A Field Guide to Spotting Bad Cryptography

It takes an expert to determine whether a cryptographic system is truly secure, but CSOs can learn to spot red flags

There are two kinds of encryption algorithms: symmetric algorithms, like data encryption standard and advanced encryption standard, and public-key algorithms like RSA and Diffie-Hellman. Generally speaking, symmetric keys that are shorter than 128 bits are not considered secure and should not be used. Likewise, you should not use RSA keys that are shorter than 1,024 bits.

When the 802.11 wireless equivalent privacy (WEP) standard was released in the 1990s, the standard called for 40-bit encryption. Even before the first attacks against WEP were publicly disclosed, I was telling my clients not to trust WEP because the key was simply not long enough to ensure security. Since then, numerous other vulnerabilities have been discovered as well.

Red Flag #2:
Keys That Are Too Long

The U.S. governments advanced encryption standard (AES) supports keys that are 128, 192 and 256 bits long. If longer keys are more secure, then why stop at 256 bits? Wouldnt a 512 or 1,024-bit symmetric key be more secure still?

Surprisingly, the answer to this question is usually no. Given the limits of computers as we understand them, there is no reason to think that a 192-bit or 256-bit symmetric key will be any stronger than a 128-bit key for the foreseeable future. Thats because even the fastest computers mankind is likely to build within the next two or three decades will be unable to try all possible 128-bit keys to crack an encrypted message with a brute force attack, let alone all 192-bit or 256-bit keys. Although the additional bits confer more theoretical security, that additional security is meaningless.

Nevertheless, there has been a steady pressure on technologists to adopt longer and longer keys. Part of this pressure comes from history: In the 1990s, there were many cases in which successively longer keys were cracked by computer scientists. What people forget is that the industry at the time was using unreasonably short keys as a result of federal regulationregulations that have since been lifted. Unfortunately, the experience of the 1990s wrongly taught some technologists that key lengths need to be increased every few years. Another part of the push for longer keys is unbridled marketing: Longer keys just sound more secure than shorter ones, even if the security isnt relevant for computers likely to be manufactured in the 21st century. I suspect that its harder to sell a 128-bit encryptor when your competition is selling a spiffy something with 256 bits.

Nevertheless, you should be suspicious if a vendor tells you that it is selling something with 256-bit encryption because 128-bits is not secure. You should be especially suspicious if someone tells you that he is using 448-bit encryption or 10,000-bit encryption. This usually means the vendors salesman doesnt understand what he is talking about.