The $2 Billion Myth
The latest crypto debacle -- the Dutch transport card -- is a great example of how real value creation can prevented by myth and ego. The story is about the break of the Dutch government's transportation payment smart-card system - reportedly having cost $2 billion - as a result of the cards' cryptography functions being fundamentally flawed. (Ed Felton has (no surprise) good coverage of the break and the technical issues.)
The short story is that the card's designers used a custom, secret encryption scheme that turned out to be easily broken by attackers. Of course, as many readers will know, secret algorithms are one of the basic no-no's of modern cryptography - as is the use of custom algorithms.The current standard ciphers are the result of an enormous amount of scrutiny and work by very highly trained specialists, and the greatest likelihood is that a custom cipher will be flawed and breakable. So it's rather an odd decision for any system designer choose to forgo the low effort and high value of using standard crypto and instead invest in developing a custom cipher - to say nothing adding insult to injury by ignoring basic crypto principles about secret algorithms and short keys. Yet that's exactly what the designers of the Dutch transport card did.
You have to ask, why? Well in reality we'll never know what they thought, but here is my explanation about what might be the reason why, perhaps in this case but certainly in other cases I've seen and others my colleagues have seen. The answer is: Julius Caesar, Sherlock Holmes, Dick Tracy, secret de-coder rings, and the like - in other words, the myth of crypto, it's cool! Well, some really bad ideas - like making a custom cipher - have incredible staying power, despite many counter-examples, because of support from a powerful myth. Lots of techies had fun earlier in life playing with ciphers, or reading fact or fiction where crypto played a role. Look, I can break a cipher like Sherlock Holmes! Fun - and in fact you can find letter substitution cipher puzzles in some daily newspapers.
If you're still in the grip of the myth, and think crypto is cool, and think you're very clever, then it might make a sort of manic sense to think that you could roll your own and invent something new and valuable. But the real fact of the matter is that modern cryptography isn't cool, isn't fun, isn't something you can't do yourself - not anymore. Modern crypto is nearly pure math, finding functions that are hard to reverse, search spaces that are very very large, and so on - and oh yes, poking holes in others' attempts to do so. Doing the work behind making and breaking ciphers is the domain of very highly educated or extremely brilliant self-trained applied mathematicians with years and years of experience -- and they often don't get it right the first time, or the second, or the third. For the rest of us, there are the newspaper puzzles, Holmes, Tracey, and the like -- very sorry if this is bad news for you.
For those of you for whom it is not news, there's still the question: you're making a new product, you have a finite budget, and there's always more good ideas than budget - how could you possibly choose to expend budget and time on such as wheel-inventing exercise as a custom cipher? Even allowing for ignorance or manic self-confidence, there is a lesson for most of us. The lesson is about the difference in extrinsic (or visible or demonstrable) value vs. intrinsic value that we believe in ourselves. The MiFare folks believed that a custom cipher would be a better mousetrap, that is they thought themselves that it would stronger in some way. All mis-guided of course, but even if it were a better mousetrap, why would that create real value? Is there a problem with standard crypto? In this case, the real answer is that standard crypto would have met the product requirements just fine, and the product development effort could have been done cheaper or faster or with better features in some way. No one would have known or cared about the specifics of the crypto inside, no matter how much "better" the custom cypto was or wasn't.
So in general, when we're working on something new, when we have a number of different innovations that we could invest in, there's always a trade-off analysis. The main decision factor is whether the value of the innovation will be visible. Is the new product with the innovation better than the new product without the innovation, in any way that you can point to and explain simply? Justifications like "The foobar gizmo is way better than the other gizmos" won't do.
It's hard to avoid myths, and ego, and really durable recurring bad ideas. They'll crop up. But to ensure that they don't end up flushing $2 billion, I at least have a good litmus test: if I decide X and the result is Y, could I explain Y and justify X to my grandfather? He was a tough-minded but fair man, God rest his soul, and the Dutch transport cards couldn't have put this past him. I bet you know some people just like he was - ask them!
The short story is that the card's designers used a custom, secret encryption scheme that turned out to be easily broken by attackers. Of course, as many readers will know, secret algorithms are one of the basic no-no's of modern cryptography - as is the use of custom algorithms.The current standard ciphers are the result of an enormous amount of scrutiny and work by very highly trained specialists, and the greatest likelihood is that a custom cipher will be flawed and breakable. So it's rather an odd decision for any system designer choose to forgo the low effort and high value of using standard crypto and instead invest in developing a custom cipher - to say nothing adding insult to injury by ignoring basic crypto principles about secret algorithms and short keys. Yet that's exactly what the designers of the Dutch transport card did.
You have to ask, why? Well in reality we'll never know what they thought, but here is my explanation about what might be the reason why, perhaps in this case but certainly in other cases I've seen and others my colleagues have seen. The answer is: Julius Caesar, Sherlock Holmes, Dick Tracy, secret de-coder rings, and the like - in other words, the myth of crypto, it's cool! Well, some really bad ideas - like making a custom cipher - have incredible staying power, despite many counter-examples, because of support from a powerful myth. Lots of techies had fun earlier in life playing with ciphers, or reading fact or fiction where crypto played a role. Look, I can break a cipher like Sherlock Holmes! Fun - and in fact you can find letter substitution cipher puzzles in some daily newspapers.
If you're still in the grip of the myth, and think crypto is cool, and think you're very clever, then it might make a sort of manic sense to think that you could roll your own and invent something new and valuable. But the real fact of the matter is that modern cryptography isn't cool, isn't fun, isn't something you can't do yourself - not anymore. Modern crypto is nearly pure math, finding functions that are hard to reverse, search spaces that are very very large, and so on - and oh yes, poking holes in others' attempts to do so. Doing the work behind making and breaking ciphers is the domain of very highly educated or extremely brilliant self-trained applied mathematicians with years and years of experience -- and they often don't get it right the first time, or the second, or the third. For the rest of us, there are the newspaper puzzles, Holmes, Tracey, and the like -- very sorry if this is bad news for you.
For those of you for whom it is not news, there's still the question: you're making a new product, you have a finite budget, and there's always more good ideas than budget - how could you possibly choose to expend budget and time on such as wheel-inventing exercise as a custom cipher? Even allowing for ignorance or manic self-confidence, there is a lesson for most of us. The lesson is about the difference in extrinsic (or visible or demonstrable) value vs. intrinsic value that we believe in ourselves. The MiFare folks believed that a custom cipher would be a better mousetrap, that is they thought themselves that it would stronger in some way. All mis-guided of course, but even if it were a better mousetrap, why would that create real value? Is there a problem with standard crypto? In this case, the real answer is that standard crypto would have met the product requirements just fine, and the product development effort could have been done cheaper or faster or with better features in some way. No one would have known or cared about the specifics of the crypto inside, no matter how much "better" the custom cypto was or wasn't.
So in general, when we're working on something new, when we have a number of different innovations that we could invest in, there's always a trade-off analysis. The main decision factor is whether the value of the innovation will be visible. Is the new product with the innovation better than the new product without the innovation, in any way that you can point to and explain simply? Justifications like "The foobar gizmo is way better than the other gizmos" won't do.
It's hard to avoid myths, and ego, and really durable recurring bad ideas. They'll crop up. But to ensure that they don't end up flushing $2 billion, I at least have a good litmus test: if I decide X and the result is Y, could I explain Y and justify X to my grandfather? He was a tough-minded but fair man, God rest his soul, and the Dutch transport cards couldn't have put this past him. I bet you know some people just like he was - ask them!
Labels: cryptography, trade-offs
posted by E. John Sebes at
4:45 PM
