Essays Tagged "Information Security"

Page 4 of 4

Why the Worst Cryptography is in the Systems that Pass Initial Analysis

  • Bruce Schneier
  • Information Security
  • March 1999

Imagine this situation: An engineer builds a bridge. It stands for a day, and then collapses. He builds another. It stands for three days, and then collapses. Then, he builds a third, which stands for two weeks but collapses during the first rainstorm. So he builds a fourth. It’s been standing for a month, and has survived two rainstorms. Do you believe this fourth bridge is strong, secure and safe? Or is it more likely just another accident waiting to happen?

As bizarre as it may seem, this kind of design process happens all the time in cryptography, a field that is full of people who love to design their own algorithms and protocols. With so many aspiring cryptanalysts out there, however, there’s bound to be a lot of weak designs. The problem is this: Anyone, no matter how unskilled, can design an algorithm that he himself cannot break. Though a competent cryptanalyst can break most of this stuff after a short review, the rest of it survives, and in most cases is never looked at again (especially outside the military world). But just because an algorithm survives an initial review is no reason to trust it…

The 1998 Crypto Year-in-Review

  • Bruce Schneier
  • Information Security
  • December 19, 1998

1998 was an exciting year to be a cryptographer, considering all the developments in algorithms, attacks and politics. At first glance, the important events of the year seem completely unrelated: done by different people, at different times and for different reasons. But when we step back and reflect on the year-that-was, some common threads emerge—as do important lessons about the evolution and direction of cryptography.

New Algorithms

In June, the NSA declassified KEA and Skipjack. KEA is a public-key Key Exchange Algorithm, while Skipjack is a block cipher first used in the ill-fated Clipper Chip. The NSA wanted Fortezza in software, and the only way they could get that was to declassify both algorithms…

WORD IN EDGEWISE: Scrambled Message

Key recovery is like trying to fit a square peg into a round hole. No matter how much you finagle it, it's simply not going to work.

  • Bruce Schneier
  • Information Security
  • October 19, 1998

In the September issue of Information Security, Commerce Undersecretary William Reinsch suggests that U.S. crypto export policy hinges on the concept of “balance” (Q&A: “Crypto’s Key Man”).

For key recovery policy to be successful, he argues, it must achieve a balance between privacy and access, between the needs of consumers and the requirements of the law-enforcement community.

For those who have followed the key recovery debate, Reinsch’s comments will have a familiar ring. Ever since the Clipper chip first made headlines in 1993, the crypto community has debated the notion of key recovery (or key escrow, or data recovery, or trusted third party or any other marketing term used to describe the same concept)…

Sidebar photo of Bruce Schneier by Joe MacInnis.