Nobody doubts that it is good to use a cryptosystem implemented the right way: an appropriate algorithm, sufficient key length, proper key management, well-designed protocols, and so on.
Then how about a cryptosystem implemented the wrong way, with reduced key length, careless key management, or poorly designed protocols? Some people will say, "at least they are better than nothing, right?"
But I would say, "they are worse than nothing!" If people know that no encryption is protecting their information, at least they will be very cautious about information leakage, in the good old way. So very little information will leak out.
But once people know that some encryption is in place, whether implemented the right or the wrong way, they relax and assume the information will be secure under any conditions. So poorly encrypted information leaks out without setting off anyone's alarms, and such encryption is barely a challenge to adversaries.
People are now smart enough not to send their credit card number as plaintext in email. But some people, more than you can imagine, comfortably email highly confidential information using "PKZIP encryption" with 123456 as the password. Guess how long it will take Eve to brute-force the password?
In a word, the most dangerous thing is the false security brought by poorly implemented crypto. It is NOT better than nothing. It is worse than nothing.