I actually applaud auditors for wanting to know this information! It's
something they should know.
The irony is that auditors don't like to disclose information about the
tools they use to perform audits. In a lot of cases, they have built or
purchased tools which are based on known encryption algorithms, and they
can't run the tools without knowing a client's algorithm.
The safety of passwords does not (nor should it) depend on others not
knowing the process used. This is known as "security by obscurity" and
everyone knows that doesn't work!
The "security by obscurity" point tends to be misused a lot. It is usually
raised by vendors who have encryption APIs for various language
environments, brute-force tools, tools which are used to expose weaknesses
in encrypted streams, tools which perform encryption and decryption.
Again, there is a huge industry based on products and services which rely
on the use of "known" algorithms. That includes promoters of conferences
where scientists expose weaknesses in known algorithms, and governments
which "need" to decipher encrypted streams using methods based on known
algorithms.
They have a point to a degree. Prior to the use of known algorithms, there
were a lot of amateurs that produced weak algorithms. But there are cases
where security is enhanced by experts developing unknown algorithms.
There is no way to prevent someone from "learning" how a program does what
it does.
The typical way of "learning" or "breaking" an algorithm is to repeatedly
push "known" streams through an encryption process and look for patterns
which can be viewed graphically. Begin with null streams, and work your way
through other character streams. Weak algorithms produce symmetrical
patterns. Strong algorithms produce random looking patterns.
The case against using known algorithms is simple, and algebraic. If C is a
product of A and B, and A and B are known, then you have a better
opportunity of discovering C.
Brute force techniques rely on known algorithms.
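An added example (not the poster's code) of the null-stream check described in the post, in Python: a constructed repeating-key XOR cipher stands in for a weak algorithm, a SHA-256 counter keystream stands in for a strong one, and the repeated-block ratio is the "pattern" being measured. Both ciphers and the 16-byte block size are assumptions made for illustration.

```python
import hashlib


def weak_xor_cipher(data: bytes, key: bytes) -> bytes:
    """Constructed weak algorithm: repeating-key XOR (illustration only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for a strong algorithm: XOR with a keystream made of
    SHA-256(key || counter) blocks. Assumed here for contrast, not a
    recommendation for production use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def repeated_block_ratio(ct: bytes, block_size: int) -> float:
    """Fraction of ciphertext blocks that duplicate some other block.
    Near 0.0 means random-looking output; near 1.0 means the input
    structure shows straight through."""
    usable = len(ct) - len(ct) % block_size
    blocks = [ct[i:i + block_size] for i in range(0, usable, block_size)]
    if not blocks:
        return 0.0
    return 1.0 - len(set(blocks)) / len(blocks)


def pattern_test(cipher, key: bytes, stream_len: int = 4096,
                 block_size: int = 16) -> float:
    """Feed a null stream through `cipher` and measure repetition in the
    output, as the post describes for the first probe."""
    null_stream = bytes(stream_len)  # "begin with null streams"
    return repeated_block_ratio(cipher(null_stream, key), block_size)


if __name__ == "__main__":
    key = b"secret!!"  # constructed sample key
    # The XOR cipher leaks its key as a fixed repeating pattern; the
    # keystream cipher shows no repeated blocks at all.
    print("weak  :", round(pattern_test(weak_xor_cipher, key), 3))
    print("strong:", round(pattern_test(keystream_cipher, key), 3))
```

Swapping the null stream for other constant streams (all "A", for example) repeats the probe for the later steps the post mentions.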