The infoanarchist guide to evaluating crypto products

The goal of this guide is to give people a kind of checklist in order to evaluate the security of a cryptographic product.

Table of contents 1 Evaluating the reviews
2 Evaluating individual components of a cryptosystem

2.1 Evaluating symetric algorithms

2.1.1 Evaluating keysize adequacy
2.1.2 Evaluating design

2.2 Evaluating asymetric algorithms

2.2.1 Evaluating keysize adequacy
2.2.2 Evaluating design

2.3 Evaluating cryptographic hashes

2.3.1 Evaluating output length adequacy
2.3.2 Evaluating design

2.4 Evaluating cryptographic PRNG

3 Evaluating cryptographic constructs

3.1 Initialization vectors
3.2 Chaining mode
3.3 Message authentication code
3.4 Workarounding known weaknesses
3.5 Evaluating products

4 Other factors
5 Further readings
Evaluating the reviews

When you try to know wether to trust someone’s evaluation of some crypto product, you have to weight the person’s credential against the probability of the person having a hidden agenda. Good credentials could be a PhD in cryptography with papers published and cited, huge hidden agenda would be NSA spokeperson. When you evaluate someone credentials always keep in mind that their could be an hidden agenda behing what they say. Even scientists can be involved in business ventures and be biased against competing products or protocol. Beware also of the pure theorician that may miss small implementation details that are really the devil in a cryptosystem. The biggest credentials for evaluating a random cryptosystems are from people that both implemented and broken real world cryptosystems (and didn’t have their systems broken). Some examples would be Paul Kocher, Bruce Schneier, Phil Zimmermann

Evaluating individual components of a cryptosystem

Evaluating symetric algorithms

Evaluating keysize adequacy

Evaluating design

Evaluating asymetric algorithms

Evaluating keysize adequacy

Evaluating design

Evaluating cryptographic hashes

Evaluating output length adequacy

Evaluating design

Evaluating cryptographic PRNG

Evaluating cryptographic constructs

Initialization vectors

Chaining mode

Message authentication code

Workarounding known weaknesses

Evaluating products

Other factors

Further readings

TakeDown.NET -> “The-infoanarchist-guide-to-evaluating-crypto-products