[Cryptography] I broke a cipher this week.

Ray Dillinger bear at sonic.net
Mon May 25 23:39:58 EDT 2015



On 05/23/2015 03:29 AM, ianG wrote:

> There's obviously something wrong with the message that is out there.
> Why is it that an apparently good engineer doesn't get the message that
> it's better to work with the known good stuff?
> 
> This is a seriously interesting question, in that we keep coming back to
> it.  If we can't even convince the programming world that something like
> AES is orders of magnitude more secure than a home-built cipher, ...
> what does this say about slightly more complicated decisions?

There is a lot of Fear, Uncertainty, and Doubt involved.

Most companies lack the ability to really examine and vet
cryptographic code, and they've been hearing that the NSA
and other actors are regularly breaking suites that depend
on known, widely published, reviewed ciphers.  So there is
suspicion that these widely published ciphers are somehow
the point of vulnerability: some sort of trap to ensure
that their product is breakable.

Absent the ability to fully analyze and test cryptographic
attacks on these ciphers, there's little evidence to the
contrary that's really acceptable to them.

Crypto pros see that the breaks are in badly designed
protocols, in buffer overflows in completely different
programs giving an attacker root, in social engineering
or botnet hacking that gets customers' passwords, in
poor implementations putting stuff into unencrypted
buffers or an unencrypted swap partition, etc...  And
not in the crypto algorithms themselves.

But from the "bird's-eye view" of management they only see

"...used AES... got broken... customer records stolen ...
 ... company lost millions... "

And the press doesn't tend to help much.  They edit out
the technical details no one is interested in.

				Bear
