Full Disclosure mailing list archives

Re: "security by obscurity"
From: "Roland Postle" <mail () blazde co uk>
Date: Mon, 09 Dec 2002 20:03:36 +0000

On Mon, 09 Dec 2002 18:57:35 +0200, Georgi Guninski wrote:
> Berend-Jan Wever wrote:
> > ... isn't hiding your root password security through obscurity ?
> > ... isn't hiding your private PGP key security through obscurity ?
> > ... isn't 90% of security based on these kinds of obscurity ?
>
> IMHO this is not security by obscurity.
> An example for security by obscurity is the following:
> I give you an application which does encryption, but I don't tell you how it
> works at all.
> The marketing says it is tru$tworthy and unbreakable.

It helps to understand the basic problem with security through
obscurity: Someone may discover what you've obscured.

Some people will disagree but I think the term 'Security through
Obscurity' stems from the basic crypto tenet that the strength of your
cypher should depend on keeping some easily changeable key data secret
not on keeping the underlying algorithm (which is very expensive to
change) secret.

So far from being 'security through obscurity', passwords are actually
its replacement. You move all your security into a small, cheap to
change, easily defended piece of data. Meanwhile you have the added
advantage that you can safely show everyone your implementation and
they can help check that your security really does rely on your key
data. That's if you want to. And if you don't want to, it doesn't mean
you're /relying/ on security through obscurity. You're just denying
your attackers information. In an ideal world you can give away all the
details of your setup and still no one can break it. But computer
security is a long way from that, and if you hide your Apache banner,
for instance, your attacker may just go elsewhere.

You can probably draw many interesting analogies with weapons of mass
destruction but I don't think any of them are relevant because the
security can't be separated out into a single easily changeable, easily
defended component. Not yet anyhow.

- Blazde
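A small Python illustration of the point made above, added here and not part of the original post or thread: two ways to authenticate a message, one whose only secret is the (unkeyed) algorithm and one whose algorithm is public and whose secret is a small key. The transform and `HIDDEN_CONSTANT` in `obscure_tag` are constructed for the example; the keyed scheme is standard HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: the 'obscurity' baked into the code itself.
HIDDEN_CONSTANT = b"baked-into-the-binary"


def obscure_tag(message: bytes) -> bytes:
    """Scheme A: an unkeyed transform whose only protection is that nobody
    is supposed to know how it works. Nothing in it can be rotated."""
    return hashlib.sha256(message[::-1] + HIDDEN_CONSTANT).digest()


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Scheme B: a public algorithm (HMAC-SHA256); all secrecy lives in `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(expected: bytes, presented: bytes) -> bool:
    """Constant-time comparison, the same for both schemes."""
    return hmac.compare_digest(expected, presented)


def leaked_code_forgery_obscure(message: bytes) -> bytes:
    """Someone who has read the source can reproduce obscure_tag exactly, so a
    valid tag for any message follows immediately, and the only remedy is to
    redesign and redeploy the algorithm."""
    return obscure_tag(message)


def leaked_code_forgery_keyed(message: bytes) -> bytes:
    """Same reader, Scheme B: the algorithm is fully known but the key is not,
    so the best available move is a guess at the 32-byte key."""
    return keyed_tag(secrets.token_bytes(32), message)


def new_key() -> bytes:
    """The small, cheap-to-change, easily defended component the post
    describes: replacing it invalidates every tag made under the old key."""
    return secrets.token_bytes(32)
```

Rotating the key is one call; rotating a secret algorithm is a rewrite, which is the cost asymmetry the post is pointing at.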

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
