficult from the viewpoint of a user. Many cryptographers, such as Bruce Schneier and Phil Zimmermann, undertake to educate the public in how secure cryptography is done, as well as highlighting the misleading marketing of some cryptographic products.
The ''Snake Oil FAQ'' describes itself as "a compilation of common habits of snake oil vendors. It cannot be the sole method of rating a security product, since there can be exceptions to most of these rules. But if you're looking at something that exhibits several warning signs, you're probably dealing with snake oil."
Some examples of snake oil cryptography techniques
This is not an exhaustive list of snake oil signs. A more thorough list is given in the references.
;Secret system: Some encryption systems will claim to rely on a secret algorithm, technique, or device; this is categorized as security through obscurity. Criticisms of this are twofold. First, a 19th century rule known as Kerckhoffs's principle, later formulated as Shannon's maxim, teaches that "the enemy knows the system" and the secrecy of a cryptosystem algorithm does not provide any advantage. Second, secret methods are not open to public peer review and cryptanalysis, so potential mistakes and insecurities can go unnoticed.
;Technobabble: Snake oil salespeople may use "technobabble" to sell their product, since cryptography is a complicated subject.
;"Unbreakable": Claims of a system or cryptographic method being "unbreakable" are always false (or true under some limited set of conditions), and are generally considered a sure sign of snake oil.
;"Military-grade": There is no accepted standard or criterion for "military-grade" ciphers.
;One-time pads: One-time pads are a popular cryptographic method to invoke in advertising, because it is well known that one-time pads, when implemented correctly, are genuinely unbreakable. The problem comes in implementing one-time pads, which is rarely done correctly. Cryptographic systems that claim to be based on one-time pads are considered suspect, particularly if they do not describe how the one-time pad is implemented, or they describe a flawed implementation.
;Unsubstantiated "bit" claims: Cryptographic products are often accompanied with claims of using a high number of bits for encryption, apparently referring to the key length used. However, key lengths are not directly comparable between symmetric and asymmetric systems. Furthermore, the details of implementation can render the system vulnerable. For example, in 2008 it was revealed that a number of hard drives sold with built-in "128-bit AES encryption" were actually using a simple and easily defeated "XOR" scheme. AES was only used to store the key, which was easy to recover without breaking AES.
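The weakness shared by the one-time pad and "bit count" entries above, shown as an added Python example (not from the article, and not the scheme the 2008 report describes in detail): a 128-bit key cycled over data, as in a repeating-key XOR "cipher" or a pad used more than once, is recovered in full from a single known block of plaintext, and two ciphertexts under the same pad cancel it out. The sector contents and the two messages are constructed sample inputs.

```python
import secrets

# Constructed sample input (not from the article): a 64-byte "disk sector" whose
# first 16 bytes are a zero-filled header, as many on-disk structures have.
SECTOR = bytes(16) + b"account=alice;balance=1000;pin=4321;".ljust(48, b".")
KEY_LEN = 16  # 128 bits, matching the advertised "128-bit" figure

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """The snake-oil scheme: one fixed key cycled over the data; decrypt == encrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover the whole key from key_len known plaintext bytes at `offset`:
    each key byte is simply ciphertext XOR plaintext, no search required."""
    if len(known) < key_len:
        raise ValueError("need at least one full key period of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ known[i]
    return bytes(key)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Same pad used twice: c1 XOR c2 == p1 XOR p2, the pad cancels out entirely."""
    return xor_bytes(c1, c2)

def demo() -> dict:
    """Run both checks with a fresh random key; returns which properties hold."""
    key = secrets.token_bytes(KEY_LEN)  # a genuinely random 128-bit key
    ct = repeating_key_xor(SECTOR, key)
    # The zero header is the known plaintext; it hands over the full key.
    recovered = key_from_known_plaintext(ct, bytes(16), 0, KEY_LEN)
    # A "one-time pad" reused for a second message behaves the same way.
    p1, p2 = b"transfer 100 to bob", b"transfer 900 to eve"
    pad = secrets.token_bytes(len(p1))
    leak = pad_reuse_leak(xor_bytes(p1, pad), xor_bytes(p2, pad))
    return {
        "key_recovered": recovered == key,
        "sector_decrypted": repeating_key_xor(ct, recovered) == SECTOR,
        "pad_reuse_reveals_plaintext_xor": leak == xor_bytes(p1, p2),
    }

if __name__ == "__main__":
    print(demo())
```

The key size was never the issue here: the 128 bits fall out of one known block because the scheme is XOR with a repeating key, not because the key was weak.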
External links
Beware of Snake Oil — by Phil Zimmermann
Google Search results for "The Doghouse" in Bruce Schneier's Crypto-Gram newsletters — the Doghouse section of the Crypto-Gram newsletter frequently describes various snake oil encryption products, commercial or otherwise.