Cryptography Reference
Interoperability. It is much easier to adopt and implement publicly known
algorithms in open networks. If an organisation wishes to regularly secure
communications with external clients then use of a proprietary algorithm
means that all the clients will either have to be given the algorithm specification,
or the software or hardware necessary to run it.
Transparency. Businesses may find it easier to convince a trading partner
that their systems are secure if the security techniques that they employ,
which include the cryptographic algorithms, are open to assessment by their
partners. If an algorithm is proprietary then partners may want to perform
independent evaluations of its strength.
WHAT HAPPENS IN PRACTICE?
The different advantages and disadvantages associated with proprietary and
publicly known algorithms mean that their adoption is application dependent.
In practice, both proprietary and publicly known algorithms are used in modern
information systems.
Proprietary algorithms are normally only adopted by organisations (such
as governments) that are large enough to be able to employ their own high-
quality cryptographic design teams. They are also typically only used in closed
environments where interoperability issues are less problematic.
The vast majority of applications of cryptography use publicly known
algorithms. Indeed, in any commercial environment it is probably unwise to
rely on the security of any cryptosystem that claims to use a proprietary algorithm
unless the source of the cryptosystem design can be identified and is regarded as
being highly reputable.
1.5.4 Use of publicly known algorithms
We have just observed that one possible advantage of publicly known algorithms
is that a wide range of experts will have had the chance to evaluate such
algorithms. However, designing cryptographic algorithms requires a great deal of
knowledge, experience and skill. Many well-qualified (and less-qualified!) people
have designed cryptographic algorithms, but very few ever gain sufficient public
confidence to become recommended for use in real applications. It is thus very
important to appreciate that:
• just because an algorithm is publicly known does not imply that it has been
studied by a wide range of experts;
• even if a publicly known algorithm has been fairly well scrutinised, it may not be
wise to deploy it in an application from a security perspective (for example, the
level of scrutiny may not be sufficient);
• relatively few publicly known algorithms are actually deployed in applications;
• very few publicly known algorithms are widely supported across different
applications.