|
I actually applaud auditors for wanting to know this information! Its
something they should know.
The irony is that auditors don't like to disclose information about the
tools they use to perform audits. In a lot of cases, they have built or
purchased tools which are based on known encryption algorithms, and they
can't run the tools without knowing a client's algorithm.
The safety of passwords does not (nor should it) depend on others not
knowing the process used. This is known as "security by obscurity" and
everyone knows that doesn't work!
The "security by obscurity" point tends to be misused a lot. It is usually
raised by vendors who have encryption API's for various language
environments, brute-force tools, tools which are used to expose weaknesses
in encrypted streams, tools which perform encryption and decryption.
Again, there is a huge industry based on products and services which rely
on the use of "known" algorithms. That includes promoters of conferences
where scientists expose weaknesses in known algorithms. Governments which
"need" to decipher encrypted streams using methods based on known
algorithms.
They have a point to a degree. Prior to the use of known algorithms, there
were a lot of amateur's that produced weak algorithms. But there are cases
where security is enhanced by experts developing unknown algorithms.
There is no way to prevent someone from
"learning" how a program does what it does.
The typical way of "learning" or "breaking" an algorithm is to repeated
push "known" streams through an encryption process and look for patterns
which can be viewed graphically. Begin with null streams, and work your way
through other character streams. Weak algorithms produce symmetrical
patterns. Strong algorithms produce random looking patterns.
The case against using known algorithms is simple, and algebraic. If C is a
product of A and B, and A and B are known, then you have a better
opportunity of discovering C.
Brute force techniques rely on known algorithms.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.