Snake oil is an elixir sold by shady people as a miraculous cure for just about everything. It may not work.
Cryptographers use the term for cryptosystems that are built to look like real cryptosystems but aren't anywhere near as good as the hype suggests.
Of course, recognising snake oil is hard: every encryptor produces incomprehensible garbage (which is the point of encryption, of course), and to the eye the output of a weak cipher looks exactly as random as the output of a strong one. The warning signs are therefore in how the product is sold and documented, not in its ciphertext.
Here are some warning signs that suggest the cipher sucks:
- "Trust us. We know what we're doing." (But if they do, why aren't they saying how?)
- Technobabble ("Sure, our cipher uses a numerizer that perturbs the plaintext, producing 2^8 different variations." ...if they told you what it meant, you probably wouldn't buy the program. 2^8 is 256, by the way; a computer tries that many variations before you finish reading the sentence.)
- Secret algorithms (Trade secret, pat. pend., but trust us anyway, it will work, we guarantee it. Remember, it uses the Numerizer. A cipher nobody outside the company has seen is a cipher nobody outside the company has tried to break.)
- Revolutionary breakthroughs (It's new, but has it been tested for years? Ciphers aren't just made up and used; they earn trust by surviving years of public cryptanalysis.)
- "Expert" opinions and other such things ("Mr. L33t D00d has examined our cipher and couldn't break it. Popular Computing, August 26 2001 issue, also mentioned us and said this was 'really cool, baby'." A friendly hacker and a magazine write-up are not peer review by cryptographers.)
- Unbreakability (If it's really unbreakable, then it's also not decipherable =) More seriously: the one-time pad is the only cipher with a proof of unbreakability. For anything else the claim means at most "nobody has told us how to break it yet".)
- One time pads (Provably secure, but only if the pad is truly random, at least as long as all the messages put together, and never used twice. That is not practical for every-day communication, so it's obvious some vendors cheat, by reusing the pad or by generating it from a short key with a pseudo-random generator, and that can be disastrous: two messages under the same pad leak their XOR, and a generated "pad" is just an untested stream cipher wearing an OTP label.)
- "Competitor X is insecure" (And the proof was...?)
- Recoverable keys (...and the l33t d00dz can recover my key, too? A key recovery or escrow feature is a back door, and back doors don't check who is using them.)
- Exportable from the USA (Oo, let me guess, 40-bit keys, right? US export rules of the time capped key lengths at about 40 bits, a size that was already being brute-forced on ordinary hardware in the mid-1990s.)
- "Military grade" (The Germans used Enigma, and it was military grade. Does that prove anything?)
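The one-time pad item above says that cheating "can be disastrous" without showing why. The following is an added example, not code from the Snake Oil FAQ or from any product it describes: a correct pad reel that refuses to reuse key material, beside the cheat (one pad, every message), and the classic two-time-pad attack against the cheat. The two messages, the crib " THE " and the pad bytes are constructed here for illustration; the function and class names are my own.

```python
"""Why a 'one-time pad' product that reuses its pad is snake oil.

Added example (not from the Snake Oil FAQ). Messages, crib and pad are
constructed for illustration; names like PadReel are assumptions.
"""
import os
import string


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadReel:
    """Correct OTP usage: each pad byte is used exactly once, then it is gone."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._pos = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        if self._pos + len(plaintext) > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._pos:self._pos + len(plaintext)]
        self._pos += len(plaintext)
        return xor_bytes(plaintext, chunk)


def cheating_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """The cheat: the same pad bytes are reused for every message."""
    return xor_bytes(plaintext, pad)


# Alphabet the attacker expects in the plaintexts (constructed messages use it).
ALLOWED = set(string.ascii_uppercase.encode() + b" ")


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Two-time-pad attack.

    c1 XOR c2 == m1 XOR m2: the pad cancels out entirely. Slide a guessed
    word (the crib) along that stream; wherever the result is readable text,
    the crib most likely occurs in one message at that offset and the output
    is what the *other* message says there.
    """
    stream = xor_bytes(c1, c2)
    hits = []
    for off in range(len(stream) - len(crib) + 1):
        cand = xor_bytes(stream[off:off + len(crib)], crib)
        if all(b in ALLOWED for b in cand):
            hits.append((off, cand))
    return hits


def recover_with_known_plaintext(c1: bytes, m1: bytes, c2: bytes) -> bytes:
    """If one message is fully known, pad = c1 XOR m1 and the other falls out
    (up to the length of the known message)."""
    pad = xor_bytes(c1, m1)
    return xor_bytes(c2, pad)


# Constructed sample messages (not real traffic).
M1 = b"ATTACK AT DAWN ON THE EAST BRIDGE"
M2 = b"RETREAT TO THE NORTH RIDGE AT ONCE"
PAD = os.urandom(64)  # a genuinely random pad: the cipher is not the problem


def demo() -> tuple[list[tuple[int, bytes]], bytes]:
    """Encrypt both messages with the reused pad and attack the result."""
    c1 = cheating_encrypt(M1, PAD)
    c2 = cheating_encrypt(M2, PAD)
    hits = crib_drag(c1, c2, b" THE ")
    other = recover_with_known_plaintext(c1, M1, c2)
    return hits, other


def pad_reuse_is_refused() -> bool:
    """The honest reel runs out after M1 and refuses to encrypt M2 with leftovers."""
    reel = PadReel(PAD)
    reel.encrypt(M1)
    try:
        reel.encrypt(M2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    found, recovered = demo()
    for off, text in found:
        print(f"offset {off:2d}: {text!r}")
    print("M2 recovered from known M1:", recovered)
    print("honest reel refuses reuse:", pad_reuse_is_refused())
```

Note that the pad itself is perfectly random; nothing about the cipher is broken. The crib " THE " lands at offset 10 in one message and offset 17 in the other, and each hit prints the other message's text at that position, so an attacker holding only the two ciphertexts reads both messages word by word. A product that derives its "pad" from a short key with a pseudo-random generator fails in the same way, because every message shares the same generated stream.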
Source: Snake Oil Warning Signs: Encryption Software to Avoid (the Snake Oil FAQ), C. Matthew Curtin; http://www.interhack.net/people/cmcurtin/snake-oil-faq.html