"The Cult of Schneier"

If there’s actually a cult out there, I want to hear about it. In an essay by that name, John Viega writes about the dangers of relying on Applied Cryptography to design cryptosystems:

But, after many years of evaluating the security of software systems, I’m incredibly down on using the book that made Bruce famous when designing the cryptographic aspects of a system. In fact, I can safely say I have never seen a secure system come out the other end, when that is the primary source for the crypto design. And I don’t mean that people forget about the buffer overflows. I mean, the crypto is crappy. My rule for software development teams is simple: Don’t use Applied Cryptography in your system design. It’s fine and fun to read it, just don’t build from it. […] The book talks about the fundamental building blocks of cryptography, but there is no guidance on things like, putting together all the pieces to create a secure, authenticated connection between two parties. Plus, in the nearly 13 years since the book was last revised, our understanding of cryptography has changed greatly. There are things in it that were thought to be true at the time that turned out to be very false….

I agree. And, to his credit, Viega points out that I agree:

But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.

This is all true.

Designing a cryptosystem is hard. Just as you wouldn’t give a person — even a doctor — a brain-surgery instruction manual and then expect him to operate on live patients, you shouldn’t give an engineer a cryptography book and then expect him to design and implement a cryptosystem. The patient is unlikely to survive, and the cryptosystem is unlikely to be secure.

Even worse, security doesn’t provide immediate feedback. A dead patient on the operating table tells the doctor that maybe he doesn’t understand brain surgery just because he read a book, but an insecure cryptosystem works just fine. It’s not until someone takes the time to break it that the engineer might realize that he didn’t do as good a job as he thought. Remember: Anyone can design a security system that he himself cannot break. Even the experts regularly get it wrong. The odds that an amateur will get it right are extremely low.

For those who are interested, a second edition of Practical Cryptography will be published in early 2010, renamed Cryptography Engineering and featuring a third author: Tadayoshi Kohno.

EDITED TO ADD (9/16): Commentary.

Posted on September 3, 2009 at 1:56 PM • 63 Comments