
I just came across an interesting discussion on LinkedIn. Here's what someone from a security vendor said:

While I’m unable to delve into our patented technology without an NDA, needless to say all data to and from our gateway solution uses a proprietary transport encryption solution that secures transactions at an effective security level of 320 bits, which is 200 times more secure than SSL3 using 128-bit encryption.

A proprietary encryption solution that a vendor won't tell you about unless you sign an NDA is almost certainly a sign that something's not right. There are essentially two approaches that are generally accepted for validating encryption technology. In one case you let people try to find problems with it, and if they don't find anything after several years then you have some level of assurance that there aren't any problems with it. Or if you have a peer-reviewed proof of security, that's another option.

The wait-and-see approach isn't as good as having a proof. It's really a legacy approach that was used before the work of Phil Rogaway and Mihir Bellare on provable security transformed cryptography from an art into a science. But since lots of people don't quite understand the proofs of security for cryptographic schemes and protocols, we're likely to see the wait-and-see approach well into the future.

In any case, neither of these approaches is one that benefits from keeping your cryptography secret, so it's not clear why a serious security vendor would want to keep the details of their encryption protocol secret.

But what struck me as odd about this particular vendor's statement was the fact that 320-bit encryption was claimed to be 200 times more secure than 128-bit encryption.

Is there any way at all to interpret this vendor's statement in a way that makes sense?

If the 320 bits of security and the 128 bits of security are both key lengths of ideal symmetric ciphers, then 320 bits is way stronger than 128 bits. It's stronger by a factor of $2^{320-128} = 2^{192}$ = 6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896. That's so much bigger than 200 that it seems very unlikely that someone would try to approximate it as 200, so this explanation doesn't seem to make sense.

Could the 320 bits be from an elliptic-curve scheme? In that case, 320 bits could give you 160 bits of cryptographic strength. But such a key is stronger than a 128-bit AES key by a factor of roughly $2^{160-128} = 2^{32}$ = 4,294,967,296. That's still so much bigger than 200 that almost nobody would approximate it as 200.

Maybe a few politicians would. It's easy to imagine some of them saying things like, "Our projected budget deficit is approximately \$200 this year"  when they're really spending billions more than they're getting in revenue. Cryptographers tend to be more precise.

Or those 320 bits could be the size of an RSA modulus or a similar value (DH modulus, etc.). But if the 320 bits come from something like an RSA modulus, then they'd actually be giving you much less than 128 bits of strength. That means that you'd never actually claim that using the 320-bit key was stronger, so that explanation doesn't seem to make sense either.

A final possibility is that this vendor noticed that 320 – 128 = 192, so they thought that 320 bits of strength is 192 times better than 128 bits of strength. Round the 192 up to 200 and you're done.  That makes absolutely no sense at all, of course, and it's a mistake that nobody who's selling security products should ever make.
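The four readings of "320 bits" considered above can be checked side by side. The following is an added example, not part of the original post; the function names are hypothetical, and the RSA figure uses the standard heuristic running-time formula for the general number field sieve (with the o(1) term dropped), which is an assumption the post itself does not state.

```python
import math

def symmetric_bits(key_bits):
    # Ideal symmetric cipher: exhaustive key search costs about 2^key_bits.
    return key_bits

def ecc_bits(key_bits):
    # Generic discrete-log attacks on an n-bit curve cost about 2^(n/2).
    return key_bits // 2

def rsa_bits_estimate(modulus_bits):
    # Assumption: heuristic GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    # with c = (64/9)^(1/3) and the o(1) term ignored. Rough estimate only.
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_nats = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_nats / math.log(2)  # convert to bits of work

def advantage_factor(strong_bits, weak_bits):
    # How many times more work the stronger key demands (exact integer).
    return 2 ** (strong_bits - weak_bits)

def readings(claimed=320, baseline=128):
    # Each interpretation of the vendor's "320 bits" against a 128-bit key.
    return {
        "symmetric_factor": advantage_factor(symmetric_bits(claimed), baseline),
        "elliptic_curve_factor": advantage_factor(ecc_bits(claimed), baseline),
        "rsa_modulus_strength_bits": rsa_bits_estimate(claimed),
        "naive_subtraction": claimed - baseline,
    }

if __name__ == "__main__":
    r = readings()
    print("symmetric key:      2^192 =", f"{r['symmetric_factor']:,}")
    print("elliptic curve:     2^32  =", f"{r['elliptic_curve_factor']:,}")
    print("RSA/DH modulus:     about %.0f bits of strength (below 128)"
          % r["rsa_modulus_strength_bits"])
    print("naive subtraction: ", r["naive_subtraction"], "(the only value near 200)")
```

Only the subtraction lands anywhere near 200; the security-level readings differ from it by many orders of magnitude in one direction or fall below the 128-bit baseline in the other.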

So I'm left wondering exactly what's going on with this vendor's cryptography. And why they won't tell you exactly how it works. And exactly how that 320-bit key is used.