Users warned of "dubious" crypto appsBy Chris Williams. Published: 4th Jan 2004, 23:14:45 | Permalink | Printable
Don't believe everything you readPGP advocate and developer of security and privacy related software, Dr. Nat Queen, has this month published an informative article on modern cryptography. The article is a gentle introduction to anyone interested in exploring and using today's cryptographic techniques and covers public-key based encryption systems and the strength of modern ciphers. It also includes a section on 'snake oil', a term used in security circles that refers to "dubious encryption products" that cannot be trusted to ensure complete security and privacy.
Nat has also expressed his concern for "dubious encryption software [that] has been peddled recently, which may give some RISC OS users a false sense of security". He is, for instance, highly critical of the BCF cyrptosystem, which was developed by George Foot and Michael Brown and is distributed with new Castle Iyonix computers. George Foot was unavailable for comment at this time.
"The BCF Cryptosystem shows most of the warning signs for snake oil described in my article", Nat warned drobe.co.uk. "I'm sure that it would be fine for casual security, but George Foot keeps promoting it for high security, e.g. for businesses to protect their valuable secrets."
According to Nat, the warning signs for 'snake oil' are:
- Is the source code to the cryptography software closed? If the code is open and available to all, then the system can be openly reviewed and analysed by experts. The BCF system's source code is closed despite numerous requests for the source to be made open.
- Can the designer of the cryptography software be trusted and have they had their work published and peer-reviewed by experts? Nat explains in his article, "The design of a good cryptosystem cannot be entrusted to amateurs. There are many pitfalls, and even the professionals have made some serious blunders. All cryptosystems that are generally accepted in the world of cryptography have been created by experts whose work has been published in peer-reviewed journals of international standing."
The BCF system has yet to be publically documented in such a way and even if it relies on an existing cryptosystem, Nat reminds us that, "It is well known that even the smallest modification of a good cryptosystem can render it insecure."
- Does the cryptography software boast crazy key lengths but provides no mathematical evidence as to why this is needed? As Nat explained to drobe.co.uk, "The documents for BCF make a special point of emphasising that it allows a huge number of keys, presumably to try to impress the reader, but this by itself is no guarantee of security."
- Does the software claim to use a 'one-time pad', which is a sequence of random numbers as long as the message itself? "BCF has some similarities to a one-time pad, which is indeed secure, but impractical for everyday use", Nat explained to drobe.co.uk. "In fact, it's based on a little-known theoretical system involving a huge "pad" of random numbers, which is believed to be secure *provided* that certain conditions are satisfied. But those conditions are virtually impossible to achieve in practice, and BCF certainly violates them."
For anyone interested in using PGP (yes, it really does stand for 'pretty good privacy') based encryption and security, Nat's introduction to PGP guide is particularly painless but be prepared for some bed time reading. PGP is the trusted standard cryptography software used worldwide on many, many computer platforms.
For the less paranoid who are wondering what's the point in all this crypotgraphy, PGP can be used to encrypt emails and files from invasive, prying eyes - hackers, the government, bored sysadmins, you name it. It can also be used to digitally sign files and emails so it can be proved that the data originated from you and hasn't been tampered with.
PGP and related apps for RISC OS
Previous: Good bye AU, hello Qercus
Next: Star Fighter 3000 Review
DiscussionViewing threaded comments | View comments unthreaded, listed by date | Skip to the end
Please login before posting a comment. Use the form on the right to do so or create a free account.
Search the archives
Today's featured article
Archive booklets review part three
Ovation Pro, VirtualRiscPC and hardware tips
Discuss this. Published: 4 Feb 2006
Simtec USB stack updated
Minor speedups and enhancements
5 comments, latest by piemmm on 20/10/03 4:14PM. Published: 22 Sep 2003
News and media:
RISCOS Ltd •
RISC OS Open •
MW Software •
Advantage Six •
CJE Micros •
Liquid Silicon •
Chris Why's Acorn/RISC OS collection •
The Register •
The Inquirer •
Apple Insider •
BBC News •
Sky News •
Google News •