How To

A Field Guide to Spotting Bad Cryptography

It takes an expert to determine whether a cryptographic system is truly secure, but CSOs can learn to spot red flags

By Simson Garfinkel

October 01, 2005, CSO

Determining whether a cryptographic protocol or system is actually secure takes an expert. And even then, hidden flaws may be lurking.

Cryptography is the collection of techniques used to protect information from unauthorized disclosure or modification. These techniques are the basis of the secure sockets layer, or SSL, protocol used to secure e-commerce transactions over the Web, as well as digital signature schemes that make it possible for video game consoles to tell the difference between a game that's authorized and one that's not.

Although cryptography was originally the stuff of spooks and diplomats, it is becoming more important every year as other strategies for protecting information increasingly show their limits. For example, it was once possible to prevent electronic documents from getting into the wrong hands by keeping them on a computer that was not connected to a network. These days, it's nearly impossible to keep a computer off the network, and even if you could, there is always a chance a document might leak out on somebody's USB memory stick. Enter cryptography in the form of digital rights management systems, which keep documents in their encrypted form and only release the decryption key when a document is being accessed by an authorized individual.

The problem with cryptography is that it is downright difficult to tell the difference between a system that is actually secure and one that merely provides the appearance of security. Case in point: those bicycle locks with the cylindrical keys that were used for more than 20 years before thieves realized the locks could be picked with a ballpoint pen. There are probably thousands of unknown security flaws lurking in popular PC software.

Fortunately, the converse is generally not true: It's relatively easy to look at a crypto system and know if it is probably not secure. That's because there are a few red flags that usually indicate something inside is not kosher. These warning signs won't tell you for sure that a system is hopeless, but they will tell you further research is warranted.

Red Flag #1: Keys That Are Too Small

The security of most cryptographic systems is based in part on the secrecy of their keys. If an attacker can try every possible key and know for sure when he has found the correct one, the attacker can compromise the system. This is known as a brute force attack.

Keys are binary strings of 1s and 0s with a length that's almost always fixed. As with digits in a phone number, more bits means that there are more potential combinations for authorized users to choose from, and therefore more possible keys that an attacker needs to go through to try to find the one that's correct.
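
The effect of key length on a brute force search can be measured directly on a deliberately tiny key. The following is an added example, not part of the original article: the toy cipher, the sample message and the assumed search rate of one billion keys per second are all constructed for illustration. It shows both conditions named above, a keyspace small enough to enumerate and a way to recognize the correct key, and how each extra bit doubles the work.

```python
import hashlib

PLAINTEXT = b"CONFIDENTIAL: Q3 forecast"   # constructed sample message (<= 32 bytes)
KNOWN_PREFIX = b"CONFIDENTIAL"             # text the searcher expects to see

def toy_cipher(key: int, bits: int, data: bytes) -> bytes:
    """Toy cipher for illustration only: XOR data with SHA-256(key)."""
    stream = hashlib.sha256(key.to_bytes((bits + 7) // 8, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def exhaustive_search(ciphertext: bytes, bits: int):
    """Try every key in order and return (key, trials).
    The known prefix is the recognizer that confirms the right key."""
    for key in range(2 ** bits):
        if toy_cipher(key, bits, ciphertext).startswith(KNOWN_PREFIX):
            return key, key + 1
    return None, 2 ** bits

def worst_case_years(bits: int, keys_per_second: float) -> float:
    """Time to try every key of this length at an assumed search rate."""
    return 2 ** bits / keys_per_second / (365.25 * 24 * 3600)

def demo():
    """Search 8-, 12- and 16-bit keyspaces; return (bits, recovered, trials)."""
    rows = []
    for bits in (8, 12, 16):
        secret = 2 ** bits - 1             # worst case: the last key tried
        ciphertext = toy_cipher(secret, bits, PLAINTEXT)
        found, trials = exhaustive_search(ciphertext, bits)
        rows.append((bits, found == secret, trials))
    return rows

if __name__ == "__main__":
    for bits, ok, trials in demo():
        print(f"{bits:>3}-bit key: recovered={ok} after {trials} trials")
    rate = 1e9                             # assumed rate, keys per second
    for bits in (40, 56, 128):
        years = worst_case_years(bits, rate)
        print(f"{bits:>3}-bit key: {years:.3g} years to try every key")
```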
