Respected cryptography authority Bruce Schneier this week told a security conference that most products and systems that use cryptography are insecure and most commercial cryptography doesn't perform as advertised.
Instead, he recommended that companies use strong random number generators and published nonproprietary algorithms and cryptographic protocols.
Schneier, who is president of Counterpane Systems in Minneapolis, author of Applied Cryptography and inventor of the Blowfish, Twofish and Yarrow algorithms, noted that it's difficult to distinguish bad cryptography from good cryptography in security products. Experienced security testing is needed to uncover bugs, but products are often shipped without this type of evaluation, he told the audience at the Black Hat Briefings. "Beta testing can never uncover security flaws," Schneier said.
According to Schneier, flaws can be found almost anywhere: in the design, the algorithms and protocols, the implementation, the configuration, the user interface, the usage procedures and other locations in the design of products.
There is usually no reason to use a new or unpublished algorithm in place of an older and better analysed one, Schneier said. "There is no need ever for proprietary algorithms," he added.
Insecure random number generators can also compromise the security of entire systems since the security of many algorithms and protocols assumes good random numbers, Schneier said. He noted that random numbers are critical for most modern cryptographic applications including session keys, seeds for generating public keys and random values for digital signatures.
Security consultants at the conference said they took Schneier's suggestions to heart. "I would suggest that no one ever purchase proprietary encryption products if it's protecting anything of value because someone can reverse-engineer it," said Byran Baisden, a software engineer at Edge Technologies. Edge designed the Nvision product for network management platforms and consults for the federal government.
Matthew Cramer, lead security practitioner at Armstrong World Industries, said Schneier does a good job pointing out flawed systems and helping companies evaluate products such as virtual private networks that use encryption. "The tough job is picking which ones are snake oil and which ones are real and Bruce provides a lot of information to the community to pick out which is which," Cramer said.