    Is Encrypt-o-matic MoJo (powerful magic) or snake oil?
    Author: Matt Danielsson
    [ 2004-06-17 18:31 ]


    By Jim Keohane

    This is for the "Big Iron" folks out there. No, not Heavy Metal. Big Iron!

    You were brought up in an OCO (object code only) world where vendors seldom supplied source code to their products. Mainframe vendors typically divulge very little of the inner workings of their products. Your web-enablement plans call for privacy and security measures when communicating with the outside world. You investigate the myriad data-scrambling products on the market. Beware if a product claims unbreakable but proprietary encryption algorithms!

    From http://www.dictionary.com:
    snake oil (n).
    A worthless preparation fraudulently peddled as a cure for many ills. Speech or writing intended to deceive; humbug. Any of various liquids sold as medicine (as by a traveling medicine show) but medically worthless. In cryptography circles "snake oil" refers to products, services, claims, etc. that may initially impress but, after careful examination, are found wanting.

    Mainframers, in my experience, are somewhat more prone to accept at face value such exaggerated claims. Here are some assertiveness training steps they should take when approached by a vendor of encryption products:

    1. Ask what encryption algorithms are used. If told they are proprietary, send the vendor packing. He's asking you to place your trust in him and not in known algorithms that have been pounded upon by the world's best cryptanalysts and found to be computationally-unbreakable*. Remember, if users of the vendor's software become a worthwhile target to crackers, those crackers will certainly be able to disassemble the software and determine the underlying logic. If the enemy will be able to figure out the logic, what reason can the vendor have for keeping the logic from the customer?

    2. Ask to see the encryption source code. The vendor could demur saying the source code, even though implementing a known algorithm, is nevertheless coded for optimal performance and so the vendor wishes to keep it secret. In that case, you should at least be able to run his software alongside another program (same algorithm) to confirm identical results. You can also ask for non-optimized source code that can be either tested standalone or in the full product as a replacement of the optimized code.

    3. Ignore claims of "my key size is bigger than theirs." Larger key size does tend to make encryption less susceptible to brute-force deciphering (many dedicated, powerful computers working in tandem). However, current public algorithms are secure enough with reasonable key sizes (i.e. 128 to 256-bit for private key, 512 to 2048-bit for public key). Increasing key size just wastes CPU resources.

    4. Show obfuscators the door. If the salesperson is too heavy on buzz words and too short on clear explanations, then be cautious. Go to all meetings accompanied by a seeing-eye crypto-geek.

    5. Cast a jaundiced eye towards contests and challenges. The vendor may point to a limited period during which a prize, often very sizable, was offered to anyone who could break their encryption. No winners, he brags. Examine closely the parameters of the contest. Known algorithms that have survived the test of time (years, not weeks) have been found secure even when (1) algorithm is known and (2) original cleartext is known and (3) encrypted ciphertext is known and (4) some information about the key is known. Contrast that with a so-called hacker challenge that sets a short contest length and provides only the encrypted text.

    Here's the JimKeo Hacker Contest.
    Prize is One Million Pazoozas, ah yes!
    Encrypted ciphertext is "now is the time for all good"
    What was original cleartext?
    What was the algorithm?
    What was the key?
    Contest ends soon.
    Give up?
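
The side-by-side check from step 2, as an added example (not from the original article or from any vendor): an unoptimized AES-128 block encryption serves as the independent reference, is validated against the vectors published in FIPS-197, and `audit` lists every input where a product's output differs. AES-128 as the claimed algorithm and the names `audit`, `vendor_encrypt` and `snake_oil` are assumptions made for illustration.

```python
import os

def _xtime(a):  # multiply by x in GF(2^8), reduced by the AES polynomial 0x11B
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a
def _rotl8(x, n): return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():  # S-box: field inverse followed by the affine map (FIPS-197)
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xtime(p)                                     # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF   # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1: return sbox
SBOX = _build_sbox()

def _round_keys(key):  # AES-128 key schedule: 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                                     # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon; rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[r * 4:r * 4 + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):  # unoptimized reference, one 16-byte block
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            s = [a[i] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ _xtime(a[i] ^ a[(i + 1) % 4])
                 for a in (s[c:c + 4] for c in range(0, 16, 4)) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

KATS = [  # FIPS-197 Appendix B and Appendix C.1: key, plaintext, ciphertext
    ("2b7e151628aed2a6abf7158809cf4f3c", "3243f6a8885a308d313198a2e0370734", "3925841d02dc09fbdc118597196a0b32"),
    ("000102030405060708090a0b0c0d0e0f", "00112233445566778899aabbccddeeff", "69c4e0d86a7b0430d8cdb78070b4c55a")]

def audit(vendor_encrypt, trials=200):  # (key, plaintext) pairs where the product disagrees
    rnd = [(os.urandom(16), os.urandom(16)) for _ in range(trials)]
    cases = [tuple(map(bytes.fromhex, v)) for v in KATS] + [(k, p, aes128_encrypt_block(k, p)) for k, p in rnd]
    return [(k.hex(), p.hex()) for k, p, c in cases if vendor_encrypt(k, p) != c]

def snake_oil(key, block):  # constructed stand-in: claims AES, actually XORs the key in
    return bytes(b ^ k for b, k in zip(block, key))
```

An empty list from `audit` shows only that the product computes the published algorithm on single blocks; key handling, modes of operation and random number generation still need their own review.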

    When Joe Isuzu shows up at your door lauding his revolutionary new encryption software, just do like Beatle John Lennon and say "OCO? NO-NO!"

    For extra credit:
    Visit http://www.counterpane.com/crypto-gram-9902.html#snakeoil.
    Visit http://www.interhack.net/people/cmcurtin/snake-oil-faq.html.
    Visit http://www.counterpane.com/crypto-gram-9812.html#contests.

    *Computationally-unbreakable means the encryption can be broken but only by use of an inordinate number of powerful computers over an unacceptably long period.

    About the author
    Jim Keohane (jimkeo@multi-platforms.com) is president of New York consulting company Multi-Platforms, Inc. His company specializes in commercial software development/consulting with emphasis on cross-platform and performance issues.


    Related book

    Learn Encryption Techniques with Basic and C++
    Author : Gil Held
    Publisher : Wordware Publishing
    ISBN/CODE : 1556225989
    Cover Type : Soft Cover
    Pages : 350
    Published : Nov. 1998
    Summary:
    Encryption is the process of coding software so that the message is not easily discernible. Learn Encryption Techniques with BASIC and C++ provides readers with a step-by-step examination of the development of encryption techniques from the Caesar Cipher through modern-day public and private key encryption methods. Numerous encryption techniques are first explained in detail, followed by the development of program modules that illustrate how the data is coded. The program modules are then used to develop Windows-based programs that illustrate encryption and decryption of data. Thus, this book provides experienced programmers and developers with detailed, practical, hands-on information and coding examples that illustrate how messages, files and notes can be programmed with different levels of security.
