Three letter acronyms don’t provide good security!

As a second part for my previous post, here is an other post where Deb Shinder gets it wrong (or at least emphasizes the wrong words): Security Mechanisms in Office 2007.

My problem is not with the post per-se (because admittedly I only saw Office 2007 in the Channel 9 videos), but with this particular phrase (emphasis mine):

These include a much improved password protection scheme that uses AES, built in support for Windows Rights Management Services (RMS), more user friendly digital signature support, the ability to force users to use the new, more secure XML-based file formats, cryptographic options for Outlook and more.

Repeat after me: three letter acronyms don’t provide good security! Good security planning provides good security! I think that she falls here in the pit dug by many advertisers who put on their products things like 1024-bit military grade encrpytion and the like. Lets examine both of the claims in a little more detail:

AES encryption – simply by stating what encryption algorithm a product uses says (almost) nothing about the security of the product because it doesn’t say how it is used (to be fair it says that at least the developers were smart enough not to try to come up with their own algorithm).

more secure XML-based file formats – more secure than what? The XML based file format is easier to read and to extract metadata from than from the proprietary binary blob which is the original file format.

In fact the new file format is nothing more than a set of XML files inside of a good old ZIP archive, optionally with a password. In fact the article should say: Office programmers learn from their mistakes (of trying to come up with their own encryption algorithm) and start using proven industry standard!

Leave a Reply

Your email address will not be published. Required fields are marked *