The wisdom of the ill informed
Perry E. Metzger
perry at piermont.com
Mon Jun 30 18:58:06 EDT 2008
"James A. Donald" <jamesd at echeque.com> writes:
> Arshad Noor wrote:
>> While programmers or business=people could be ill-informed, Allen,
>> I think the greater danger is that IT auditors do not know enough
>> about cryptography, and consequently pass unsafe business processes
>> and/or software as being secure.
>
> Committees of experts regularly get cryptography wrong - consider, for
> example the Wifi debacle. Each wifi release contains classic and
> infamous errors - for example WPA-Personal is subject to offline
> dictionary attack.
The initial WEP design was done without cryptography experts. The
design of subsequent generations of WiFi security was designed in the
face of backward compatibility constraints that severely limited the
space of possible designs.
I would claim that this is not an example of crypto experts getting it
wrong at all -- it is, in fact, an example of what can go wrong when
people who don't know what they're doing design cryptography into
something that's very widely deployed.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list