Issue No. 09 - September (1998 vol. 31)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/2.708447
Popular magazines often describe cryptography products in terms of algorithms and key lengths. These security techniques make good headlines ("Triple DES is much stronger than single DES."). Unfortunately, cryptography isn't so simple: Longer keys do not guarantee more security. Compare a cryptographic algorithm to the lock on your front door. Improving the lock probably won't make your house more secure. Burglars don't try every possible key (the equivalent of a brute-force attack); most aren't clever enough to pick the lock (the equivalent of a cryptographic attack). No, burglars smash windows, kick in doors, disguise themselves as police, and rob key-holders at gunpoint. Strong cryptography is very powerful when it is done right, but it is not a panacea. Building a secure cryptographic system is easy to do badly and very difficult to do well. Unfortunately, most people can't tell the difference. In this article, the author conveys some of the lessons learned in designing, analyzing, and breaking cryptographic systems.
Bruce Schneier, "Cryptographic Design Vulnerabilities", Computer, vol. 31, no. , pp. 29-33, September 1998, doi:10.1109/2.708447