Monday, June 16, 2003


Bruce Schneier just published the latest issue of his newsletter “CryptoGram”,
available here. My favorite
bit was his link to this
, wherein an Idaho police department gave their officers laptops with wireless
access to the police network. As you may know, it’s basically trivial to crack
a 802.11 networks, even with WEP encryption enabled. To get around this, the police

added security by using a hard-to-crack
proprietary encryption protocol

This is a huge red flag
– secure protocols are generally not proprietary,
but rather developed in the public eye where they can undergo scrutiny by a community
of experts.

I’ve been down this road myself – I’ve invented security
protocols for clients only to invariably discover serious flaws in them months later
when I came to understand the problem better. When I went back to fix the problems,
I almost always converged on something that already existed – SSL, Kerberos,
whatever. Just look at WEP, the wireless encryption standard – even using “128-bit
encryption” it can be cracked in a matter of hours by freely available tools.
And even protocols that are thought by most experts to be secure can be cracked trivially
when they are implemented poorly.

Rule number one in security is: don’t
invent your own
. We’ll see how long it is before that police department
gets bit by their mistake.


  1. Hi Craig,

    >As you may know, it’s basically trivial to crack a 802.11 networks, even with WEP >encryption enabled

    No I don't! :) Can you point me somewhere for more info on this? Sounds scary. What do people do then?


  2. (Sorry, I've been at WinDev - mostly offline)

    Here's the best in-depth analysis a quick check turned up:

    Here's a good short explanation:

  3. Thanks! alas, the second link is the same as the first... ;)

  4. D'oh. Sorry about that. Try this one:

    And one of these days soon I'm going to add an RSS feed for comments so I'll find out about these sooner...