In cryptography a simple but important rule applies: only open, documented and peer-reviewed encryption schemes should be used. The reason is simple: it is very hard to develop a new algorithm that resists attacks, and developing a custom algorithm while keeping it undisclosed is a clear sign that the vendor or author has not understood the basic principles of cryptography.

In other words: don't use custom (i.e. "we developed our own algorithm") ciphers. Never. Relying on obscurity and secrecy about the algorithm itself does not add to a cipher's security; it diminishes it considerably. The only parties with a genuine interest in such schemes are three-letter agencies.
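To make the principle concrete, here is an added example (not from the original post, and not MIFARE's actual cipher) that contrasts a constructed "proprietary" scheme with a public keyed construction built from the Python standard library. The homebrew cipher's only protection is that its two steps (repeating-key XOR, then a bit rotation) are supposed to stay secret; once they are known, one known plaintext hands over the key and with it every other message. The public scheme derives its keystream from HMAC-SHA256 over a per-message nonce, so knowing the algorithm and one plaintext reveals nothing about another message. The key, messages and nonces are constructed sample values; the HMAC counter-mode construction is a teaching stand-in, not a recommended production cipher.

```python
from itertools import cycle
import hashlib
import hmac


def _rotl8(x: int) -> int:
    """Rotate an 8-bit value left by 3 bits (the homebrew scheme's 'secret twist')."""
    return ((x << 3) | (x >> 5)) & 0xFF


def _rotr8(x: int) -> int:
    """Inverse of _rotl8."""
    return ((x >> 3) | (x << 5)) & 0xFF


def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed 'proprietary' cipher: repeating-key XOR followed by a bit rotation.
    Its only protection is that nobody is supposed to know these two steps."""
    return bytes(_rotl8(p ^ k) for p, k in zip(plaintext, cycle(key)))


def homebrew_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Undo the rotation, then the XOR."""
    return bytes(_rotr8(c) ^ k for c, k in zip(ciphertext, cycle(key)))


def recover_homebrew_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Once the algorithm is public, one known plaintext of key_len bytes yields the key
    directly: the 'secret' step is invertible and the key is mixed in by plain XOR."""
    return bytes(_rotr8(ciphertext[i]) ^ known_plaintext[i] for i in range(key_len))


def hmac_ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Public, keyed stream construction: keystream = HMAC-SHA256(key, nonce || counter).
    Encryption and decryption are the same operation. Teaching stand-in only; in
    production use a reviewed AEAD such as AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def compare_schemes() -> tuple:
    """Returns (homebrew_broken, public_scheme_broken) for one leaked plaintext.

    Constructed sample values throughout. msg2 is shorter than msg1 so that the
    keystream learned from msg1 is long enough to cover msg2 in both cases."""
    key = b"s3cretk3y"
    msg1 = b"Meeting moved to the old mill at dawn"
    msg2 = b"Bring the signed contract"

    # Homebrew: the algorithm leaks, msg1 is known -> the key falls out, msg2 is exposed.
    c1 = homebrew_encrypt(key, msg1)
    c2 = homebrew_encrypt(key, msg2)
    recovered = recover_homebrew_key(msg1, c1, len(key))
    homebrew_broken = homebrew_decrypt(recovered, c2) == msg2

    # Public scheme: algorithm is known, msg1 is known -> only msg1's keystream leaks,
    # which is useless against msg2 because each message uses a fresh nonce.
    nonce1, nonce2 = b"nonce-000001", b"nonce-000002"
    d1 = hmac_ctr_xor(key, nonce1, msg1)
    d2 = hmac_ctr_xor(key, nonce2, msg2)
    leaked_stream = bytes(p ^ c for p, c in zip(msg1, d1))
    guess = bytes(c ^ s for c, s in zip(d2, leaked_stream))
    public_broken = guess == msg2
    return homebrew_broken, public_broken


if __name__ == "__main__":
    print("homebrew broken, public scheme broken:", compare_schemes())  # (True, False)
```

The point is not that XOR is weak in itself; the public scheme also XORs. The difference is that the public scheme's security rests entirely on the key and on nonce uniqueness, both of which are stated assumptions that reviewers can check, whereas the homebrew scheme's security rests on the algorithm staying secret, which is gone the moment a card, firmware image or binary is reverse-engineered.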

The MIFARE fiasco proves this simple principle once more; add LM, Bluetooth and DECT to the list. Maybe. Maybe?

The authors of the paper linked below do not believe in coincidence: given the way certain MIFARE cards were set up, their weaknesses might have been introduced entirely on purpose (read: backdoor).

The paper "The Dark side of security by Obscurity" goes into more detail about the MIFARE fiasco: http://www.want2pay.com/mifarebug.pdf (via FEFE)
