Re: Crypto implementation in consumer encryption software

From: BRG (
Date: 10/12/04

Date: Tue, 12 Oct 2004 11:11:35 +0100

David Wagner wrote:

> Gerard Morentzy wrote:
>>However, consumers are very limited when looking for software, which
>>**implements** strong cryptography -- that is open-source.
> I'm not sure. It seems to me some of the highest-quality cryptographic
> products out there are open source. It seems to me that the pattern
> is that high-quality crypto often comes out first in open source (while
> the competing closed source proprietary are lousy), and then eventually
> the high-quality crypto starts to be make its way into proprietary
> closed-source products, too.
> I'm thinking, for instance, of gpg, PGP, SSH, and open SSL/TLS and IPSec
> implementations, to name a few examples. All of these were way ahead of
> their closed-source competitors at the time (with the possible exception
> of SSL). Personally, I'd rate all of these fairly highly.
> Personally, I think a bigger issue is usability. The open source systems
> often aren't nearly as friendly to end users as typical commercial
> software products. There are exceptions, of course.

I am inclined to agree. The proportion of the source code in a typical
commercial security product that is comprised of direct cryptographic
and security components is almost always small compared to what is
needed for other aspects of its functionality. And while many technical
people are prepared to put up with poor useability in exchange for good
security, for most end users this choice is the other way round (even if
not consciously so).

In my own experience the interaction between open source developers and
commercial product developers can be effective and, as you suggest, for
many products there is a strong link between the early open source code
and the later commercial code (I use a BSD license rather than a GPL
license for my code quite deliberately in an effort to promote the use
of cryptography in commercial products).

But we are also starting to see open source products that combine good
security perfomance and good functionality.

Firstly, as you suggest, some free open source products and some free
(in the RS sense) products are now being delivered with good security
features and good useability (archivers are a good example here).

And, secondly, a number of commercial companies clearly know that it is
important not only to offer security but also to be seen to offer
security. Hence souce code is being made available for inspection.

In my view the latter is a poor second best when compared with widely
used GPL or free open source code (since the prospects of actual
inspection are low for most products). But it is better than closed

    Brian Gladman