“Impossible!” the man exclaimed, “I designed that encryption myself! No one can break it as fast as you claim!” I am John Tränkenschuh, a CISSP-ISSAP with 24 years of experience in Information Security.
When asked to blog on cryptography, I reviewed the Cryptomathic website. I'm impressed. They get it. Cryptography is little more than an academic project if we don't consider the businesses increasingly pressured to implement cryptographic systems, systems once left to world governments and spy agencies. Yet who gets to make these work? What can go wrong?
Why do crypto projects fail, and fail so often? After a few decades surviving them, I've narrowed many of the problems down to five very basic faults that cause cryptography implementations to fail. Maybe my findings are wrong, or possibly misguided? Please register your feedback at the website. Until we professionals better understand why sophisticated projects like these fail, we risk losing the customers early.
Failure Defect #1: Obscurity Is All That is Needed.
The most maddening thing about professional cryptographers is their ability to make cryptography look so easy. Soon, everyone wants to be an amateur cryptographer.
Why do we need to pay such money when I can do it myself?
And if I use a few libraries without paying licensing costs, no one will ever know.
And that is the problem. Until a hacker quickly deciphers that list of credit card numbers on the company website, management trusts the data is secure because it's “encrypted”. Until your commercial product is proven to violate licenses, your company thinks encryption is free and easy.
Until an organization has encryption standards and an actual encryption strategy, crypto projects, purchased systems, and new cryptography “skunkworks” are likely to fail. It's such a basic problem that few are aware of its existence. Only seasoned consultants can lead you out of these problems.
In the series of follow-up blogs, we'll explore the other defects that make cryptography fail. And while you may be tempted to assume that each defect has a single solution, that short-sighted analysis skips the Gestalt of the situation. Is the answer as simple as hiring cryptography experts? Yes. And no. For now, assume the answer begins with hiring a company with highly credible cryptographers. And now realise that so much more remains.
References and Further Reading
- Selected articles on Key Management (2012-16), by Ashiq JA, Chuck Easttom, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Matt Landrock, Peter Landrock, Steve Marshall, Torben Pedersen and more
- Modern Cryptography: Applied Mathematics for Encryption and Information Security (2015), by Chuck Easttom
Photo: Linux password file courtesy of Christiaan Colen (CC BY-SA 2.0)