Snake oil (cryptography)
In cryptography, snake oil is a term used to describe commercial cryptographic methods and products which are considered bogus or fraudulent, and therefore insecure. The name derives from snake oil, one type of quack medicine widely available in 19th Century United States. Systems classified as snake oil typically employ ciphers with excessively large key lengths or which need no keys at all, or secret algorithms and devices that claim to solve all security problems.
Distinguishing secure cryptography from insecure cryptography can be surprisingly difficult from the viewpoint of a user; for example, the output of both weak and strong encryption methods will typically resemble gibberish. It is rarely possible to measure the security of an encryption method from its output alone; and even when there is a trivial way to crack an encryption method, there are few effective methods known for finding such a technique from the method's description.
Common characteristics
Certain characteristics are often viewed as signs of snake oil cryptography:
- Reliance on a secret algorithm, technique, or device. Criticism of this is twofold. First, a long-standing principle of cryptography, Kerckhoffs's principle, is that "the enemy knows the system". The argument rests on the observation that some secrets are inevitably compromised, so any secret in the system should be small and easily changeable: a key, rather than the algorithm itself. Second, secret methods are not amenable to public peer review and cryptanalysis.
- "Technobabble". A snake oil purveyor may offer a complicated description that is confusing, vague, or obscure, or that invokes previously unknown concepts or "breakthroughs". Since even descriptions of high-quality, very secure and legitimate cryptography can be complex and highly technical, bogus nonsense may be difficult to tell apart from the real thing.
- Modification of standard algorithms. Another sign of bad cryptography is the use of a well-known and trusted cryptographic method that has been "improved" or "hardened" in some ad-hoc (perhaps secret) way. There is a risk that arbitrary alterations can drastically weaken a cryptosystem.
- Very long key lengths (either as modifications to existing systems or in "clever" new ones). Assuming the underlying mathematics of common systems like AES and RSA is sound, their standard key lengths are already more than adequate. Longer keys provide no more practical security, and a long key will not fix the weaknesses of a poor underlying algorithm.
- The cryptosystem is described as "absolutely unbreakable". Only one encryption method, the one-time pad, has been mathematically proven unbreakable, and it is unbreakable only if several demanding conditions are met: the key must be truly random, at least as long as the message, kept secret, and never reused. Because of those conditions it is rarely used in practice. Many systems described as one-time pads are more accurately described as stream ciphers. However, the proof is tempting, and much snake oil cryptography is built around supposed one-time pad algorithms.
- Cryptosystems based on one-time pads for which the key material ('pads') is generated or expanded by the system, or provided by the vendor. The one-time pad always requires large amounts of truly random key material, which then has to be transferred securely to the recipient of the encrypted message. A truly random sequence cannot be reproduced independently, so a pad generated at both ends from a shared seed, rather than generated once and transferred, is the output of a deterministic generator and is not random: such a system is a stream cipher whose real key is the seed.
- The cryptosystem has facilities for recovering lost keys. If a legitimate user can recover a lost key, a sufficiently clever and determined attacker can use the same method, rendering every message encrypted under that key insecure. Even if the company or person who developed the cryptosystem keeps the recovery technique proprietary, it is extremely likely to be rediscovered. The only exceptions are secret sharing and key escrow schemes, and they are neither straightforward nor easy to implement securely. These schemes still do not recover completely lost keys; they merely distribute a secret to other parties in particular ways, so that "recovery" is really reassembly by the parties entrusted with the shares.
- The cryptosystem vendor/developer claims that 'standard' methods are insecure. Some widely used standard methods are indeed insecure in some circumstances, under certain conditions (some of which are believed to be hard for an attacker to bring about). That improper use of 'standard' cryptographic methods renders them insecure is unfortunate and reflects poorly on the state of the cryptographic art, but it does not make a vendor's alternative method secure, nor necessarily any better, or any good at all. This is an example of a widely used logically fallacious sales technique.
- The cryptosystem vendor/developer is unfamiliar with applicable legal restrictions. Governmental concern about the dangers of communication which cannot be known to security/intelligence personnel is a fact of cryptographic life. If the vendor/developer is innocent of this reality, one would be well advised to be wary of other cryptographic lacunae.
- The cryptosystem is described as "military grade" or "used by NSA", etc., without specifics. NSA does not discuss its systems with any commercial or private vendor, and it certainly does not permit any to sell them outside the government. NSA develops cryptosystems for the use of the US government (military, diplomats, etc.) and does not discuss them with or release them to others either. Similar constraints apply elsewhere (as in the case of the UK's GCHQ). In the case of such claims, the vendor/developer is uninformed, lying, or offering stolen government designs, which will involve their users in much unpleasantness when that fact is discovered.
- The cryptosystem is described as "foolproof". As the cryptographer Bruce Schneier has noted many times, "security is a process", and as is well known in cryptography and security circles, "a chain is only as strong as its weakest link". In a respectable cryptosystem the cryptographic algorithm is almost never the weakest link. Promoting a new cryptographic algorithm by wrapping it in a new "simple" cryptosystem shows a lack of understanding of how hard such a design is. If a simple, secure cryptosystem could be designed for some setting, it would be safer to build it around one of the well-established, analysed and tested algorithms (e.g., the Advanced Encryption Standard, also known as Rijndael) than around a novel cipher. To date, no cryptosystem is publicly known that cannot be misused by fools. Such a system might exist or be invented, but experience shows it would be very hard to design, and proving that a design is foolproof would be impossible, as it requires proving a negative.
- The cryptosystem is endorsed by "security experts", unknown or even anonymous, or by people who are not expert cryptographers (ex-hackers, business managers, etc.). Critics argue that cryptographic algorithms should be published and analysed in the academic literature. Endorsements without publication of the algorithms and of their analysis are essentially always mere sales babble. An athlete may well be able to use "his" brand of shoes on the field and be personally satisfied of their quality. However, a user of a cryptosystem who feels that he cannot break it has exactly the same evidence as one who feels that Japanese is unbreakable because he cannot read it. Some other person, who speaks Japanese, can.
- The cryptosystem relies on some neglected backwater of mathematical theory, and its cryptographic use of that theory is branded "revolutionary". While it is true that professional cryptographers often propose systems based on exotic mathematics, these are intended for academic discussion, not practical deployment. It is impossible to make honest assertions about the security of a cipher based on mathematics familiar to only a few researchers. The mathematics used for current cryptography is relatively well understood and well studied, so its future is less likely to hold unpleasant surprises. Cryptography based on mathematics that was once unfamiliar to practitioners (elliptic curves, or earlier the hardness of integer factorization) underwent years of study before professionals had enough confidence to use it in practical deployments.
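As an added illustration of three of the points above (very long keys, "unbreakable" one-time pads, and pads that the system generates at both ends), the following Python is example code written for this article, not any vendor's product. It models a hypothetical "one-time pad" product whose pad is expanded from a short passphrase with a counter-mode hash (`derive_pad`, an assumed design), and shows that (a) the pad's effective entropy is that of the passphrase, whatever the advertised pad length, so the passphrase can be brute-forced from one ciphertext and a plaintext crib; (b) because both ends regenerate the same pad, two messages share it and their XOR leaks plaintext; and (c) by contrast, a truly random single-use pad is consistent with every plaintext of the same length. The messages, passphrase and alphabet are constructed sample values.

```python
# Added example (not from the article): a "one-time pad" whose pad the system
# derives from a short passphrase is a stream cipher keyed by that passphrase,
# and its strength is that of the passphrase, however long the pad.
import hashlib
import itertools
import math
import os
import string
from typing import Optional, Tuple


def derive_pad(passphrase: bytes, length: int) -> bytes:
    """Hypothetical vendor pad generator: expands a passphrase into `length`
    bytes by hashing passphrase || counter. Both ends can regenerate it, which
    is exactly why it is not a one-time pad: the pad is a function of the seed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(passphrase + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def snake_oil_encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """'OTP' encryption as the hypothetical product does it: XOR with the derived pad."""
    return xor_bytes(plaintext, derive_pad(passphrase, len(plaintext)))


def effective_key_bits(alphabet: str, passphrase_len: int) -> float:
    """Entropy of the pad equals entropy of its seed, whatever the advertised pad length."""
    return passphrase_len * math.log2(len(alphabet))


def two_time_pad_leak(c1: bytes, c2: bytes, crib: bytes) -> bytes:
    """Pad reuse: c1 XOR c2 == m1 XOR m2, so a crib for the start of m1
    reveals the corresponding bytes of m2 without touching the key at all."""
    return xor_bytes(xor_bytes(c1, c2)[: len(crib)], crib)


def brute_force_passphrase(ciphertext: bytes, crib: bytes, alphabet: str,
                           length: int) -> Tuple[Optional[bytes], int]:
    """Recover the passphrase from one ciphertext plus a known-plaintext crib.
    Only the first pad block is needed per candidate. Returns (passphrase, tries)."""
    target = ciphertext[: len(crib)]
    tries = 0
    for cand in itertools.product(alphabet, repeat=length):
        tries += 1
        pw = "".join(cand).encode()
        if xor_bytes(crib, derive_pad(pw, len(crib))) == target:
            return pw, tries
    return None, tries


def real_otp_is_ambiguous(ciphertext: bytes, guessed_plaintext: bytes) -> bool:
    """With a truly random, single-use pad there is no seed to search: for ANY
    guessed plaintext of the same length there is a pad producing this
    ciphertext, so the ciphertext alone cannot rule the guess out."""
    candidate_pad = xor_bytes(ciphertext, guessed_plaintext)
    return xor_bytes(guessed_plaintext, candidate_pad) == ciphertext


# Constructed sample data (not real traffic).
ALPHABET = string.ascii_lowercase
PASSPHRASE = b"wolf"                      # 4 lowercase letters shared by both ends
M1 = b"Pay 4000 USD to account 7731"
M2 = b"Release the prisoner at dawn"     # same length, same "pad"
CRIB = b"Pay 4000"                        # attacker's guess at how M1 begins


def demo() -> dict:
    c1 = snake_oil_encrypt(PASSPHRASE, M1)
    c2 = snake_oil_encrypt(PASSPHRASE, M2)   # same passphrase => same pad
    recovered_pw, tries = brute_force_passphrase(c1, CRIB, ALPHABET, len(PASSPHRASE))
    return {
        "advertised_pad_bits": 8 * len(M1),                 # what the brochure says
        "effective_key_bits": effective_key_bits(ALPHABET, len(PASSPHRASE)),
        "m2_prefix_from_reuse": two_time_pad_leak(c1, c2, CRIB),
        "recovered_passphrase": recovered_pw,
        "tries": tries,
        "m2_decrypted": xor_bytes(c2, derive_pad(recovered_pw, len(c2))),
        "genuine_otp_ambiguous": real_otp_is_ambiguous(
            xor_bytes(M1, os.urandom(len(M1))), M2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Lengthening the pad (or the advertised "key") changes nothing in `brute_force_passphrase`: the search space is the passphrase alphabet, about 18.8 bits here against an advertised 224-bit pad, and the crib attack only needs the first hash block. The genuine one-time pad check passes for any guessed plaintext, which is the other side of the same coin: the security proof holds precisely because there is no seed to recover.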
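As an added example for the key-recovery point above (example code written for this article, not any product's implementation), here is Shamir's secret sharing over a prime field: a key is split into n shares with threshold k, any k shares reassemble it, and fewer than k shares are consistent with every possible key, so the holders of k-1 shares learn nothing. This is "recovery" only in the sense that the entrusted parties can reassemble the secret; a key whose shares were never distributed stays lost. The prime, the sample key and the 3-of-5 split are constructed choices.

```python
# Added example (not from the article): Shamir secret sharing, the kind of
# "key recovery" that distributes a secret rather than making it recoverable
# from nothing.
import secrets
from typing import List, Tuple

P = 2**521 - 1            # Mersenne prime; every secret must be an integer below P
Share = Tuple[int, int]   # (x, f(x)) with x != 0


def split_secret(secret: int, n: int, k: int) -> List[Share]:
    """Split `secret` into n shares, any k of which reconstruct it:
    f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1) mod P, with random a_i."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def interpolate(points: List[Share], x: int) -> int:
    """Value at `x` of the unique polynomial of degree < len(points) through
    `points` (Lagrange interpolation mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares: List[Share]) -> int:
    """Reassemble the secret (the constant term f(0)) from at least k shares."""
    return interpolate(shares, 0)


def share_consistent_with(partial: List[Share], x_missing: int, guess: int) -> int:
    """Given k-1 shares, return the value the missing share at `x_missing`
    would need so that the secret is `guess`. One exists for EVERY guess,
    which is why k-1 shares reveal nothing about the secret."""
    return interpolate([(0, guess)] + partial, x_missing)


# Constructed sample: a 256-bit key split 3-of-5 among five custodians.
KEY = bytes(range(32))
SECRET = int.from_bytes(KEY, "big")


def demo() -> dict:
    shares = split_secret(SECRET, n=5, k=3)
    recovered = recover_secret([shares[0], shares[2], shares[4]])   # any 3 suffice
    two_only = [shares[1], shares[3]]                                # below threshold
    wrong_guess = (SECRET + 12345) % P
    forged_fifth = share_consistent_with(two_only, x_missing=5, guess=wrong_guess)
    return {
        "recovered_key": recovered.to_bytes(32, "big"),
        "two_shares_give_key": recover_secret(two_only) == SECRET,
        "two_shares_plus_forged_fifth_give_guess":
            recover_secret(two_only + [(5, forged_fifth)]) == wrong_guess,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry of `demo` is the point: holders of two shares can find, for any secret they like, a fifth share that makes it the answer, so their two shares carry no information about the real key. Contrast this with a product that "recovers" a lost key from nothing: whatever that product computes, an attacker can compute too.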