CryptoSurvey -- Results ..

From: General X (
Date: 01/10/04

    Date: 10 Jan 2004 03:29:41 -0800

    My crypto surveys from 1996, 1997 and 2001 are as relevant today as
    they were at those times.




    Cryptographic Survey, May 2001, Markku J. Saarelainen




    The major societal development since the 1st and 2nd crypto surveys in
    1996 and 1997 has been the removal of many regulatory barriers to
    open trading of cryptographic products in North America and
    globally. In addition, the number of cryptographic applications and
    component implementations has increased, while at the same time the
    variety of different types of solutions has risen. This does not
    necessarily mean the wider use of encryption in businesses and
    personal activities. Many of the same or similar behavioral barriers
    to the effective utilization of many security solutions still exist,
    limiting the protection of communications, data storage and networking.
    In addition, the lack of interoperability between solutions from
    different suppliers tends to decrease the number of effective
    cryptography users worldwide. It is clear that the awareness of
    encrypted communication and protected information activities has
    increased, while necessary regulatory changes for protecting entities
    from security vulnerabilities have enabled cryptographic product
    suppliers to satisfy market requirements in the U.S.A., in North
    America and globally. However, regulatory and cultural differences
    exist from one nation or region to another, creating a globally
    unbalanced situation in the use of security, which has a reducing
    effect on security practices and policy implementations of any global
    entity in different regions. This impacts the interoperability of
    units of global entities. It is likely that there shall be greater
    competing drives in the information technology market place between
    different security strategies and approaches from different software
    and hardware product and security suppliers.

    QUESTION 1. In your opinion, what are the 5-10 most significant
    applications of encryption technologies currently in commercial

    1. HTTP over SSL (aka HTTPS) / SSL for credit card processing / SSL /
    Web-activity privacy (SSL)
    2. IPsec
    3. RSA Secure ID (maybe)
    4. Online Credit Card Processing & Financial Transfers
    5. VPNs / Virtual Private Networks for widely distributed offices /
    VPN for remote access to Intranet
    6. Email encryption (via PGP/GPG or SMIME) / Encrypted Messages /
    Email Privacy
    7. Digital signing authentication of messages
    8. Consensus and voting software (not now but give it 5 years)
    9. Encrypted file systems for sensitive data
    10. Signing software for installation
    11. Signing email messages to show official authority
    12. Wireless local area network encryption
    13. Password protection/access control
    14. Data protection
    15. Session protection (VPN's)
    16. Authentication and authorization / Customer authentication (e.g.
    PIN checking)
    17. Securing B2B file exchange
    18. PKI
    19. Remote secure teleworking
    20. Digital signatures
    21. Time-stamping

    QUESTION 2. In your opinion, what are 5-10 main barriers currently
    that may prevent the successful implementation and utilization
    of encryption technologies in commercial enterprises?

    1. Ignorance of risks prevents purchase
    2. Dishonest portrayal of product (i.e.: false security claims and
    blatant product holes in end-to-end protection) promotes distrust in
    the whole
    3. Most products are a waste of time because they are not a
    comprehensive solution - e.g.: why bother using PGP when there is
    nothing in any NAI products to protect against back-office-style
    electronic eavesdropping attacks?
    4. Many people do not care about cryptography and/or security products
    5. Having lived happily without serious protection for a long while,
    most customers believe there is no point retrofitting an expensive
    solution for a problem they do not have (and many of them are probably
    6. Lack of knowledge by decision-maker
    7. Low knowledge level of users
    8. Lack of knowledge by computer scientists
    9. Lack of complete standards (S/MIME to be extended, ...)
    10. Cost
    11. It is too hard to use / complexity / Not transparent enough and
    made user hard to use.
    12. Difficult and complex configurations.
    13. Diversity of enterprise
    14. Trained security personnel
    15. Commercial operating systems are too difficult to secure and hence
    there is no such thing as a trusted base
    16. No widely accepted standard for smart cards or tokens
    17. No facility for reading smart cards or tokens on mass market PCs
    18. Character limit on Microsoft passwords
    19. Bad advice on password generation
    20. Unjustified prices for non-commodity products
    21. Confused security market - lack of standards and best practices,
    everyone is trying to define their own market segment and different
    way to solve the same common problem.
    22. Protectiveness of public sector - local solutions are preferred
    23. No. 1 is the need of users training, as they tend not to
    understand too well what procedures are for encryption. This can mean
    huge resources/budgeting requirements and the aftermath of running
    Helpdesk support.
    24. Key distribution is also a major consideration for large user
    groups. PKI seems to address this problem but it brings forth more
    problems of its own. PKI is not simple to set up in a production
    environment and certificates rollout is a noted issue.
    Incompatibility issues with various PKI vendors' product may bring
    down the whole PKI project. Very often customers are forced into
    accepting single PKI supplier solution. PKI related standards abound
    but incompatibility is still with us. Also an issue is the
    insufficient supply of security professional to serve customers'
    25. Lack of PKI or alternative
    26. Expensive charges by digital certificate issuers
    27. Difficulty of users managing passwords
    28. Failures of interoperability between vendors implementing
    29. IS department sees encryption as a limit on its monitoring
    30. Users lack of security knowledge
    31. Interoperability between heterogeneous systems
    32. Not aware of the importance of security
    33. Complex key management
    34. Inefficiency
    35. Most existing Public Key infrastructures are based on deeply
    flawed models of trust. They abandon the idea of trust and aim to
    prove identity instead - but fail to do even that since Verisign, etc,
    do not adequately protect themselves from fraud.
    36. There are too few key authorities and the business has substantial
    barriers to entry. Basically, if you cannot get your root key into
    the default configuration of the majority browser (for which the
    software company that makes the majority browser will charge a very
    large amount of money) then your key authority is a non-starter. This
    creates a monopoly environment in which customers are being
    drastically overcharged and underserved for their key certificates,
    and also creates targets for hacking, fraud, or legal compromise,
    which would cause enormous damage if compromised.
    37. The non-centralized key authorities favored by PGP et al are a
    better trust model and don't suffer from the few-points-of-attack
    problem, but they are being killed by apathy. The "web of trust" is
    longer a web, it's a bunch of teeny bits of webbing blowing hither and
    38. Software Patents. Software patents have necessitated creating
    multiple incompatible versions of many things that ought to be public
    infrastructure and utilities by now. As long as users of one version
    of PGP can't read or verify messages created by another, due to
    software patents, all versions of PGP have diminished utility.
    39. Development practices. It is almost impossible to write secure
    code using what is now considered "ordinary" Object-oriented
    programming. GUI's and windowing systems have so many deep security
    flaws that security is nearly impossible unless these things are
    reimplemented from the ground up. In particular, every windowing
    system on the market makes it possible to monitor keystrokes intended
    for a different program, and none even have an option to "clear"
    memory of what's on the screen before releasing the memory back to the
    system where another program can allocate it.
    40. Protocol Impoverishment. There are many useful protocols that
    have been discussed and discovered, but very *VERY* few of them have
    ever seen a robust or publicly available implementation.

    QUESTION 3. What are activities and projects that can be initiated and
    taken to lower and reduce above barriers (see the question 2.)?

    1. Introduce a new government law which makes security companies 100%
    liable and responsible for all damage and losses that occur as a
    result of their software failing to perform the purpose it was sold
    for, and failing to live up to their advertised claims. This will
    force product vendors to revise their claims, remove the lies from
    their packaging, and cause them to have to print lengthy explanations
    of what threats their products can not withstand. This will give
    customers an opportunity to understand what risks they really face
    after using various products and an opportunity to seriously compare
    different products pre-purchase.
    2. Education and training
    3. Consulting or outsourcing of enterprise security
    4. More publicity
    5. Standardization
    6. Integration of security products into mass-market software
    7. There is little we can do about the end-users, I think time is the
    best cure here. Imagine asking the government or any organization to
    provide free training on security practices to all. Hopefully, users
    will see encryption is a tool to protect them and help them rather than
    something
    hindering their work and therefore must fight against. On the
    (encryption) technology side I believe the industry can do something
    to help the poor users and itself as a side bonus. It would be much
    easier for security integrators if different vendors work together
    making their solutions friendlier to each other. I notice this trend
    has started already but I think it is not enough. There should be
    some form of non-vendor affiliated body that run some certification
    scheme to endorse/state "what product from which vendor is compatible
    with who" sort of reference.
    8. Remove the barriers listed in Question 2
    9. Develop an alternate Internet based on secure technology.
    10. Education project to be launched to include cryptography in
    engineering and computer scientist basic school programs.
    11. A widely accepted, free certificate issuer would solve the PKI and
    certificate-expense problems. This could be a government service.
    12. Simplification of security standards and focusing on profiles,
    which represent limited but functional subsets will help with interop.
    13. Most security standards are too complex.
    14. Children should begin being trained in school to deal with network
    security throughout their lives. They should learn to memorize
    passwords and understand the basic functionality of two key
    15. Schools should prepare children for a life where crypto keys are
    tools they are as comfortable using as computers.
    16. Push a practical PKI for ease of use.
    17. Make interface more friendly and transparent to the users.
    18. Reduce human interactions.
    19. Make configuration easy.
    20. Public domain or public-license sw for an extended set of
    protocols ought to be developed. Software patents have become a
    "poison pill" to compatibility, so they ought to be avoided and it
    ought to be possible to completely avoid them. GPG and OpenSSH are
    the two premier examples of this, and their existence has a lot to do
    with the technologies they represent having finally become important.
    21. Public awareness of the probability and consequences of failure to
    keep data secure. This is sorely lacking now, although the IT
    departments of major companies are finally starting to "get it".
    22. Public Key authorities need to be much easier to set up.
    23. Crypto books aimed at kids and amateurs. The developers stuff is
    there already, but it's hard to draw new workers into the field beyond
    the stale "spy glamour" thing. Anyway, kids and amateurs are the
    future security pros who can solve the major problems with software
    and etc; we just need more people in the field who are willing to get
    their hands dirty and experiment with code. This is one of the most
    lopsided fields of software development, where we have *SCADS* of
    ideas from academics that no one has had time to properly implement
    yet. We need a lot of implementers to get really fired up about it.






       MAY, 1997

    Note: This survey summary contains raw survey results that have NOT
    analyzed, evaluated or prioritized. The results are based on comments
    and opinions (all of which may not be facts) that were received from
    many individuals who responded to the original (October 1996) survey.

    QUESTION 1: In your opinion, what are main developments in the
    of encryption technologies in commercial enterprises since October,

    "The continued government attempts to get 'key recovery', and a
    amount of reluctant willingness from business."

    "Purely for e-commerce reasons have there been any advancements. The
    rest of the encryption world (privacy/freedom etc.) have been
    appallingly backward and most governments will tend to hold them

    "Network Computers (NCs)."

    "Slight easing of export restrictions. Development of several payment
    protocols. Increasing adoption of retail commerce over the net as
    evidenced by recent IPO of"

    "There is some movement towards more advanced mathematics. The market
    is searching for patent free/royalty free encryption. Governments
    attempting to halt it, but are failing miserably."

    "Electronic payment via The Internet."

    "C2's bypass of the export regulations. The broader adoption of SSL.
    Eudora plugins for PGP."

    "-SSL has been widely used for the securing of data for a number of
    on-line Internet banks. -Encrypted tunneling products which extend
    corporate Intranet/LAN are now becoming widely available. -Smart cards
    are finally appearing in North America. In Canada alone Visa Cash,
    Exact (Proton?), and Mondex are going through trials. -SSL is now
    used to protect credit card transactions on a number of internet
    sites -The US government continues to support key escrow for exported
    encryption. -Major players (i.e. banks, IBM, MS, HP, VeriFone) are
    taking steps to integrate SET into their range of products. -Future
    browsers are going to allow smart cards to Interface with the

    QUESTION 2: In your opinion, what are 5-10 main barriers currently
    may prevent the successful implementation and utilization of
    technologies in commercial enterprises?

    "-Legislation and government intervention for strong encryption.
    -Unfamiliarity with the technology will produce mistrust of its
    reliability. -Safe key-management processes are difficult to achieve.
    This will reduce the security of cryptography and thus its usefulness
    for many applications. -Cryptography is not user-friendly right now.
    Until it becomes so then it is unlikely to achieve widespread usage.
    -Licensing fees for cryptographic algorithms are not cheap. Until
    patents expire for things like the RSA public key algorithm the costs
    of developing reliable cryptographic products will remain high. -
    are a large number of cryptographic products with no clear standards

    "Export regulations."

    "Lack of perceived need."

    "Lack of expertise among engineers and technicians."

    "a) Lack of interest in security b) Concentration on cost c) Lack of
    ready-to-use cheap tools d) Legislation and potential legislation e)
    Patents and licensing issues"

    "Government inadequacies in legislation, Vendors propensity to hand
    private keys to government (extrapolate that to insecurity when a
    working for a vendor is bribed to give out a private key), Costs,
    reluctance in encryption (FUD factor)"

    "Threats to roles of traditional players (e.g., SET's effect on card
    issuers)., Seamless integration into products., Education of users.,
    Regulatory obstacles. Widespread availability."

    "1) ease of use, 2) cost of real security, 3) an understanding of
    security details, 4) a lack of understanding the difference between
    cryptography and security 5) uncertainty as to what the government

    "- exportability (permissions are needed if a product implements
    cryptography, and 2 or more versions of the software has to be build),
    patents (can't exploit algorithms without negotiating royalties)"

    "The governments export restrictions on strong cryptographic

    " It is not a question of availability of software, but of
    interoperability between systems made/sold in different regions of the

    "Government FUD. Ease of use. Cost of training etc. Worry about
    of secrets."

    QUESTION 3: What are activities and projects that can be initiated and
    taken to lower and reduce above barriers (see the question 2.)?

    "a) Wider accurate publication of security lapses.
      b),c) Cheap tools fitted for a job. I just read a Sun catalogue
           where much of the software (including security software)
           has laughable prices. Get a straightforward Virtual
           Private Network from 100 pounds for a start.
    d) Do strong lobbying and occupy lawmaker's time with other stuff
           when they seem to be going in the wrong direction.
    e) Wait for some important expiry dates.
           Have more reasonable contact with license-holders.
           Bypass licenses by producing new methods that get less

    "Continued integration into key products such as Netscape and IE.
    Perhaps even into OSes."

    "Lowering the barriers to deploying certification authority
    infrastructures for use w/in intranets. (in terms of cost, ease of
    administration, etc.), Further efforts at deregulation."

    "Lobby governments, Do not place restrictions for vendor based key
    management, Push for totally private key systems"

    "A not for profit, global, public education group should be created
    whose purpose is to help educate businesses. Secondarily it should
    educate the public on the issues of privacy, but the primary goal
    be to get all businesses (mainly the small ones) to understand that
    simple pains can give a great deal of security, and that the cost is
    worth the money and time saved from fraud and theft."

    "An e-mail program that a "stoned hippy" could use and still not leak
    information is needed. It would not allow too much flexibility, but
    would give "the masses" a hands on feel for what security is and how
    crypto plays a role in their everyday life. Six year old kids and
    grandmothers could be using even this simple security level for
    It would go a long way because people will ask many questions, and
    will get many answers. It would more rapidly diffuse the information
    and education over the populace (world wide)."

    "Develop simple and user-friendly ways to use cryptography and manage
    keys effectively."

    "Reduce the ability for corporations to patent cryptographic
    key-management techniques, and anything other than completely unique
    cryptographic algorithms. We don't need research into new
    we need open access to refinements of what exists. If people can
    patent those refinements then it reduces the access people have to
    these new technologies at the expense of society at large."

    "Eliminate export barriers on strong encryption."

    "Education (public): crypto is used for authentication as well as
    privacy. It is *not* military or espionage technology. It is
    (required) enabling technology for tomorrow's information

    "Education (professional): principles of information security taught
    all relevant courses. (e.g. computing, telecom, electronics, etc)."

    ----- Results of the original survey in October, 1996 -------

            SURVEY SUMMARY: Encryption in Commercial Enterprises

                                            October, 1996


                                      M. J. Saarelainen

    SURVEY METHODS BRIEFLY: Three specific questions were sent to several
    mailing lists and news groups. The great number of responses was
    received. These responses were compiled as received to the list
    any priorities) below. No detailed analysis or evaluations were
    completed at this time. Please, review these questions and responses
    let me know, if you like to add, remove or change something. Thanks.


    QUESTION 1. In your opinion, what are the 5-10 most significant
    applications of encryption technologies currently in commercial

    RESPONSES (# of responses = 29) TO QUESTION 1:

    1. Secure E-Mail / Secure E-mail SMTP/POP3 mail client
    2. Secure Internet-Shopping
    3. Encrypt the entire internet ( encrypting routers etc. )
    4. Encrypted file systems - partition for laptops
    5. Encrypted voice (cellular, cordless, wireline, voice-over-internet)
    6. Secure FAX
    7. Point-to-point encrypted links, for corporations using the Internet
    as a WAN.
    8. EDI (both encryption & authentication), Electronic Data Interchange
    9. Secure FTP client/server software
    10. Secure FTP client only software
    11. Secure UNIX FTP server software
    12. Secure File based encryption for HD and Floppy
    13. Accounting departments need to ensure their data can't be changed
    14. Engineering needs to ensure competition doesn't easily steal ideas
    15. Secure login (and insecure, in the case of Unix)
    16. Network traffic encryption
    17. Local file/data protection (incl. backup protection)
    18. Protection of proprietary information while allowing company use
    19. Crypto applications as an element in the information security

    20. Regional and national electric power exchanges between companies
    21. Large investment banks who want to coordinate across their own
    organizations and others in significant numbers
    22. Healthcare cries out for encryption
    23. The military for sensitive non-classified information.
    24. Law enforcement is a natural for the internet, if they could agree
    on a common security solution.
    25. Online banking, online sales and commerce, data protection on
    commercial database servers, secure transfer of govt. information, ie.
    tax information on citizens.
    26. The most widely spread encryption technologies are pgp and
    proprietary hardware solutions by different providers like Cylink etc.
    SSL is now upcoming.
    27. Protection and storage of Archives
    28. Person to person communication within an organization.
    29. Secure remote communications (over the Internet)


    QUESTION 2. In your opinion, what are 5-10 main barriers currently
    may prevent the successful implementation and utilization of
    technologies in commercial enterprises?

    RESPONSES (# of responses = 22) TO QUESTION 2:

    1. Cryptic user interfaces
    2. ITAR regulations, Government regulation or restrictions of use of
    strong encryption, Government export restrictions for strong

    3. Ignorance ( pegasus provides REAL encryption )
    4. Lack of knowledge of resources available to Business.
    5. Misunderstanding that encryption is complicated.
    6. Misunderstanding that encryption is costly.
    7. General lack of knowledge as to how to write *strong* encryption
    8. Lack of integration of strong encryption so that the user must
    learn/know too much in order to use it properly
    9. General lack of understanding of the necessity of *strong*

    10. Difficult to use
    11. Slow speed
    12. Complexity makes choices difficult since no one can be a full

    13. Workers have to wait for a supervisor
    14. A lack of understanding of the technology
    15. The lack of good cost-benefit analysis data
    16. On the product development side, few companies have both the
    engineering and the marketing/industry expertise to successfully make
    good secure products which meet real market needs and demands
    17. Key Management. The ability for a user to gain authentification
    use of cryptographic programs, to access information for which that
    person is authorized. Passwords can be forgotten, or copied, verifying
    user easily is very difficult.
    18. Lack of standards, and most of all lack of good certification
    19. The second barrier derives from a missing standard interface in
    E-Mail, ftp ... transparently embed widely spread
    20. Lack of knowledge of encryption is a big hurdle to its
    implementation. Non-technical people are required to evaluate the use
    of a technological product they may not understand completely. It's
    difficult to put your trust in an algorithm when you don't understand
    how it works.
    21. Many enterprises may not be aware of how easy it is to begin using
    encryption within their organization.
    22. Many organizations may not recognize the need to protect
    within their organization. Some may not be aware of how easy it is to
    tap into electronic communications.


    QUESTION 3. What are activities and projects that can be initiated and
    taken to lower and reduce above barriers (see the question 2.)?

    RESPONSES (# of responses = 27) TO QUESTION 3:

    1. Integrated mail reader with PGP capabilities, easy to use
    2. Spreading awareness of how useful strong crypto really is.
    3. Spreading awareness of exactly *why* governments seeks to prevent
    spread of crypto.
    4. Writing strong encryption software and placing it in the public
    5. Proving by actual demonstration that existing encryption is
    6. Encouraging wealthy crypto advocates to speak freely.
    7. Education of users and vendors of the issues
    8. Lobbying of governments by aforementioned enlightened users/vendors
    9. Different products need to be created which can interoperate
    transparently to the user, but not deliver data unless operator is

    10. Smart cards which attach to every terminal, the cards go with the
    person and they can validate themselves at any terminal
    11. Overcoming the complexity barrier requires patient teaching of
    12. A set of brochures and pamphlets needs to be created which
    most systems in use for a particular level of security
    13. A major project would be to simply educate the managers of most
    companies about crypto, to remove the magic and bring the whole thing
    down to earth
    14. Manufacturers need to go to more trouble talking with customers
    before designing products and be more creative in finding ways to meet
    market needs
    15. Security companies also need to audit themselves and demonstrate
    that they are trustworthy
    16. Better turnkey low-cost enterprise-wide solutions to common
    (network encryption, for example) are needed.
    17. Make applications easier to use, Build easy to use encryption into
    applications so that it is smooth or even transparent to users
    18. Universal standards for dual key encryption
    19. Reduce strength of encryption to increase speed
    20. Large groups of customers must get together and dictate standards
    the security industry.
    21. The first thing is to implement a transparent interface to
    encryption function to all data transfer services.
    22. The second would be to get all suppliers of encryption
    to conform to this standard.
    23. I think the best thing is to initiate a workgroup at The Open
    responsible for encryption interfaces.
    24. Public Software such as PGP should be widely available. The more
    people are experienced with this software the more likely they are to
    use and trust it.
    25. Making software like PGP widely available means more than just
    making sure copies of it are accessible. It also means making it
    user-friendly enough.
    26. Education is also required. I find that very few people really
    about these issues.
    27. People need to promote awareness of the current situation.

