How To

A Field Guide to Spotting Bad Cryptography

It takes an expert to determine whether a cryptographic system is truly secure, but CSOs can learn to spot red flags

By Simson Garfinkel

October 01, 2005CSO

To determine if a cryptographic protocol or system is actually secure takes an expert. And, even then, hidden flaws may be lurking.

Cryptography is the collection of techniques used to protect information from unauthorized disclosure or modification. These techniques are the basis of the secure sockets layer, or SSL, protocol used to secure e-commerce transactions over the Web, as well as digital signature schemes that make it possible for video game consoles to tell the difference between a game thats authorized and one thats not.

Although cryptography was originally the stuff of spooks and diplomats, it is becoming more important every year as other strategies for protecting information increasingly show their limits. For example, it was once possible to prevent electronic documents from getting into the wrong hands by keeping them on a computer that was not connected to a network. These days, its nearly impossible to keep a computer off the network, and even if you could, there is always a chance a document might leak out on somebodys USB memory stick. Enter cryptography in the form of digital rights management systems, which keep documents in their encrypted form and only release the decryption key when a document is being accessed by an authorized individual.

The problem with cryptography is that it is downright difficult to tell the difference between a system that is actually secure and one that merely provides the appearance of security. Case in point, those bicycle locks with the cylindrical keys that were used for more than 20 years before thieves realized locks could be picked with a ballpoint pen. There are probably thousands of unknown security flaws lurking in a popular PC software.

Fortunately, the converse is generally not true: Its relatively easy to look at a crypto system and know if it is probably not secure. Thats because there are a few red flags that usually indicate something inside is not kosher. These warning signs wont tell you for sure that a system is hopeless, but they will tell you further research is warranted.

Red Flag #1:

Keys That Are Too Small

The security of most cryptographic systems is based in part on the secrecy of its key. If an attacker can try every possible key and know for sure when he has found the correct one, the attacker can compromise the system. This is known as a brute force attack.

Keys are binary strings of 1s and 0s with a length thats almost always fixed. As with digits in a phone number, more bits means that there are more potential combinations for authorized users to choose from, and therefore more possible keys that an attacker needs to go through to try to find the one thats correct.

$firstKeyword

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors