The comedy of commercial encryption software
Every classic drama has some comic relief, and the comic relief in cryptography is provided by the activities of the commercial sector. At the same time that we were working on public-key encryption hardware we were also working in the more down-to-earth field of encryption software for PCs. As much as anything, this was because we needed something like this for ourselves so that we could make endless backups of our confidential data without having to worry about losing them. Our product was called Ultralock and it is interesting in today's perspective mostly because of the virus-like way that it stitched itself into the operating system it was protecting: in fact, later versions of Ultralock used the computer equivalent of restriction enzymes to splice themselves into the operating system's RNA.
Every encryption system has to have an encryption algorithm and Ultralock was no exception. Believing ourselves (rightly or wrongly) to be reasonably competent cryptographers, we rolled our own. It used the same Feistel architecture as the Data Encryption Standard but it was better adapted for use on microprocessors, which work on bytes rather than bits. As was always the case in those days, we had to submit our algorithm to a Government agency (the CCTA) for assessment. Whether they laughed or were impressed is something that history does not record; but we were certainly made to apply for an export licence every time we sold a copy of Ultralock overseas.
No product development is complete without assessing the competition, and so we bought and tried out some of the other products on the market. Initially we concentrated on features and modes of operation (was it fast? could it encrypt different files with different keys?) because of course any responsible software supplier would be using secure encryption.
When I got round to looking at the encryption algorithms themselves, I was appalled to discover that the suppliers had paid no attention at all to their security; or, if they had, then they did not know what they were doing. All of them with one exception could be broken by a bored hacker with a spare afternoon; the exception (Lattice SecretDisk in non-DES mode) was breakable with a little more skill, which made it into a pleasant diversion.
Encryption software is different from something like a word processor. With a word processor, you can easily see if the program works or not; but with an encryption program, you can encrypt your files and look at them in their encrypted form but the data will look just as random to the naked eye whether the encryption is trivially weak or unassailably strong. The user has, in fact, no way of knowing if he has a secure encryption product, and this puts a much greater burden of responsibility onto the supplier. A state of affairs where people were being sold, with spectacular claims, something that provided virtually no security at all was unacceptable.
Martin Kochanski, "A survey of data insecurity packages" in Cryptologia vol. 11 no. 1 (1987) pp. 1-15.
"Security software fails the test", in PC User, January 1987, pp. 104-115. Editorial and interview.
"Enigma variations", in The Economist, January 31 1987, p. 76.
So I published an article in Cryptologia showing the encryption algorithms that these products used and giving examples of how easy it was to break them. Lattice SecretDisk was omitted because people who tried to attack it would mostly fail, and so publishing a successful attack would have been unfair.
This exploit got us a certain amount of press coverage and a visit from a hot and dusty person who wanted to buy a copy of Ultralock anonymously for cash but had misjudged the distance across the fields from the nearest town. We took the cash but heard nothing more, which may be a reflection of Ultralock's strength or of the competence of the agent's employers.
There is a more serious side to this comedy. About a year later we became aware of a product called Fortress, from a major international firm of accountants, which promised unprecedentedly elaborate levels of access control and security for a PC. Naturally we got a copy.
We were stunned to find that Fortress used what was in many ways the weakest cryptosystem so far. Now this was really serious. This was not a question of some dubious fly-by-night company; this was a major firm of accountants and auditors, presumably selling its products to some fairly significant companies who would think, given the credibility of the supplier, that they were getting something that worked.
We published a press release on the subject and waited for a response. Given the size and respectability of the firm concerned, we expected a careful response along the lines of "certain weaknesses have been pointed out... here is a new version with a new cryptosystem". (There were by then many academics who would have been capable of designing such a system.)
"Martin Kochanski cracks Fortress" in Computer Fraud and Security Bulletin vol. 9 no. 6 (1987) pp. 1-3.
"Fortress: the debate continues" in Computer Fraud and Security Bulletin vol. 9 no. 7 (1987) pp. 10-11.
Adrian Berry, "Briton cracks best-selling computer code", in The Daily Telegraph, July 18 1988, p. 7.
Instead, the effort that could have been spent on securing the system was spent on public relations. The firm claimed that the attack could work only on our own copy of Fortress (in fact, it could work with any copy at all because it deduced the key from the data on the disk). "Encryption is only one part of a security system", they added. Possibly; but it is the part on which everything else depends. "We recommend that people use sensible precautions like safes and locked doors" – which begged the question why they had bothered to include encryption at all.
Martin Kochanski, "Another data insecurity package" in Cryptologia vol. 12 no. 3 (1988) pp. 165-173.
In the face of such irresponsibility it was not appropriate to let the matter rest and so Cryptologia published another paper containing an analysis and, to prove the point that no key was needed, a short program that could break into any Fortress disk in existence.
We did not follow the subsequent history of the product. One can imagine the office politics ("Fortress is irreproachably secure but let's withdraw it for other reasons") but that is only imagination. Whatever really happened, Fortress has certainly disappeared.
In retrospect this time marks a turning point in the history of cryptology. No longer would products compete on claimed "better algorithms" than their opposition. It became in everyone's interest to focus on published algorithms whose design principles were well known. Cryptographic products found other areas to compete in (speed, features, ease of use) and because cryptology is now a respectable academic discipline, the benefits of publishing a successful attack on a cryptosystem far outweigh the dubious benefits of keeping that attack secret and using it for some kind of fraud.
In this area, at least, cryptology has grown up.