Sunday, May 13, 2007

"Proprietary" encryption

Every security professional I know has heard the dreaded phrase "we use proprietary encryption" at least once in their career. Here are some of the best lines I've heard.

One vendor cited their "64 bit encryption plus three extra bits of proprietary security". Yes, they added three bits. Why stop there? Well, that was enough, right? They really, really hyped those extra bits - after all, three bits is better than two bit encryption.

Another vendor offered "proprietary encryption technologies that our programmers assure us are the very best in the industry" - however, they were completely uninterested in peer review, and would not document in any detail how their encryption was superior.

My all time favorite proprietary encryption line? "We didn't use the standards based encryption libraries included in our IDE because our programmers wrote a far superior 56 bit encryption scheme".

We didn't buy that product.

When vendors throw you lines like these, it helps to have an acceptable encryption policy in hand, like the SANS example policy, so the conversation turns on named algorithms, minimum key sizes and public review rather than on marketing.
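As an added illustration (not code from the post or from SANS), the following Python script turns that idea into a small claim checker: it pulls the stated key size out of a vendor's sentence, looks for a named, publicly reviewed algorithm, rejects anything described as proprietary or in-house outright, and estimates the brute-force work behind the numbers. The algorithm list, the minimum key sizes and the rate of one billion keys per second are assumptions standing in for whatever a real policy would specify, and the vendor sentences fed to it are constructed from the quotes above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy table: publicly reviewed algorithms and the minimum key size
# this (illustrative) policy accepts for each. A real policy sets its own values.
MIN_KEY_BITS = {"AES": 128, "CHACHA20": 256, "RSA": 2048, "ECDSA": 256, "ECDH": 256}
FIXED_KEY_BITS = {"CHACHA20": 256}  # algorithms whose key size is implied by the name
# Wording that signals an unreviewed design; any of these fails the claim on its own.
RED_FLAGS = ("proprietary", "in-house", "custom", "secret algorithm")
WORD_NUMBERS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5}


@dataclass
class Verdict:
    acceptable: bool
    reason: str
    key_bits: Optional[int]


def parse_key_bits(claim: str) -> Optional[int]:
    """Extract an effective key size from phrases like '64 bit', '56-bit' or 'AES-256',
    adding any 'plus three extra bits' the vendor tacks on."""
    text = claim.lower()
    m = re.search(r"\b(\d+)\s*-?\s*bits?\b", text)
    if m:
        bits = int(m.group(1))
    else:
        m = re.search(r"\b(aes|rsa|ecdsa|ecdh)[\s-]*(\d{2,4})\b", text)
        if not m:
            return None
        bits = int(m.group(2))
    extra = re.search(r"plus\s+(\w+)\s+(?:extra\s+)?bits?", text)
    if extra:
        token = extra.group(1)
        if token.isdigit():
            bits += int(token)
        elif token in WORD_NUMBERS:
            bits += WORD_NUMBERS[token]
    return bits


def identify_algorithm(claim: str) -> Optional[str]:
    """Return the first policy-approved algorithm named in the claim, if any."""
    text = claim.upper()
    for name in MIN_KEY_BITS:
        if re.search(rf"\b{name}\b", text):
            return name
    return None


def brute_force_years(key_bits: int, keys_per_second: float = 1e9) -> float:
    """Expected years to find a key by exhaustive search (half the keyspace on average)
    at an assumed, illustrative trial rate."""
    return (2 ** (key_bits - 1)) / keys_per_second / (365 * 24 * 3600)


def evaluate_claim(claim: str) -> Verdict:
    """Apply the policy: reject unreviewed designs, require a named algorithm,
    then enforce the minimum key size for that algorithm."""
    text = claim.lower()
    bits = parse_key_bits(claim)
    for flag in RED_FLAGS:
        if flag in text:
            return Verdict(False, f"unreviewed design ('{flag}'): rejected regardless of key size", bits)
    alg = identify_algorithm(claim)
    if alg is None:
        return Verdict(False, "no publicly reviewed algorithm is named", bits)
    if bits is None:
        bits = FIXED_KEY_BITS.get(alg)
    if bits is None:
        return Verdict(False, f"{alg} is named but the key size is not stated", None)
    if bits < MIN_KEY_BITS[alg]:
        return Verdict(False, f"{alg} key of {bits} bits is below the policy minimum of {MIN_KEY_BITS[alg]}", bits)
    return Verdict(True, f"{alg}-{bits} meets policy", bits)


if __name__ == "__main__":
    # Constructed vendor claims, paraphrasing the lines quoted in the post.
    claims = [
        "64 bit encryption plus three extra bits of proprietary security",
        "our programmers wrote a far superior 56 bit encryption scheme",
        "AES-256-GCM from the platform TLS library",
    ]
    for c in claims:
        v = evaluate_claim(c)
        years = f"{brute_force_years(v.key_bits):.3g} years" if v.key_bits else "n/a"
        print(f"{'PASS' if v.acceptable else 'FAIL'}: {c}\n    {v.reason}; brute force at 1e9 keys/s: {years}")
```

Run it and the "three extra bits" turn out to be worth a factor of eight, which moves a 56-bit search from about a year to a few thousand years at the assumed rate, while a 128-bit key sits more than a dozen orders of magnitude beyond that. The more important output is the reason text: the first claim fails on the word "proprietary" before its key size is even considered, and the second fails because no reviewed algorithm is named at all, which is exactly the question a policy lets you put to the vendor.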

What are your best "proprietary encryption" stories?

