Algorithms can be perfect and implementation sloppy. If you can
review the code you might find the problem, but with proprietary
code, fergetit.

I think you guys are missing the point. The term "Snake-Oil Crypto"
refers to the algorithm and NOT the actual implementation. This is a
"important" distinction.

I am copying Matt Curtain (who maintains Snake-Oil Crypto FAQ) and
Bruce Schneier so that they can correct me if I am wrong.

We all know that many open crypto algorithms (like kerberos, AES) have
been implemented in sloppy manner in both open-source and close-source
world. Being open source doesn't necessarily mean that the
implementation is secure.

When is the last time you checked the code for the open source app
that you "use", to make sure that it is written properly?

saqib
http://www.full-disk-encryption.net




On 1/18/07, Allen <[EMAIL PROTECTED]> wrote:


Saqib Ali wrote:
> Since when did AES-128 become "snake-oil crypto"? How come I missed
> that? Compusec uses AES-128 . And as far as I know AES is NOT
> "snake-oil crypto"

Saqib,

I believe you are correct as to the algorithm, but the snake-oil
is in the implementation,

As I have often said, "A misplaced comma in an English sentence
will merely get you a bad reputation as a writer, however, a
misplaced comma in a nuclear weapons project may leave an
enduring mark on the world."

>
> Closed-source doesn't mean that it is "snake-oil". If that was the
> case, the Microsoft's EFS, and Kerberos implementation would be "snake
> oil" too.

As I recall there have been a few problems with Kerberos in the past.

Best,

Allen

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to