Schneier on Security

In the field of cryptography, a secretly planted “backdoor” that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn’t mean cryptographers don’t appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others—in stealth, deniability, and even in protecting the victims’ privacy from spies other than the backdoor’s creator.

In a paper titled “Surreptitiously Weakening Cryptographic Systems,” well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy’s view to the problem of crypto design: What kind of built-in backdoor surveillance works best?…

For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.

PRNGs generate numbers based on a variety of factors, such as a user’s mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key. PRNGs fail, insists Schneier, because hackers can intercept the entropy source and thus predict the output. His response is Yarrow, a new PRNG with an expanded source that creates a larger, less predictable pool. “We’ve added new randomness,” says Schneier of Yarrow’s unique entropy pool, “like radio noise, arrival times of network packets, and disk-drive latency. Even if the source is turned off,” he says, “it still works.”…

A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.

Twofish, the sequel to Schneier’s 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.

Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a “secret key” and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware…

Listen to security expert and consultant Bruce Schneier and he’ll tell you that Windows NT’s security mechanism for running virtual private networks is so weak as to be unusable. Microsoft counters that the issues Schneier points out have mostly been addressed by software updates or are too theoretical to be of major concern.

Schneier, who runs a security consulting firm in Minneapolis, says his in-depth "cryptanalysis" of Microsoft’s implementation of the Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed security techniques that dramatically compromise the security of company information…

When Thomas Paine published Common Sense in 1776 – arguing that the American cause was not merely a revolt against unfair taxation, but a demand for independence – he had no idea that more than 200 years later, the struggle for freedom would be waged between privacy advocates and the national-security establishment. This time, the dispute is over not taxation without representation, but communication without government intervention.

One of today’s crypto revolutionaries is Bruce Schneier, the neatly dressed, ponytailed author of Applied Cryptography…