Avoid security through obscurity

Home

When you are considering buying a crypto product demand that you get a clear written description of the cryptographic essentials of the product - this can be a number identifying a patent or another written description. The purpose of this is to enable the verification of the claimed cryptographic properties. Also when new crypto attacks become known their effectiveness against the product can be checked via the description. The software vendor will also be more willing to improve the defenses when the newly discovered vulnerabilities are publicly known.

The hiding of the security design principles is not a good idea – this is called security through obscurity. In cryptography it must be assumed that eventually the design will become known to the opponent and it is much better if the design has been analyzed by many people before this happens.

Essential things:

The general workflow, how the keys are derived, standards used, used ciphers and their modes of operation.

Home