On Jan 25, 2008, at 4:27 PM, Perry E. Metzger wrote:
> However, you should be very skeptical when someone claims that they
> "need" to use a home grown crypto algorithm or that they "need" to
> use a home grown protocol instead of a well proven one.

I'm beginning to suspect that more often than not, this nonsense is a
result of market forces rather than idiot technologists. In my
experience, senior decision-maker types outside of the computer
industry (and even within it, but perhaps a tad less so) are
sufficiently non-technical as to never have heard of Kerckhoffs'
principle -- and to disbelieve it when they do, since it opposes their
intuition of what makes for secure systems. Various companies (or
departments) then emerge peddling their home-grown crypto and
trumpeting the fact that it's proprietary as a feature, commonly going
hand in hand with stupidly large key sizes.

Some number of these muppets approached me over the last couple of
years offering to donate a free license for their excellent products.
I used to be more polite about it, but nowadays I ask that they Google
the famous Gutmann Sound Wave Therapy[0] and mail me afterwards.
I've never heard back.

[0] Last paragraph, http://diswww.mit.edu/bloom-picayune/crypto/14238
--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List