[Full-Disclosure] "security by obscurity"
mail at blazde.co.uk
Mon Dec 9 20:03:36 GMT 2002

On Mon, 09 Dec 2002 18:57:35 +0200, Georgi Guninski wrote:
>Berend-Jan Wever wrote:
>> ... isn't hiding your root password security through obscurity ?
>> ... isn't hiding your private PGP key security through obscurity ?
>> ... isn't 90% of security based on these kinds of obscurity ?
>IMHO this is not security by obscurity.
>An example for security by obscurity is the following:
>I give you an application which does encryption, but I don't tell you how it
>works at all.
>The marketing says it is tru$tworthy and unbreakable.

It helps to understand the basic problem with security through
obscurity: Someone may discover what you've obscured.

Some people will disagree but I think the term 'Security through
Obscurity' stems from the basic crypto tenet that the strength of your
cypher should depend on keeping some easily changeable key data secret
not on keeping the underlying algorithm (which is very expensive to

So far from being 'security through obscurity', passwords are actually
its replacement. You move all your security into a small, cheap to
change, easily defended piece of data. Meanwhile you have the added
advantage that you can safely show everyone your implementation and
they can help check that your security really does rely on your key
data. That's if you want to. And if you don't want to, it doesn't mean
you're /relying/ on security through obscurity. You're just denying
your attackers information. In an ideal world you can give away all the
details of your setup and still no one can break it. But computer
security is a long way from that, and if you hide your Apache banner,
for instance, your attacker may just go elsewhere.

You can probably draw many interesting analogies with weapons of mass
destruction but I don't think any of them are relevant because the
security can't be separated out into a single easily changeable, easily
defended component. Not yet anyhow.
Full-Disclosure is hosted and sponsored by Secunia.