x
Home
Search
Topics
Almanac
Science
Nature
People
History
Society
Signup
Login
HOME
TOPICS
ALMANAC
SCIENCE
NATURE
PEOPLE
HISTORY
SOCIETY
PHILOSOPHY
Snake oil (cryptography)
Topic Home
Discussion
0
Encyclopedia
In cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

, snake oil is a term used to describe commercial cryptographic methods and products which are considered bogus or fraudulent. The name derives from snake oil
Snake oil
Snake oil is a topical preparation made from the Chinese Water Snake , which is used to treat joint pain. However, the most common usage of the phrase is as a derogatory term for quack medicine...

, one type of quack medicine widely available in 19th century
19th century
The 19th century was a period in history marked by the collapse of the Spanish, Portuguese, Chinese, Holy Roman and Mughal empires...

 United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...

.

Distinguishing secure cryptography from insecure cryptography can be difficult from the viewpoint of a user. Many cryptographers, such as Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...

 and Phil Zimmermann
Phil Zimmermann
Philip R. "Phil" Zimmermann Jr. is the creator of Pretty Good Privacy , the most widely used email encryption software in the world. He is also known for his work in VoIP encryption protocols, notably ZRTP and Zfone....

, undertake to educate the public in how secure cryptography is done, as well as highlighting the misleading marketing of some cryptographic products.

The Snake Oil FAQ describes itself as, "a compilation of common habits of snake oil vendors. It cannot be the sole method of rating a security product, since there can be exceptions to most of these rules. [...] But if you're looking at something that exhibits several warning signs, you're probably dealing with snake oil."

Some examples of snake oil cryptography techniques

This is not an exhaustive list of snake oil signs. A more thorough list is given in the external articles linked in the section below.

Secret system : Some encryption systems will claim to rely on a secret algorithm, technique, or device; this is categorized as security through obscurity
Security through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...

. Criticisms of this are twofold: first, a long-standing principle, Shannon's Maxim, states that "the enemy knows the system" and that secrecy does not afford the user any advantages. Secondly, secret methods are not open to public peer review
Peer review
Peer review is a process of self-regulation by a profession or a process of evaluation involving qualified individuals within the relevant field. Peer review methods are employed to maintain standards, improve performance and provide credibility...

 and cryptanalysis
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...

 and so potential mistakes and insecurities can go unnoticed for great lengths of time.

Technobabble : Snake oil salespeople may use "technobabble
Technobabble
Technobabble , also called technospeak, is a form of prose using jargon, buzzwords, esoteric language, specialized technical terms, or technical slang that is incomprehensible to the listener...

" to sell their product since cryptography is a complicated subject.

"Unbreakable" : Claims of a system or cryptographic method being "unbreakable" are almost always false, and are generally considered a sure sign of snake oil.

One-time pads : One-time pad
One-time pad
In cryptography, the one-time pad is a type of encryption, which has been proven to be impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key of the same length as the plaintext, resulting...

s are a popular cryptographic method to invoke in advertising, because it is well known that one-time pads, when implemented correctly, are genuinely unbreakable. The problem comes in implementing one-time pads, which is rarely done correctly. Cryptographic systems that claim to be based on one-time pads are considered suspect, particularly if they do not describe how the one-time pad is implemented, or they describe a flawed implementation.

Unsubstantiated "bit" claims : Cryptographic products are often accompanied with claims of using a high number of bits for encryption, apparently referring to the key length used. However key lengths are not directly comparable between symmetric and asymmetric systems. Furthermore, the details of implementation can render the system vulnerable. For example, in 2008 it was revealed that a number of hard drives sold with built in "128-bit AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...

 encryption" were actually using a simple and easily defeated "XOR" scheme. AES was only used to store the key, which was easy to recover without breaking AES.

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
Silverdale Interactive © 2026. All Rights Reserved.
 
x
OK