Search390.com Web Enabling Tip May 16, 2001
========================================================
TODAY'S WEB ENABLING TIP:
========================================================

Is Encrypt-o-matic MoJo (powerful magic) or snake oil?

By Jim Keohane

This is for the "Big Iron" folks out there. No, not Heavy Metal. Big Iron! You were brought up in an OCO (object code only) world where vendors seldom supplied source code to their products. Mainframe vendors typically divulge very little of the inner workings of their products. Now your web-enablement plans call for privacy and security measures when communicating with the outside world, and you investigate the myriad data-scrambling products on the market. Beware any product that claims unbreakable but proprietary encryption algorithms!

From http://www.dictionary.com:

snake oil (n). A worthless preparation fraudulently peddled as a cure for many ills. Speech or writing intended to deceive; humbug. Any of various liquids sold as medicine (as by a traveling medicine show) but medically worthless.

In cryptography circles "snake oil" refers to products, services and claims that may initially impress but, after careful examination, are found wanting. Mainframers, in my experience, are somewhat more prone to accept such exaggerated claims at face value. Here are some assertiveness training steps to take when approached by a vendor of encryption products:

1. Ask what encryption algorithms are used. If told they are proprietary, send the vendor packing.
He is asking you to place your trust in him rather than in published algorithms that have been pounded upon by the world's best cryptanalysts and found to be computationally unbreakable*. Remember, if users of the vendor's software become a worthwhile target, attackers will certainly disassemble the software and recover the underlying logic; a secret algorithm stays secret only until the first motivated adversary shows up. If the enemy can figure out the logic, what reason can the vendor have for keeping it from the customer? This is Kerckhoffs's principle: a system must remain secure when everything about it except the key is public.

2. Ask to see the encryption source code. The vendor may demur, saying that the source, even though it implements a known algorithm, is hand-tuned for performance and must stay secret. In that case you should at least be able to run his software alongside an independent implementation of the same algorithm and confirm identical results: feed both the same key and plaintext (the published test vectors for the algorithm are the obvious choice) and compare the ciphertext byte for byte. You can also ask for non-optimized source code that can be tested standalone or dropped into the full product in place of the optimized code.

3. Ignore claims of "my key size is bigger than theirs." A larger key does make brute-force search (many dedicated, powerful computers working in tandem) less feasible. However, current public algorithms are secure enough with reasonable key sizes: 128 to 256 bits for symmetric (secret-key) ciphers, and for RSA-style public keys 1024 bits as the working minimum (512-bit RSA moduli have already been factored publicly, in 1999), with 2048 bits for keys that must last years. Beyond that, increasing key size just wastes CPU. A serious attacker does not brute-force the key; he attacks the implementation, the key management or the protocol around it, and no key size helps there.

4. Show obfuscators the door. If the salesperson is heavy on buzzwords and short on clear explanations, be cautious. Go to all meetings accompanied by a seeing-eye crypto-geek.

5. Cast a jaundiced eye towards contests and challenges. The vendor may point to a limited period during which a prize, often very sizable, was offered to anyone who could break their encryption. No winners, he brags. Examine closely the parameters of the contest.
Known algorithms that have survived the test of time (years, not weeks) have been found secure even when (1) the algorithm is public, (2) the attacker knows, or can even choose, the original cleartext, (3) the attacker sees the corresponding ciphertext, and (4) some information about the key is known. Contrast that with a so-called hacker challenge that sets a short contest length and provides only the encrypted text. A weak cipher would also survive a challenge under those rules, because the contestant is denied the known plaintext (protocol headers, standard documents, predictable fields) that a real attacker routinely has.

Here's the JimKeo Hacker Contest. Prize is One Million Pazoozas, ah yes! Encrypted ciphertext is "now is the time for all good". What was the original cleartext? What was the algorithm? What was the key? Contest ends soon. Give up?

When Joe Isuzu shows up at your door lauding his revolutionary new encryption software, just do like Beatle John Lennon and say "OCO? NO-NO!"

For extra credit:
Visit http://www.counterpane.com/crypto-gram-9902.html#snakeoil.
Visit http://www.interhack.net/people/cmcurtin/snake-oil-faq.html.
Visit http://www.counterpane.com/crypto-gram-9812.html#contests.

*Computationally unbreakable means the encryption can be broken in principle, but only by using an inordinate number of powerful computers over an unacceptably long period.

Jim Keohane ([EMAIL PROTECTED]) is president of New York consulting company Multi-Platforms, Inc. His company specializes in commercial software development/consulting with emphasis on cross-platform and performance issues.

=======================================================
DID YOU LIKE THIS TIP?
Why not let us know? Email your comments to mailto:[EMAIL PROTECTED], or scroll to the bottom of http://ttcma.techtarget.com/ttCMAv2/Production_Center/Preview_Form_v2/1,2563,,00.html
You can also visit our tips page and submit one of your own: http://search390.techtarget.com/tipsIndex/0,289482,sid10_tax286022,00.html.
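The JimKeo contest and step 5 of the tip above argue that a ciphertext-only challenge is not evidence of strength. The following is an added example, not code from the tip or from any vendor it describes. It uses a hypothetical "proprietary" cipher (XOR with a short repeating key, a classic snake-oil construction) and constructed keys and messages. It shows both halves of the argument: handed a lone ciphertext and nothing else, a contestant cannot even check a guess, because any candidate plaintext of the same length is consistent with some key, so the contest is unwinnable regardless of the cipher's quality; but one known plaintext, the condition a real attacker usually has, recovers the key and every other message sent under it.

```python
"""Why a ciphertext-only 'hacker challenge' proves nothing.

The cipher below is a hypothetical stand-in for an undisclosed
proprietary algorithm: it XORs the message with a repeating key.
Every key and message in this file is constructed for the example.
"""
from itertools import cycle


def vendor_encrypt(key: bytes, message: bytes) -> bytes:
    """Hypothetical 'proprietary' cipher: XOR with a repeating key.
    Decryption is the same operation applied to the ciphertext."""
    if not key:
        raise ValueError("empty key")
    return bytes(m ^ k for m, k in zip(message, cycle(key)))


vendor_decrypt = vendor_encrypt


def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Contest-style evidence: given ONLY a ciphertext, any claimed
    plaintext of the same length is explained by some key of that length
    (here: the XOR of the two).  A contestant therefore has nothing to
    verify a guess against, and the vendor can never lose."""
    if len(ciphertext) != len(claimed_plaintext):
        raise ValueError("length mismatch")
    return bytes(c ^ p for c, p in zip(ciphertext, claimed_plaintext))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack (step 5, conditions 1 to 3): one message whose
    plaintext is known yields the repeating key directly, provided the
    message is at least key_len bytes long."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def break_with_known_plaintext(ciphertexts, known_index, known_plaintext, key_len):
    """ciphertexts: messages all encrypted under the same secret key.
    Recover the key from the one known message and decrypt the rest."""
    key = recover_key(known_plaintext, ciphertexts[known_index], key_len)
    return key, [vendor_decrypt(key, c) for c in ciphertexts]


# ---- Constructed demonstration data (not real traffic) -----------------
SECRET_KEY = b"pazoozas"  # the 8-byte key the vendor keeps 'secret'
PLAINTEXTS = [
    b"now is the time for all good mainframers",  # a predictable header
    b"to come to the aid of their web servers",
    b"wire transfer 1000000 to account 12345",
]
CIPHERTEXTS = [vendor_encrypt(SECRET_KEY, p) for p in PLAINTEXTS]


def demo():
    """Return (recovered key, all plaintexts) using only the first
    message's known plaintext; the contest-style check is done inline."""
    # The 'contest': ciphertext only.  Two contradictory guesses are both
    # consistent with it, so nobody can claim the prize either way.
    contest_ct = CIPHERTEXTS[2]
    for guess in (b"wire transfer 1000000 to account 12345",
                  b"wire transfer 0000001 to account 99999"):
        assert vendor_encrypt(key_explaining(contest_ct, guess), guess) == contest_ct
    # Reality: the attacker knows one message (a standard header) and
    # gets the key, and with it the wire-transfer message, for free.
    return break_with_known_plaintext(CIPHERTEXTS, 0, PLAINTEXTS[0], len(SECRET_KEY))


if __name__ == "__main__":
    key, recovered = demo()
    print("recovered key:", key)
    for m in recovered:
        print(m.decode())
```

The same structure applies to a real evaluation: ask the vendor to show that the product holds up when you supply the plaintext, not merely when you are handed a ciphertext and a deadline.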
========================================================
Additional Resources:
========================================================

* For a list of the latest Web enabling tips on Search390.com, go to http://search390.techtarget.com/tipsIndex/0,289482,sid10_tax286022,00.html

* Got a specific Web integration question? Why not try to stump our expert at http://search390.techtarget.com/ateQuestion/0,289624,sid10_tax285032,00.html

* What technical issues are important to you? Do you have an idea or a tip you'd like to share with other S/390 pros? Let us know. E-mail us at mailto:[EMAIL PROTECTED].

* Do you have a time-saving shortcut, trick, or hint that you want to share with other 390 pros? Then send it to us! search390 is having a tips contest. Here's how it works: tips are tallied after the last day of every month. The winning Tip of the Month is based on the highest average rating (as rated by registered search390.com users), the number of votes, and final assessment by our panel of experts. The winning tip's author will receive a Palm Vx. So what are you waiting for? Send us that tip! http://search390.techtarget.com/tipsSubmit/1,289485,sid10,00.html

========================================================
The Learning Zone Related Book
========================================================

Learn Encryption Techniques with Basic and C++
By Gil Held
http://www.digitalguru.com/dgstore/product.asp?isbn=1556225989&ac_id=54

Encryption is the process of encoding a message so that it is not easily readable by anyone but the intended recipient. Learn Encryption Techniques with BASIC and C++ provides readers with a step-by-step examination of the development of encryption techniques from the Caesar cipher through modern-day public-key and private-key encryption methods. Numerous encryption techniques are first explained in detail, followed by the development of program modules that illustrate how the data is encoded. The program modules are then used to develop Windows-based programs that illustrate encryption and decryption of data. Thus, this book provides experienced programmers and developers with detailed, practical, hands-on information and coding examples that illustrate how messages, files and notes can be protected with different levels of security.
