Snake oil (cryptography)
{{Short description|Fraudulent cryptography claim}}
{{Use dmy dates|date=February 2025}}

In [[cryptography]], '''snake oil''' is any cryptographic method or product considered to be bogus or fraudulent. The name derives from [[snake oil]], one type of [[patent medicine]] widely available in the 19th-century United States.

Distinguishing secure cryptography from insecure cryptography can be difficult from the viewpoint of a user. Many cryptographers, such as [[Bruce Schneier]] and [[Phil Zimmermann]], undertake to educate the public in how secure cryptography is done, as well as highlighting the misleading marketing of some cryptographic products. The ''Snake Oil FAQ'' describes itself as "a compilation of common habits of snake oil vendors. It cannot be the sole method of rating a security product, since there can be exceptions to most of these rules. <nowiki>[...]</nowiki> But if you're looking at something that exhibits several warning signs, you're probably dealing with snake oil."<ref name="snakeoilfaq">{{cite web|archiveurl=https://web.archive.org/web/20211114090731/http://www.interhack.net/people/cmcurtin/snake-oil-faq.html|first1=Matt|last1=Curtin|title=Snake Oil Warning Signs: Encryption Software to Avoid|url=http://www.interhack.net/people/cmcurtin/snake-oil-faq.html|archivedate=14 November 2021}}</ref>

== Some examples of snake oil cryptography techniques ==
This is not an exhaustive list of snake oil signs. A more thorough list is given in the references.

;Secret system: Some encryption systems claim to rely on a secret algorithm, technique, or device; this is categorized as [[security through obscurity]].<ref name=Cryptogram /> Criticisms of this are twofold. First, a 19th-century rule known as [[Kerckhoffs's principle]], later formulated as Shannon's maxim, teaches that "the enemy knows the system", so the secrecy of a cryptosystem's algorithm does not provide any advantage. Second, secret methods are not open to public [[peer review]] and [[cryptanalysis]], so potential mistakes and insecurities can go unnoticed.<ref name="snakeoilfaq" />
;Technobabble: Snake oil salespeople may use "[[technobabble]]" to sell their product, since cryptography is a complicated subject.<ref name=Cryptogram>{{cite web|url=https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil|title=Snake Oil|first1=Bruce|last1=Schneier|date=15 February 1999|work=Crypto-Gram}}</ref>
;"Unbreakable": Claims that a system or cryptographic method is "unbreakable" are always false (or true only under some limited set of conditions), and are generally considered a sure sign of snake oil.<ref name="snakeoilfaq" />
;"Military grade": There is no accepted standard or criterion for "[[military grade]]" ciphers.<ref name="snakeoilfaq" />
;One-time pads: [[One-time pad]]s are a popular cryptographic method to invoke in advertising, because it is well known that one-time pads, when implemented correctly, are genuinely unbreakable. The problem comes in implementing one-time pads, which is rarely done correctly. Cryptographic systems that claim to be based on one-time pads are considered suspect, particularly if they do not describe how the one-time pad is implemented, or they describe a flawed implementation.<ref name=Cryptogram />
;Unsubstantiated "bit" claims: Cryptographic products are often accompanied by claims of using a high number of bits for encryption, apparently referring to the [[key length]] used.<ref name=Cryptogram /> However, key lengths are not directly comparable between symmetric and asymmetric systems.<ref name=Cryptogram /> Furthermore, the details of implementation can render the system vulnerable. For example, in 2008 it was revealed that a number of [[hard drive]]s sold with built-in "128-bit [[Advanced Encryption Standard|AES]] encryption" were actually using a simple and easily defeated "[[XOR]]" scheme. AES was only used to store the key, which was easy to recover without breaking AES.<ref>{{cite web|url=http://www.h-online.com/security/features/Enclosed-but-not-encrypted-746199.html|title=Enclosed, but not encrypted|work=The H Security: News and Features|date=18 February 2008|author=Christiane Rütten}}</ref>

== References ==
{{reflist}}

== External links ==
* [http://www.philzimmermann.com/EN/essays/SnakeOil.html Beware of Snake Oil] – by [[Phil Zimmermann]]
* [http://www.google.com/search?q=site:www.schneier.com%20%22The%20Doghouse:%22 Google Search results for "The Doghouse" in Bruce Schneier's Crypto-Gram newsletters] – the Doghouse section of the Crypto-Gram newsletter frequently describes various snake oil encryption products, commercial or otherwise.

[[Category:Cryptography]]
[[Category:Pejorative terms related to technology]]
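The "128-bit AES" hard drives above illustrate why a bit-count claim should be checked against the product's actual behaviour. The following is an added example, not part of the article or of any vendor's code: an auditor writes a known plaintext through the device, reads back the raw ciphertext, and tests whether the keystream (plaintext XOR ciphertext) repeats with a short period, which a fixed-key XOR scheme does and a real block cipher does not. The key, the plaintext and the SHA-256 counter stream used as the honest control are all constructed for the demo and are not a recommended cipher.

```python
import hashlib
from typing import Optional

# Constructed demo values: a 16-byte fixed key and a 4 KiB auditor-written plaintext.
DEMO_KEY = bytes(range(0x10, 0x20))
KNOWN_PLAINTEXT = (b"Auditor-written known plaintext block. " * 200)[:4096]


def xor_fixed_key(data: bytes, key: bytes) -> bytes:
    """The suspect scheme: every byte is XORed with a short key that repeats forever."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ctr_stream_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real counter-mode cipher (SHA-256 over key||counter), used only as
    the honest control so the audit has something to compare against; it is not AES."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def keystream_period(plaintext: bytes, ciphertext: bytes) -> Optional[int]:
    """Derive keystream = plaintext XOR ciphertext and return the shortest period
    (up to half the sample length) at which it repeats, or None if it never does."""
    ks = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for period in range(1, len(ks) // 2 + 1):
        if all(ks[i] == ks[i - period] for i in range(period, len(ks))):
            return period
    return None


def audit(plaintext: bytes, ciphertext: bytes) -> str:
    """Human-readable verdict on a known-plaintext sample taken from the device."""
    period = keystream_period(plaintext, ciphertext)
    if period is None:
        return "no short keystream period found"
    return f"keystream repeats every {period} bytes: fixed-key XOR, not a block cipher"


if __name__ == "__main__":
    print("claimed AES drive:", audit(KNOWN_PLAINTEXT, xor_fixed_key(KNOWN_PLAINTEXT, DEMO_KEY)))
    print("control cipher:   ", audit(KNOWN_PLAINTEXT, ctr_stream_cipher(KNOWN_PLAINTEXT, DEMO_KEY)))
```

A period of a few bytes or a few hundred bytes is conclusive on its own; a block cipher in any sane mode yields no period at all over a sample of this size.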