Serpent cipher

Re: The reality of it all.

I've tried quite some encryption programs, my feeling is, that many of them use the same encryption libraries or source codes, which are commercially available or free of charge on the web. Are there really so many things to go wrong just by using them?

 

It's about trendsetting.

If they're implemented properly, you're likely to be just fine. However, in some protocols, I've seen algorithm negotiation failures, even when the primitives themselves were implemented properly. I imagine that this wouldn't be a problem in most applications, though. Regardless, the way I feel about it lies within what you quoted me on, in your post: "Since the demands of consumers often influence how a product is developed, I don't want consumers thinking they need cascades, nor developers thinking they need to implement them."

Consumers often set the trends that vendors capitalize on; they, the consumers, think they need "more," and that's what the vendors give them; it follows that the software vendors themselves are often responsible for the consumers' misconception that more is better, with the jargon and hype they market.

Unfortunately, there's an enormous gap between cryptographers, developers, and consumers. Ultimately, the developers are responsible for implementing the cryptographers' primitives in the consumers' products; this is where the proper trends should be set. I make an effort to educate both developers and consumers on the reality of security and how to influence each other on the right security decisions to make.

It's not that you're going to be insecure by using correctly and securely implemented cascades; it's that consumers neither need cascades nor do developers need to stick them in software. My argument is more about good "trendsetting."

 

Re: It's about trendsetting.

Regarding cracking AES or any of the other strong algorithms, you're focussed on defeating the strongest component on an encryption system. It is many, many times more likely that a potential attacker, government agency, etc would accomplish any or all of the following long before they could crack the algorithm itself:
1, Discover an exploitable flaw in the encryption app itself.
2, Recover a cached or stored password.
3, Exploiting the operating system the encryption software is installed on and capturing the password (trojan, rootkit, etc).
4, Forcing or persuading the user to surrender the password.

No matter how good an encryption algorithm is, encryption is only as secure as the weakest part of the entire system that uses it. All of the better encryption algorithms are many times more secure than the windows operating system they're installed on can ever be made.
Rick