by dsacco
2984 days ago
> Is it true that the encryption algorithms still aren't the weakest link for highly sensitive classified information (e.g. in the government)? (Or in similar high-secrecy situations, not the ones that an everyday person takes part in)

Yes. The weak link for cryptography is implementation. Implementation is insidious because it's easy to implement an existing cryptographic specification in a way that looks safe but which is completely broken. It's also an attractive exercise for people who know how to write software. In contrast, designing novel cryptography (especially public key cryptography) requires a very advanced understanding of mathematics and complexity theory before you can even get to the "seems convincing, but is actually horribly broken" stage. If you want to compromise a cryptosystem you attack the individual implementation, not the design specification that has withstood a generation of careful scrutiny by well-funded mathematicians and computer scientists.

> Also, if current methods aren't backed by rigorous mathematics, isn't that a risk in and of itself?

I think Schneier probably shouldn't have written his point this way; in context he's referring to provable security. Provable security is a separate, complexity-theoretic study. The mathematics underlying our cryptosystems is very well understood in the sense that we generally have a mature understanding of how difficult various intractable problems are. The difficult part is mapping that intractability to specific cryptographic properties in an adversarial model, such as existential unforgeability. For example, NTRU is a well-studied, currently safe cryptosystem which didn't have any provable security metrics for at least a decade after it was invented. Provable security does represent a risk, which is why it's always an active research topic. But importantly, provable security exists within a computational framework - it is not solved by proposals for quantum cryptography.