On CryptographyThe focus on key length obscures the failures of cryptography
By Gary Hinson
Should companies continue sinking yet more money into cryptography? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that cryptography is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's obsessive fascination with crypto serves to obscure greater failings in security design.
In order to understand my argument, it's useful to look at cryptography's successes and failures. One area where crypto doesn't work very well is health. We are forever trying to secure health records using encryption. We apply the very finest mathematical and statistical trickery known to Man to scramble them beyond comprehension. But then medics go and decrypt them in order to use them, callously undoing our good work! What is it with this people? Don't they realize that plaintext health records can be read by anyone? Couldn't they at least give hexadecimal a go? There's a lot to be said for doctors hand-writing their notes, in Latin, with a quill.
Similarly, cryptography is an abstract "benefit" that gets in the way of using and enjoying the Internet. Good cryptographic practices might protect me from a theoretical attack by a marauding horde of keyboard-tapping monkeys at some time in the future, but they’re a bother right now, and I have more fun things to think about than how many rounds of Ess- and Pee-boxes are necessary. No one except cryptographers actually read and comprehend new cryptographic algorithms; for the rest of us, it's much easier to just click "OK" and start chatting with our friends. In short: crypto is not for Joe Public.
One reason crypto remains the domain of egg-heads is that cryptographers do their level best to make sure it is a dark, mysterious, magical art. We can train anyone in the basics -- even software developers -- with a simple reward mechanism: increase the key by one bit, double the effort required to brute force it. But instead we imply that crypto is not quite so easy. With smoke and mirrors, we seed those little germs of doubt. Is 'one more bit' enough? How many bits do you really need? Is each new bit worth the same as all those old bits? If you have too many bits, will you go to pieces? Is it your fault if someone breaks my beautiful algorithm by circumventing the random number generator that you thought was quietly factoring the least significant figures of pi?
Training laypeople in cryptography also isn't very effective: why is it that laypeople and IT professionals alike seem unable to make perfectly straightforward decisions concerning obscure parameters on oh-so-elegant algorithms when configuring their systems and browsers? Are they simply thick or are they being deliberately obstructive? Turns out that it's a bit harder than one might think to teach ordinary mortals advanced theoretical mathematics. We can't expect every motherf to have the knowledge of a cryptographer and we certainly can't expect him to become a crypto-expert when most of the advice he's exposed to comes from cryptographers' blogs. In cryptography, too, a lot of so-called expert advice comes from companies with products and services to sell, some of it good, some of it ... fantastic, according to their marketing anyway.
Talking of which, one area of cryptography that has been a tremendous commercial success is churn. Why release a cryptographic system that is provably secure for a zillion years when we can fool everyone into adopting a crippled variant that will fail within ten? Even better, let's publish its inner workings in explicit detail, and fund a ravenous mob of cryptanalysts to smash it to pieces in public like the statue of a deposed dictator so there is no choice but to deprecate it, discard an entire generation of broken software and replace it ... with ... something based on ... the next crippled variant. This points to a possible way that cryptography can succeed. Instead of trying to design ever more fantastically convoluted and beautiful machines, perhaps we ought to focus our efforts on making them usable and maintainable by ordinary mortals, greasy oiks armed with monkey wrenches instead of PhDs in astrophysics.
On the other hand, we still have trouble teaching some cryptographers to wash -- even though it’s easy, fairly effective, and simple enough to explain if we used diagrams with numbers. Notice the difference, though. The risks of cryptographic failure are huge, and the cause of the failure is obvious. The risks of not washing are low, and it’s not easy to prove personal hygiene is necessary in a formal model. Some might claim that the world of cryptography stinks. Is it any wonder that cryptographers are shunned by security architects?
Another illustration of the outright failure of cryptography is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test to be allowed to drive a car. We're even allowed to fill up by ourselves and some of us maintain our own vehicles. One reason that works is because we have car manuals with exploded parts lists and step-by-step instructions. Even though the technology of driving has changed dramatically over the past century, we don't have to worry ourselves over transposition functions and matrix algebra. You might have learned to drive and service a vehicle 30 years ago, but that knowledge is still relevant today. What use is a DES-expert now, eh? Triple-DES was the beginning of the end of that era. "It's no use," I told them, "hanging on to the thought of quad-DES. It's over I tell you, over."
To those who think that cryptography is a good idea, I want to ask: "Have you ever met an actual cryptographer, in the flesh?" They're not human, and we can’t expect them to become human. They inhabit a bizarre world populated by people called Alice and Bob who insist on chatting about their most personal secrets on phone lines despite knowing they are being tapped.
Even if we could invent a provably-effective cryptographic system (don't laugh - it has already been done), there's one last problem. Malware prevention training works because affecting what the average person does is valuable. Even if only half of the population practices safe hex, those actions dramatically reduce the spread of worms and Trojans. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, that's four-fifths who can thumb their noses at the bad guys. But there's no such thing as a four-fifths broken cryptosystem. Its all-or-nothing with crypto - a teeny weeny bit too little entropy and they fail spectacularly. As long as we continue to build cryptosystems with built-in-obsolescence, key escrow, raising the 'number of bits' won't make them more secure. It's the magician's diversion.
The whole concept of bit-length being a measure of the strength of cryptography demonstrates how the cryptographic industry has failed. We should be designing cryptosystems that don't care if users choose lousy passwords and don't mind what links a user clicks on. We should be designing cryptosystems that are provably unbreakable, not provably broken. And we should be spending money on personal hygiene for cryptographers. These are people who, with patience and understanding, can be taught the necessary skills in a safe changing-room environment, and this is a situation where reduced odor correlates with increase security.
If cryptographers would only do their job right, then IT users and administrators would not have to worry about the number of bits or "how complex is complex". Alice and Bob wouldn't have to plan on replacing their systems yet again because Eve knows their innermost secrets. That makes a whole lot more sense.
Gary Hinson is a cynic with a sense of humour (with a you). He researches and writes cost-effective security awareness materials by day and pragmatic books on security metrics by night. Despite appearances, he actually values cryptography, respects cryptographers and is simply reacting instinctively to a poke in the ribs from one of his idols.