Is strong crypto worse than weaker crypto? Lessons from Skype
A mantra in the security community, at least among some, has been that crypto that isn't really strong is worse than having no crypto at all. The feeling is that a false sense of security can be worse than having no security, as long as you know you have none. The bad examples include of course truly weak systems (like 40-bit SSL and even DES), systems that appear strong but have not been independently verified, and perhaps the greatest villain, "security through obscurity," where the details of the security are kept secret -- and thus unverified by third parties -- in the hope that this might make them safer from attack.
On the surface, all of these arguments are valid. From a cryptographer's standpoint, since we know how to design good cryptography, why would we use anything less?
However, the problem is more complex than that, for it is not simply a problem of cryptography, but of business models, user interface and deployment. I fear that the attitude of "do it perfectly or not at all" has left the public with "not at all" far more than it should have.
An interesting illustration of the conflict is Skype. Skype encrypts all its calls as a matter of course. The user is unaware it's even happening, and does nothing to turn it on. It just works. However, Skype is proprietary. They have not allowed independent parties to study the quality of their encryption. They advertise that they use AES-256, which is a well trusted cipher, but the cipher is rarely where such systems fail; the key exchange, the mode of operation and the key management are, and those are exactly the parts nobody outside Skype has been able to look at for mistakes.
This has caused criticism from the security community. And again, there is nothing wrong with the criticism in an academic sense. It certainly would be better if Skype laid bare their protocol and let people verify it. You could trust it more. But what's interesting is that while being criticised in this fashion, Skype has also done more to put crypto into the hands of the public, for use in person-to-person communications, than anybody. More than Phil Zimmermann's PGP. Certainly more than any other encrypting phone. With Skype, in fact, we have reached an important milestone: the use of crypto in Skype does not immediately tag you as a privacy-concerned cypherpunk. Everybody uses crypto with Skype, so it's not unusual to do so. With all other tools, you have had to go out of your way to get it, and make sure the other person does too.
I believe the push for perfect crypto has resulted in some poor choices by software designers. The vast majority have just left crypto out of their tools. One primary reason is that it's hard to get right. Another is that it often requires a complex UI, with certificates and PKIs, that users have historically rejected. There are other reasons, including the export restrictions we at EFF fought like hell to get struck down, but these are the important ones, and those decisions have left 99% of internet traffic unencrypted, or "in the clear."
Skype does what I call ZUI -- Zero User Interface. And the result is millions encrypting. ZUI requires some cryptography compromises. With no step where the user checks a certificate or compares a key fingerprint, the key exchange is opportunistic: it stops anyone who can merely listen, but you are a bit more subject to the "man in the middle attack" if somebody can make all your internet traffic go through them and swap their own keys in for each party's. But it turns out anybody who can do that usually has a lot of other ways to get at you, so this is not as much of a compromise as some people think.
Many cryptographers, paid to design security for banks or spy agencies, assume a much too large "threat model" in designing their systems. Because they can design a system that can protect a bank or spy, they ask "why wouldn't you?" And by asking that, I think they have caused more and more systems to have no crypto because the programmers don't have the resources, or won't muck up the UI as might be needed to make the crypto as strong as it can be.
Skype's proprietary nature is also interesting. After giant protocol wars, with SIP the winner, Skype decided to ignore them, and design their own protocol which they keep closed. (They talk SIP to send calls to the regular phone network, but users don't see this.) Doing so gave Skype tremendous latitude of design. They controlled both ends, and did not have to test with other people's software. This allowed them to move more quickly, and create a "just works" application. It's much harder, with open tools, to create a "just works" application because you must make it work with all sorts of software you don't control.
The public loved it. In spite of all the good things about open standards, Skype leapt over them in a few months, by deliberately not letting other people see their protocol and try to talk to it. And so they keep their protocol, and their crypto, locked up. A determined reverse engineer can and someday will decode it, but for now things have worked very well for them, and their users seem to agree.
Skype's crypto might have a flaw, but none has been publicised yet. I wouldn't trust it as much as a more scrutinized system, but in fact it's not an all-or-nothing game, as some cryptographers would have you believe. I think you can put a decent amount of confidence in Skype if your "threat model" is the script kiddie sniffing the wireless network at your Starbucks. For that threat, it is a lot better than talking on an unencrypted system, which is what you will get from almost everybody else unless you go to a lot of trouble.
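To make the trade-off concrete, here is an added example (not Skype's protocol, and not code from the original essay) showing why the ZUI compromise described above is exactly the gap between the Starbucks sniffer and the man in the middle. It uses a toy Diffie-Hellman exchange over a group that is assumed for illustration only (the prime 2**255 - 19, which is not a vetted DH group), a toy XOR stream cipher, and a constructed sample message. Two runs are simulated: one where the adversary can only sniff, and one where the adversary sits in the path and negotiates a separate key with each victim. The last line of output is the piece of UI a ZUI design leaves out: a short authentication string that the two callers would have to read to each other to notice the substitution.

```python
import hashlib
import secrets

# Toy DH parameters, assumed for illustration only. p = 2**255 - 19 is prime,
# but this is NOT a vetted Diffie-Hellman group and this is not a real protocol.
P = 2**255 - 19
G = 2


def keygen():
    """Fresh ephemeral DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """32-byte shared key from our private exponent and the peer's public value."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def short_auth_string(pub_a, pub_b):
    """Six hex digits over both public values, ordered so both ends compute the same
    thing. Reading this aloud to each other is the UI step that catches a man in the
    middle; a Zero User Interface design skips it."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).hexdigest()[:6]


def simulate_call(mitm):
    """Alice sends one encrypted 'voice packet' to Bob.
    mitm=False: the adversary can only sniff the network (the Starbucks case).
    mitm=True:  the adversary relays all traffic and rewrites the key exchange."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    plaintext = b"constructed sample: what was said on the call"  # constructed sample

    if mitm:
        ma_priv, ma_pub = keygen()  # Mallory's key facing Alice
        mb_priv, mb_pub = keygen()  # Mallory's key facing Bob
        alice_receives, bob_receives = ma_pub, mb_pub  # substituted public values
    else:
        alice_receives, bob_receives = b_pub, a_pub    # genuine public values

    k_alice = derive_key(a_priv, alice_receives)
    k_bob = derive_key(b_priv, bob_receives)
    wire = xor_stream(k_alice, plaintext)  # what Alice puts on the network

    if mitm:
        k_ma = derive_key(ma_priv, a_pub)           # key Mallory shares with Alice
        k_mb = derive_key(mb_priv, b_pub)           # key Mallory shares with Bob
        adversary_reads = xor_stream(k_ma, wire)    # decrypt on the way through...
        wire = xor_stream(k_mb, adversary_reads)    # ...and re-encrypt toward Bob
    else:
        # A passive sniffer holds only (a_pub, b_pub, wire). Without either private
        # exponent there is no key to feed to xor_stream, so it recovers nothing.
        adversary_reads = None

    bob_reads = xor_stream(k_bob, wire)

    return {
        "bob_got_plaintext": bob_reads == plaintext,
        "adversary_got_plaintext": adversary_reads == plaintext,
        # What each end would read aloud if the UI asked them to compare a SAS.
        "sas_match": short_auth_string(a_pub, alice_receives)
                     == short_auth_string(bob_receives, b_pub),
    }


if __name__ == "__main__":
    for mitm in (False, True):
        print("man in the middle" if mitm else "passive sniffer", simulate_call(mitm))
```

In the sniffer run Bob gets the call, the adversary gets nothing, and the authentication strings agree. In the man-in-the-middle run the call still "just works" for both ends, which is the point: nothing in a ZUI design would tell either caller anything is wrong, because the only signal is the mismatched authentication string that no one was asked to compare. That comparison step, or a certificate in its place, is precisely the UI cost the essay says most designers refuse to pay, and it is only worth paying against an adversary who can already reroute all of your traffic.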
Skype, of course, did not encrypt simply because they believed in it. Skype's architecture routinely routes voice traffic through other Skype users with real IP addresses in order to get past NATs. Had they not encrypted, nasty users running these supernodes would be routinely listening in on the calls going through them, and even putting them up on the web. Skype had no choice but to encrypt. Other VoIP tools tend to send voice only through selected service provider nodes, or do it purely peer to peer, and the opportunity for a random wiretap is less (but not zero).
More on the lessons here in an upcoming essay about how Skype could kill SIP.