Revolutionary Breakthroughs
Beware of any vendor who claims to have invented a ``new type of
cryptography'' or a ``revolutionary breakthrough.'' True breakthroughs are
likely to show up in research literature, and professionals in the field
typically won't trust them until after years of analysis, when they're not
so new anymore.
The strength of any encryption scheme is only proven by the test of time.
New crypto is like new pharmaceuticals, not new cars. And in some ways it's
worse: if a pharmaceutical company produces bogus drugs, people will start
getting sick, but if you're using bogus crypto, you probably won't have any
indication that your secrets aren't as secret as you think.
Avoid software which claims to use `new paradigms' of computing such as
cellular automata, neural nets, genetic algorithms, chaos theory, etc. Just
because software uses a different method of computation doesn't make it more
secure. (In fact, these techniques are the subject of ongoing cryptographic
research, and nobody has published successful results based on their use
yet.)
Also be careful of specially modified versions of well-known algorithms.
This may intentionally or unintentionally weaken the cipher.
It's important to understand the difference between a new cipher and a new
product. Engaging in the practice of developing ciphers and cryptographic
products is a fine thing to do. However, to do both at the same time is
foolish. Many snake oil vendors brag about how they do this, despite the
lack of wisdom in such activity.
Experienced Security Experts, Rave Reviews, and Other Useless Certificates
Beware of any product that claims it was analyzed by ``experienced security
experts'' without providing references. Always look for the bibliography.
Any cipher that they're using should appear in a number of scholarly
references. If not, it's obviously not been tested well enough to prove or
disprove its security.
Don't rely on reviews in newspapers, magazines, or television shows, since
they generally don't have cryptographers to analyze software for them.
(Celebrity ``hackers'' who know telephone systems are not necessarily crypto
experts.)
Just because a vendor is a well known company or the algorithm is patented
doesn't make it secure either.
Unbreakability
Some vendors will claim their software is ``unbreakable.'' This is marketing
hype, and a common sign of snake oil. No algorithm is unbreakable. Even the
best algorithms are susceptible to brute-force attacks, though this can be
impractical if the key is large enough.
Some companies that claim unbreakability actually have serious reasons for
saying so. Unfortunately, these reasons generally depend on some narrow
definition of what it means to ``break'' security. For example, one-time
pads (see the next section) are theoretically unbreakable as far as secrecy
goes, but only if several difficult and important conditions are true. Even
then, they are trivially vulnerable to known plaintext attacks on the
message's integrity. Other systems may be unbreakable only if one of the
communicating devices (such as a laptop) isn't stolen. So be sure to find
out exactly what the ``unbreakable'' properties of the system are, and see
if the more breakable parts of the system also provide adequate security.
Often, less-experienced vendor representatives will roll their eyes and say,
``Of course it's not unbreakable if you do such-and-such.'' The point is
that the exact nature of ``such and such'' will vary from one product to
another. Pick the one that best matches your operational needs without
sacrificing your security requirements.
One-Time-Pads
A vendor might claim the system uses a one-time-pad (OTP), which is provably
unbreakable. Theoretically, the encrypted output of an OTP system is equally
likely to decrypt to any same-size plaintext. For example,
5*8v *$_+~ xCtMB0
has an equal chance of decrypting to any of these:
the answer is yes
the answer is no!
you are a weenie!
Snake oil vendors will try to capitalize on the known strength of an OTP.
But it is important to understand that any variation in the implementation
means that it is not an OTP and has nowhere near the security of an OTP.
An OTP system works by having a ``pad'' of random bits in the possession of
both the sender and recipient, but absolutely no one else. Originally, paper
pads were used before general-purpose computers came into being. The pad
must be sent from one party to the other securely, such as in a locked
briefcase handcuffed to the carrier.
To encrypt an n-bit message, the next n bits in the pad are used as a key.
After the bits are used from the pad, they're destroyed, and can never be
used again.
The bits in the pad cannot be generated by an algorithm or cipher. They must
be truly random, using a real random source such as specialized hardware,
radioactive decay timings, etc. Some snake oil vendors will try to dance
around this issue, and talk about functions they perform on the bit stream,
things they do with the bit stream vs. the plaintext, or something similar.
But this still doesn't change the fact that anything that doesn't use real
random bits is not an OTP. The important part of an OTP is the source of the
bits, not what one does with them.
OTPs are seriously vulnerable if you ever reuse a pad. For instance, the
NSA's VENONA project [4], without the benefit of computer assistance,
managed to decrypt a series of KGB messages encrypted with faulty pads. It
doesn't take much work to crack a reused pad.
The real limitation to practical use of OTPs is the generation and
distribution of truly random keys. You have to distribute at least one bit
of key for every bit of data transmitted. So OTPs are awkward for general
purpose cryptography. They're only practical for extremely-low-bandwidth
communication channels where two parties can exchange pads with a method
different than they exchange messages. (It is rumored that a link from
Washington, D.C., to Moscow was encrypted with an OTP.)
Further, if pads are provided by a vendor, you cannot verify the quality of
the pads. How do you know the vendor isn't sending the same bits to
everyone? Keeping a copy for themselves? Or selling a copy to your rivals?
Also, some vendors may try to confuse random session keys or initialization
vectors with OTPs.
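An added Python example (not part of the FAQ) of the OTP mechanics this section describes: pad bits are consumed once and then destroyed, every same-length plaintext is consistent with a given ciphertext, and reusing a pad lets the key cancel out of two ciphertexts. The fresh_pad helper draws from os.urandom as a stand-in for the hardware random source a real OTP needs; that substitution is an assumption of this example and, by the FAQ's own definition, does not make it a true OTP.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole OTP operation)."""
    if len(a) != len(b):
        raise ValueError("OTP key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """A shared pad: bits are taken front-to-back and destroyed after use."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)  # mutable so consumed bytes can be erased

    def remaining(self) -> int:
        return len(self._pad)

    def take(self, n: int) -> bytes:
        # Refuse rather than wrap around: reusing pad bits is what breaks OTP.
        if n > len(self._pad):
            raise ValueError("pad exhausted; refusing to reuse key material")
        key = bytes(self._pad[:n])
        del self._pad[:n]  # the used bits are gone for good
        return key

def otp_encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, pad.take(len(plaintext)))

def otp_decrypt(pad: OneTimePad, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))

def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad that would map `candidate` onto `ciphertext`. One such pad
    exists for every same-length candidate, so the ciphertext alone says
    nothing about which plaintext was actually sent."""
    return xor_bytes(ciphertext, candidate)

def reused_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: c1 XOR c2 == p1 XOR p2, so the
    pad cancels and the relationship between the messages is exposed."""
    return xor_bytes(c1, c2)

def fresh_pad(nbytes: int) -> bytes:
    # Assumption: os.urandom stands in for the hardware random source a real
    # OTP needs; it is a CSPRNG, which by the FAQ's definition is not an OTP.
    return os.urandom(nbytes)
```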
Algorithm or product X is insecure
Be wary of anything that claims that competing algorithms or products are
insecure without providing evidence for these claims. Sometimes attacks are
theoretical or impractical, requiring special circumstances or massive
computing power over many years, and it's easy to confuse a layman by
mentioning these.
Recoverable Keys
If there is a key-backup or key-escrow system, are you in control of the
backup or does someone else hold a copy of the key? Can a third party
recover your key without much trouble? Remember, you have no security
against someone who has your key.
If the vendor claims it can recover lost keys without using some type of
key-escrow service, avoid it. The security is obviously flawed.
Exportable from the USA
If the software is made in the USA, can it be exported? Strong cryptography
is considered dangerous munitions by the United States and requires approval
from the US Bureau of Export Administration, under the US Department of
Commerce, before it can leave the country. Various interested government
agencies serve as consultants to the Bureau of Export Administration when
evaluating such requests. (The U.S. isn't alone in this; some other nations
have similar export restrictions on strong cryptography.) Chances are, if
the software has been approved for export, the algorithm is weak or
crackable.
If the vendor is unaware of export restrictions, avoid their software. For
example, if they claim that the IDEA cipher can be exported when most
vendors (and the US Government!) do not make such a claim, then the vendor
is probably lacking sufficient clue to provide you with good cryptography.
Because of export restrictions, some decent crypto products come in two
flavors: US-only and exportable. The exportable version will be crippled,
probably by using smaller keys, making it easy to crack.
There are no restrictions on importing crypto products into the US, so a
non-US vendor can legally offer a single, secure version of a product for
the entire world.
Note that a cryptosystem may not be exportable from the US even if it is
available outside the US: sometimes a utility is illegally exported and
posted on an overseas site.