What good cryptography error messages need to include

February 4, 2013

Suppose that you have a system that involves cryptography and at some point your cryptography indicates that there is a problem, one where something isn't verifying properly. Many programs fumble what happens next in a way that significantly degrades their security; they give people bad error messages, ones that make it hard for people to understand what's wrong.

Crypto error messages are very important because crypto error messages are your one chance to convince people not to go on anyways. People really want to what they were planning to do, so their default action is to override your warnings or errors and go on anyways (in whatever way that that takes). If there is a real problem (as opposed to a false alert) you desperately want people to stop, so you desperately want to convince them that there is a problem.

Generic error messages do not do this. Cryptic error messages do not do this. What both communicate to most people is nothing more than 'something went wrong in the magic black box' and that is not going to stop people from going on.

So my view is that a good crypto error message needs to include four things (at least). It needs to tell me exactly what is wrong, what it happened to, what it might mean, and what the minimal workaround is. As much as possible it should cover all of this in plain language because most people will not understand technical jargon. A good error message should also be comprehensive, in that the program should check everything it can instead of just stopping at the first error.

(It goes without saying that a good error message should also be accurate. Inaccurate error messages are a great way of training people to ignore them entirely.)

Although it's tempting to say that the goal of a crypto error message is to give people enough information that they can make an informed decision, that's not really it. The real goal is to give people enough information to convince them that you're right and something really is wrong. Allowing them to make an informed decision is secondary, although important in reality (because in reality it's probably more likely that you're wrong). If people override your warning, you want to have given them enough information so that they can confidently say why you're wrong.

(Well, so that people who care and pay attention can confidently say so. I'm a realistic idealist about this.)


Comments on this page:

From 99.253.218.182 at 2013-05-31 12:05:44:

Good crypto error messages must not leak information that reduces security.

Written on 04 February 2013.
« Systems with cryptography should always have minimal workarounds
Dynamic web sites and blogs need not be slow, illustrated »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Feb 4 02:46:42 2013
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.