And how would one expose the interface without exposing the algorithm?
Hosting an encryption web service came to mind. If network latency were a
concern, then maybe people could gather physically at a trusted site and be
given credentials to run analysis (hacking tools) on a server.
But how is that server secured?
Issue credentials. Grant authorities.
How do we know that they are of the highest competence? How do we know they
are of the highest integrity?
The question is whether an algorithm is easy, hard, or impossible to break?
Break in this context means discovering/disclosing the algorithm, which is
what you're advocating for in the first place. Have hackers report findings
and opinions. What did their tools and analysis reveal? I'm not sure
competency is relevant, but competency could be scored based on what the
hacking tools reveal (how hard an algorithm is to break).
how do we know that they haven't willfully,
reluctantly, or inadvertently put a backdoor into an otherwise
mathematically strong implementation?
Ironically, years ago the U.S. government pushed for mandatory back doors
into encryption algorithms sold outside the states. As far as I know, that
was never legislated.
A number of factors make back-doors impractical:
I don't think back doors are possible with strong, key-based algorithms,
unless the algorithm stores every key passed to it, and includes a
reference to it in the encrypted streams returned. Someone is likely to
figure that out.
Developers of the back-doors, wouldn't necessarily have access to your
system nor your data, and they did, they could be prosecuted for that, in
addition to fraud.
For those who have ever lost keys, they wished there had been a back door.
If we can't see that implementation for ourselves, how do we know?
The same question is often asked in regards to open-source software vs.
closed source. There are trade-offs.
midrange.com
