Schneier tears up crypto snakeoil

It's always fun to watch Bruce "Applied Cryptography" Schneier tear some security-snakeoil vendor a new asshole. This week, in his Crypto-Gram newsletter, he savages Meganet, a company that made a Slashdot splash (a splashdot?) last week by announcing an "unbreakable" system, with "million-bit keys" that uses "secret new mathematics."

Back to Meganet. They build an alternate reality where every cryptographic algorithm has been broken, and the only thing left is their own system. "The weakening of public crypto systems commenced in 1997. First it was the 40-bit key, a few months later the 48-bit key, followed by the 56-bit key, and later the 512 bit has been broken..." What are they talking about? Would you trust a cryptographer who didn't know the difference between symmetric and public-key cryptography? "Our technology... is the only unbreakable encryption commercially available." The company's founder quoted in a news article: "All other encryption methods have been compromised in the last five to six years." Maybe in their alternate reality, but not in the one we live in...

Reading their Web site is like reading a litany of snake-oil warning signs and stupid cryptographic ideas. They've got "proprietary technology." They've got one-million-bit keys. They've got appeals to new concepts: "It's a completely new approach to data encryption." They've got a "mathematical proof" that their VME is equal to a one-time pad. A mathematical proof, by the way, with no mathematics: they simply show that the encrypted data is statistically random in both cases. (The "proof" is simply hysterical to read; summarizing it here just won't do it justice.)

It's like an object lesson in Schneier's aphorism that "anyone can design a security system so secure that s/he can't imagine a way to break it."
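Why "the ciphertext is statistically random in both cases" proves nothing, as an added example (not code from Schneier, Meganet or this post): a deliberately weak toy cipher, constructed here and unrelated to how VME actually works, produces ciphertext whose byte entropy is indistinguishable from a real one-time pad's, yet its 16-bit key falls to exhaustive search given eight known plaintext bytes. The sample plaintext, the seed and all function names are assumptions made for the illustration.

```python
import math
import os
import random
from collections import Counter

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_keystream(seed: int, n: int) -> bytes:
    # Constructed weak cipher: Mersenne Twister (not a cryptographic
    # generator) keyed by a seed drawn from a 16-bit space.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))

def recover_seed(ciphertext: bytes, known_prefix: bytes, seed_bits: int = 16):
    """Try every seed; a match on a known plaintext prefix identifies the key."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(1 << seed_bits):
        if xor(head, toy_keystream(seed, len(head))) == known_prefix:
            return seed
    return None

def demo() -> dict:
    # Constructed sample plaintext and key, for illustration only.
    plaintext = b"Quarterly report: nothing to see here. " * 1700
    secret_seed = 0xBEEF
    weak_ct = xor(plaintext, toy_keystream(secret_seed, len(plaintext)))
    otp_ct = xor(plaintext, os.urandom(len(plaintext)))  # a real one-time pad
    seed = recover_seed(weak_ct, plaintext[:8])
    return {
        "plain_entropy": entropy_bits_per_byte(plaintext),
        "weak_entropy": entropy_bits_per_byte(weak_ct),
        "otp_entropy": entropy_bits_per_byte(otp_ct),
        "recovered_seed": seed,
        "decrypted_ok": xor(weak_ct, toy_keystream(seed, len(weak_ct))) == plaintext,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both ciphertexts pass the same statistical check, so the check cannot tell a one-time pad from a cipher that is broken in about a second.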



(via Interesting People)