Algorithms can be perfect and implementation sloppy. If you can review the code you might find the problem, but with proprietary code, fergetit.
I think you guys are missing the point. The term "Snake-Oil Crypto" refers to the algorithm and NOT the actual implementation. This is an "important" distinction. I am copying Matt Curtin (who maintains the Snake-Oil Crypto FAQ) and Bruce Schneier so that they can correct me if I am wrong.

We all know that many open crypto algorithms (like Kerberos, AES) have been implemented in a sloppy manner in both the open-source and closed-source world. Being open source doesn't necessarily mean that the implementation is secure. When is the last time you checked the code for the open source app that you "use", to make sure that it is written properly?

saqib
http://www.full-disk-encryption.net

On 1/18/07, Allen <[EMAIL PROTECTED]> wrote:
Saqib Ali wrote:

> Since when did AES-128 become "snake-oil crypto"? How come I missed
> that? Compusec uses AES-128. And as far as I know AES is NOT
> "snake-oil crypto"

Saqib,

I believe you are correct as to the algorithm, but the snake-oil is in the implementation. As I have often said, "A misplaced comma in an English sentence will merely get you a bad reputation as a writer, however, a misplaced comma in a nuclear weapons project may leave an enduring mark on the world."

>
> Closed-source doesn't mean that it is "snake-oil". If that was the
> case, the Microsoft's EFS, and Kerberos implementation would be "snake
> oil" too.

As I recall there have been a few problems with Kerberos in the past.

Best,

Allen

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net