Snake oil (cryptography)
== Some examples of snake oil cryptography techniques ==
This is not an exhaustive list of snake oil signs. A more thorough list is given in the references.

;Secret system: Some encryption systems will claim to rely on a secret algorithm, technique, or device; this is categorized as [[security through obscurity]].<ref name=Cryptogram /> Criticisms of this are twofold. First, a 19th-century rule known as [[Kerckhoffs's principle]], later formulated as Shannon's maxim, teaches that "the enemy knows the system" and the secrecy of a cryptosystem algorithm does not provide any advantage. Second, secret methods are not open to public [[peer review]] and [[cryptanalysis]], so potential mistakes and insecurities can go unnoticed.<ref name="snakeoilfaq" />
;Technobabble: Snake oil salespeople may use "[[technobabble]]" to sell their product since cryptography is a complicated subject.<ref name=Cryptogram>{{cite web|url=https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil|title=Snake Oil|first1=Bruce|last1=Schneier|date=15 February 1999|work=Crypto-Gram}}</ref>
;"Unbreakable": Claims of a system or cryptographic method being "unbreakable" are always false (or true under some limited set of conditions), and are generally considered a sure sign of snake oil.<ref name="snakeoilfaq" />
;"Military grade": There is no accepted standard or criterion for "[[military grade]]" ciphers.<ref name="snakeoilfaq" />
;One-time pads: [[One-time pad]]s are a popular cryptographic method to invoke in advertising, because it is well known that one-time pads, when implemented correctly, are genuinely unbreakable. The problem comes in implementing one-time pads, which is rarely done correctly. Cryptographic systems that claim to be based on one-time pads are considered suspect, particularly if they do not describe how the one-time pad is implemented, or they describe a flawed implementation.<ref name=Cryptogram />
;Unsubstantiated "bit" claims: Cryptographic products are often accompanied by claims of using a high number of bits for encryption, apparently referring to the [[key length]] used.<ref name=Cryptogram /> However, key lengths are not directly comparable between symmetric and asymmetric systems.<ref name=Cryptogram /> Furthermore, the details of implementation can render the system vulnerable. For example, in 2008 it was revealed that a number of [[hard drive]]s sold with built-in "128-bit [[Advanced Encryption Standard|AES]] encryption" were actually using a simple and easily defeated "[[XOR]]" scheme. AES was only used to store the key, which was easy to recover without breaking AES.<ref>{{cite web|url=http://www.h-online.com/security/features/Enclosed-but-not-encrypted-746199.html|title=Enclosed, but not encrypted|work=The H Security: News and Features|date=18 February 2008|author=Christiane Rütten}}</ref>
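
The hard-drive case above suggests a check an evaluator can run on any "encrypted" storage product: write a known pattern through the device, read the raw media, and see whether plaintext XOR stored data is the same in every sector. The sketch below is an added example, not code from the article or from any product; the 512-byte sector size, the fixed-pad model of the flawed scheme, and the SHAKE-256 stand-in for a properly tweaked cipher (it is not AES-XTS) are all assumptions made for illustration.

```python
import hashlib
import os

SECTOR = 512  # bytes per sector (assumed for this sketch)

def xor_pad_encrypt(data: bytes, pad: bytes) -> bytes:
    """Constructed model of the flawed design: every sector XORed with one fixed pad."""
    return bytes(b ^ pad[i % SECTOR] for i, b in enumerate(data))

def tweaked_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a sound design: the keystream depends on key AND sector number."""
    out = bytearray()
    for n in range(0, len(data), SECTOR):
        sector = data[n:n + SECTOR]
        tweak = (n // SECTOR).to_bytes(8, "big")
        ks = hashlib.shake_256(key + tweak).digest(len(sector))
        out += bytes(p ^ k for p, k in zip(sector, ks))
    return bytes(out)

def sectors(buf: bytes):
    """Split a buffer into sector-sized chunks."""
    return [buf[i:i + SECTOR] for i in range(0, len(buf), SECTOR)]

def fixed_xor_pad(plain: bytes, raw: bytes):
    """Return the pad if plaintext XOR raw media is identical in every sector, else None."""
    diffs = {bytes(p ^ c for p, c in zip(ps, cs))
             for ps, cs in zip(sectors(plain), sectors(raw))}
    return diffs.pop() if len(diffs) == 1 else None

def audit(encrypt, secret: bytes) -> bool:
    """Write a known test pattern, inspect the raw result, report whether the flaw is present."""
    pattern = os.urandom(8 * SECTOR)  # constructed test data, 8 sectors
    pad = fixed_xor_pad(pattern, encrypt(pattern, secret))
    if pad is None:
        return False
    # Confirm: the pad derived from the test write also explains a fresh, unrelated write.
    fresh = os.urandom(2 * SECTOR)
    return xor_pad_encrypt(fresh, pad) == encrypt(fresh, secret)

if __name__ == "__main__":
    print("fixed XOR pad detected:", audit(xor_pad_encrypt, os.urandom(SECTOR)))
    print("tweaked stand-in flagged:", audit(tweaked_encrypt, os.urandom(32)))
```

A positive result means the advertised key length is irrelevant: the stored data is protected only by a value that any single known sector reveals.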