It's a Presidential Mandate, Feds use it. How come you are not using FDE?

Saqib Ali docbook.xml at
Thu Jan 18 18:57:46 EST 2007

> Algorithms can be perfect and implementation sloppy. If you can
> review the code you might find the problem, but with proprietary
> code, fergetit.

I think you guys are missing the point. The term "Snake-Oil Crypto"
refers to the algorithm and NOT the actual implementation. This is a
"important" distinction.

I am copying Matt Curtain (who maintains Snake-Oil Crypto FAQ) and
Bruce Schneier so that they can correct me if I am wrong.

We all know that many open crypto algorithms (like kerberos, AES) have
been implemented in sloppy manner in both open-source and close-source
world. Being open source doesn't necessarily mean that the
implementation is secure.

When is the last time you checked the code for the open source app
that you "use", to make sure that it is written properly?


On 1/18/07, Allen <netsecurity at> wrote:
> Saqib Ali wrote:
> > Since when did AES-128 become "snake-oil crypto"? How come I missed
> > that? Compusec uses AES-128 . And as far as I know AES is NOT
> > "snake-oil crypto"
> Saqib,
> I believe you are correct as to the algorithm, but the snake-oil
> is in the implementation,
> As I have often said, "A misplaced comma in an English sentence
> will merely get you a bad reputation as a writer, however, a
> misplaced comma in a nuclear weapons project may leave an
> enduring mark on the world."
> >
> > Closed-source doesn't mean that it is "snake-oil". If that was the
> > case, the Microsoft's EFS, and Kerberos implementation would be "snake
> > oil" too.
> As I recall there have been a few problems with Kerberos in the past.
> Best,
> Allen
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list