Crypto-snake oil

August 27, 2006

The temptation to cheat can be significant in these cases, and some studies have suggested that both car mechanics and doctors recommend a significant number of services that their customers do not really need. Could cryptography fall into the same category?

Economists divide goods into three types: search goods, experience goods and credence goods. Search goods have properties that are easy to check before you consume them. If you are in the market for a red car, for example, it is easy to check if a potential purchase is really red. Very few, if any, information security products fall into this category.

Experience goods have properties that are not obvious before you buy but are easy to verify after you consume them. If you are looking for a car with a certain fuel efficiency, perhaps getting at least 35 miles per gallon under your typical driving conditions, you cannot tell this by looking at the car itself (which is why laws mandate that this information be provided to consumers), but you can easily test it.

Many security products are probably experience goods. You cannot tell before you deploy it whether or not antivirus software or an intrusion detection system (IDS) will really protect your network, for example, but you can observe warning messages and review the logs of the products after they have been deployed to verify that they are actually working.

Credence goods have properties that cannot easily be checked, either before or after they are consumed. Organically grown produce and meat from animals raised in humane conditions are examples of credence goods; it is very difficult to verify these particular properties, even after you consume them.

Many medicines, including the historical snake oil, are also credence goods, because it is difficult to tell if your recovery was really due to the medication, a placebo effect, or even simply your body recovering on its own.

Products that implement cryptography are probably credence goods. Verifying that data is really being protected by cryptography requires expensive and uncommon skills, and most people cannot easily distinguish between very weak and very strong cryptography: both turn readable data into output that looks equally random. Even after you use cryptography, you are never quite sure that it is protecting you the way it is supposed to.

It is always possible that a clever adversary has developed an attack that defeats the cryptography you are using. He could then carry out that attack, perhaps reading your encrypted messages, and you would have absolutely no idea that he was doing it.
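To make the point above concrete, here is an added example that is not part of the original post. It compares a snake-oil scheme (repeating-key XOR) with a stand-in for a real stream cipher built from an HMAC-SHA256 keystream in counter mode (used only because the Python standard library has no AES; the argument is the same for AES-CTR). The plaintext, key, nonce, the crude entropy test and the English-scoring heuristic are all constructed for this example. Both ciphertexts pass the only check a buyer can cheaply run, "does it look random", yet the weak one gives up its key to a textbook ciphertext-only attack, and nothing in the product's observable behaviour would have told the buyer.

```python
"""Added example (not from the original post): why cryptography is a credence
good. Two schemes produce ciphertext that passes the one check a buyer can do
cheaply ("it looks like random bytes"), yet one of them is broken by a textbook
attack that leaves no trace the buyer could observe.

Everything below is constructed for illustration: the plaintext, the key, the
nonce, the snake-oil scheme (repeating-key XOR) and the stand-in "real" cipher
(an HMAC-SHA256 keystream in counter mode, standing in for AES-CTR).
"""
import hashlib
import hmac
import math
from collections import Counter

PLAINTEXT = (b"Cryptographic products are credence goods: buyers cannot tell "
             b"weak from strong cryptography by inspecting the ciphertext. ") * 6
KEY = bytes.fromhex("1f8ea703d45b92e62c71bf480df936a5")   # constructed 16-byte key
NONCE = bytes.fromhex("00112233445566778899aabb")          # constructed 12-byte nonce


def weak_encrypt(key: bytes, data: bytes) -> bytes:
    """Snake-oil scheme: XOR the data with the key repeated end to end."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real stream cipher: keystream = HMAC(key, nonce || counter).
    Unlike the weak scheme, no keystream byte is reused within a message."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, keystream))


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: the usual 'does it look random?' test."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 6.0) -> bool:
    """The experience-good check a buyer can actually run. English text sits
    around 4.5 bits/byte, so anything above the threshold 'looks encrypted'."""
    return byte_entropy(data) > threshold


def english_score(data: bytes) -> float:
    """Crude plausibility score for a candidate decryption: rewards spaces and
    letters, punishes bytes that never occur in English text."""
    score = 0.0
    for b in data:
        if b == 0x20:
            score += 2.0
        elif 0x61 <= b <= 0x7A:
            score += 1.0
        elif 0x41 <= b <= 0x5A:
            score += 0.5
        elif 0x20 < b <= 0x7E:
            score += 0.1
        else:
            score -= 5.0
    return score


def recover_repeating_key(ct: bytes, max_len: int = 20) -> bytes:
    """Textbook ciphertext-only attack on repeating-key XOR: for each candidate
    key length, every ciphertext column (the bytes sharing one key byte) is a
    single-byte XOR that frequency scoring solves on its own. The length whose
    recovered key yields the most English-looking plaintext wins; ties go to
    the shorter key, so multiples of the true length are never chosen."""
    best_key, best_score = b"", -math.inf
    for klen in range(1, max_len + 1):
        key = bytearray()
        for col in range(klen):
            column = ct[col::klen]
            key.append(max(range(256),
                           key=lambda k: english_score(bytes(b ^ k for b in column))))
        score = english_score(weak_encrypt(bytes(key), ct))   # XOR is its own inverse
        if score > best_score:
            best_key, best_score = bytes(key), score
    return best_key


def demo() -> dict:
    """Run both checks: the buyer's entropy test, then the attacker's key recovery."""
    weak_ct = weak_encrypt(KEY, PLAINTEXT)
    real_ct = stream_encrypt(KEY, NONCE, PLAINTEXT)
    recovered = recover_repeating_key(weak_ct)
    return {
        "plaintext_looks_encrypted": looks_encrypted(PLAINTEXT),   # False
        "weak_looks_encrypted": looks_encrypted(weak_ct),          # True
        "real_looks_encrypted": looks_encrypted(real_ct),          # True
        "recovered_key": recovered,                                # == KEY
        "weak_broken": weak_encrypt(recovered, weak_ct) == PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The entropy test is exactly the kind of experience check a buyer can perform: it separates plaintext from ciphertext but says nothing about the difference between the two ciphertexts. The key recovery is the classic attack on Vigenère-style XOR (the attacker needs only the ciphertext), and it runs entirely on the attacker's side, which is why the buyer never learns that the protection failed.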

Products cannot always be classified as purely search goods, experience goods or credence goods, and real products often have aspects of each category. Cars have some search characteristics, like their color, and some experience characteristics, like their fuel efficiency.

Similarly, information security products can have aspects of more than one category. We can easily review its logs to verify that a deployed IDS is detecting some attacks on our network, so it has some experience characteristics. At the same time, the tradeoff between Type I and Type II errors (false positives and false negatives) that you need to make when tuning an IDS means that a deployed IDS is probably also missing some attacks on your network, and you will never be informed of those.
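To make that tradeoff concrete, an added example that is not part of the original post: a toy score-based detector run over constructed events with known ground truth, which a real operator never has in production. The threshold sweep shows that no cut-off drives both error types to zero once the benign and malicious score distributions overlap, and the alert log shows why the misses stay invisible: only alerts produce a log line.

```python
"""Added example (not from the original post): the Type I / Type II trade-off
that keeps a deployed IDS from being a pure experience good. The events, their
anomaly scores and the ground-truth labels are constructed for illustration;
no real detector or data set is involved."""
from collections import namedtuple

Event = namedtuple("Event", "src score malicious")

# Constructed traffic: anomaly score on a 0-100 scale plus the ground truth an
# operator does not have in production. The two populations overlap on purpose.
EVENTS = [
    Event("10.0.0.11", 5, False),
    Event("10.0.0.12", 12, False),
    Event("10.0.0.13", 20, False),
    Event("10.0.0.14", 33, False),
    Event("10.0.0.15", 41, False),
    Event("10.0.0.16", 55, False),
    Event("10.0.0.17", 62, False),
    Event("10.0.0.21", 38, True),
    Event("10.0.0.22", 47, True),
    Event("10.0.0.23", 70, True),
    Event("10.0.0.24", 85, True),
    Event("10.0.0.25", 95, True),
]


def confusion(events, threshold):
    """Alert on every event with score >= threshold; return (tp, fp, fn)."""
    tp = sum(1 for e in events if e.score >= threshold and e.malicious)
    fp = sum(1 for e in events if e.score >= threshold and not e.malicious)  # Type I
    fn = sum(1 for e in events if e.score < threshold and e.malicious)       # Type II
    return tp, fp, fn


def alert_log(events, threshold):
    """What the operator can actually review afterwards: the alerts only.
    A miss (false negative) never produces a line, so it cannot be found here."""
    return [f"ALERT src={e.src} score={e.score}"
            for e in events if e.score >= threshold]


def sweep(events, thresholds):
    """Map each candidate threshold to its (tp, fp, fn) triple."""
    return {t: confusion(events, t) for t in thresholds}


def perfect_threshold_exists(events):
    """True only if some cut-off separates the two populations exactly."""
    candidates = sorted({e.score for e in events} | {max(e.score for e in events) + 1})
    return any(confusion(events, t)[1:] == (0, 0) for t in candidates)


if __name__ == "__main__":
    for t, (tp, fp, fn) in sweep(EVENTS, (30, 50, 65, 80)).items():
        print(f"threshold {t:>3}: detected={tp} false_alarms={fp} missed={fn}")
    print("clean separation possible:", perfect_threshold_exists(EVENTS))
    print("\n".join(alert_log(EVENTS, 65)))
```

Lowering the threshold to catch the two low-scoring attacks (38 and 47) also flags the benign hosts scoring 41, 55 and 62; raising it to silence those false alarms drops the two attacks off the log entirely. Whichever way the operator tunes it, the log only ever documents the side of the trade-off that fired.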
