The Doghouse: Xavety

It's been a long time since I doghoused any encryption products. CHADSEA (Chaotic Digital Signature, Encryption, and Authentication) isn't as funny as some of the others, but it's no less deserving.

Read their "Testing the Encryption Algorithm" section: "In order to test the reliability and statistical independency of the encryption, several different tests were performed, like signal-noise tests, the ENT test suite (Walker, 1998), and the NIST Statistical Test Suite (Ruhkin et al., 2001). These tests are quite comprehensive, so the description of these tests are subject of separate publications, which are also available on this website. Please, see the respective links."

Yep. All they did to show that their algorithm was secure was a bunch of statistical tests. Snake oil for sure.

Posted on March 15, 2005 at 11:00 AM • 6 Comments
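
Why passing statistical tests says nothing about security, as an added example that is not part of the original post and is not Xavety's algorithm: a constructed toy cipher with a 16-bit key whose ciphertext scores well on ENT-style entropy and chi-square measures and on the bit-frequency measure, yet falls to exhaustive key search. Every function name, the sample plaintext and the key are made up for this illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed toy cipher, NOT Xavety's algorithm: keystream = SHA-256(key || counter)
# with a 16-bit key. The output looks random; the key space is trivially small.
def keystream(key: int, n: int) -> bytes:
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key.to_bytes(2, "big") + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def crypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (the ENT headline number); 8.0 is ideal."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square over byte counts; about 255 for uniform bytes."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits, the quantity behind the NIST frequency (monobit) test."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Exhaustive search over all 2**16 keys using a known plaintext prefix."""
    head = ciphertext[: len(known_prefix)]
    for k in range(1 << 16):
        if crypt(k, head) == known_prefix:
            return k
    return None

# Constructed sample input: highly redundant plaintext under a secret 16-bit key.
PLAINTEXT = b"CONFIDENTIAL: " + b"A" * (1 << 18)
CIPHERTEXT = crypt(0xBEEF, PLAINTEXT)

if __name__ == "__main__":
    print("entropy bits/byte:", round(byte_entropy(CIPHERTEXT), 4))
    print("chi-square       :", round(chi_square(CIPHERTEXT), 1))
    print("fraction of ones :", round(ones_fraction(CIPHERTEXT), 4))
    print("recovered key    :", hex(recover_key(CIPHERTEXT, b"CONFIDENTIAL: ")))
```

The statistics measure only how the output is distributed; they are blind to key size, structure and every other property an attacker would actually use.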

Comments

Arik • March 15, 2005 12:40 PM

How can you say that?! They use "the chaos function of the Logistic Equation"! How can that not be secure?

-- Arik

Israel Torres • March 15, 2005 12:48 PM

A lot more could be said by simply exposing their algorithm and implementation of said algorithm.

In fact no idea why crypto companies that sell "snake oil" (who don't wish to be labeled as such) don't disclose this on their front page...

Israel Torres

Timm Murray • March 15, 2005 1:29 PM

On their 'Limitations' page (http://www.xavety.com/Limitation.htm):

"Starting with a bit-length of 56 in 1978, nowadays a bit-length of 1024 at least is recommended. The 576-bit key version (RSA-576) has been broken recently (RSA [1]) by a team (J. Franke and T. Kleinjung) at the German Federal Agency for Information Technology Security, BSI."

Classic handwaving over the difference between linear and exponential growth.

However, I think we can learn something from their approach to advocacy. On their homepage:

"Our Xavety-Law encryption software allows lawyers to operate under the rules of ethical conduct. Law firms using our encryption technology effectively distinguish their firm from others who do not."

While their product may be snake-oil, advocating the practical benefits of encryption in a way that talks to business people (such as the above) is something the security community at large should be doing more.

Anonymous • March 15, 2005 4:50 PM

Aren't fractal systems with their inherent recursions viable candidates for cryptography nevertheless? They've been studied for decades and have useful properties for cryptography. While I wouldn't even encrypt spam mail with a poorly- or unknown algorithm, what is being done to evaluate new principles underlying encryption? I'd like to see some news not just about broken hashes and new standards, but also about significant research work. Couldn't hurt to throw the occasional noteworthy publication at people with just amateur curiosity in cryptography like me - even if it's only the abstract I understand.

Rich • March 17, 2005 8:26 AM

"the solution domain of possible variations cannot be checked by no machine within universe's lifetime"

That's sure not no double negative.
