Slashdot Mirror


Security By Obscurity — a New Theory

mikejuk writes "Kerckhoffs' Principle suggests that there is no security by obscurity — but perhaps there is. A recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better. In addition to considering the attacker's computing power limits, he also thinks it's worth considering limits on their logic or programming capabilities (PDF). He recommends obscurity plus a little reactive security in response to an attacker probing the system. In this case, instead of having to protect against every possible attack vector, you can just defend against the attack that has been or is about to be launched."


  1. Remember it only talks about cryptography by tech4 · · Score: 5, Informative

    I hate it when people always seem to take the phrase out of context and apply it to mean any kind of security, like network security or the old Windows/Linux battle. It's a completely different kind of situation, and in the former it's especially true that security by obscurity is a hardening layer. It's also why Linux has managed to stay as (consumer) malware free today, even though it still has a fair share of its own worms and other security problems.

    1. Re:Remember it only talks about cryptography by davester666 · · Score: 5, Funny

      This part of the summary is just great: "... is about to be launched"

      Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Remember it only talks about cryptography by elucido · · Score: 2

      > This part of the summary is just great: "... is about to be launched"

      > Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

      It also assumes we can determine the capability or the resources the enemy is willing to employ. It's a lot safer to assume you don't know than to try and assume you know.

    3. Re:Remember it only talks about cryptography by cgenman · · Score: 5, Insightful

      The problem is that Security by Obscurity is the defense of lazy vendors who should damn well know better. On the one hand, it's "obscure" that a particular keyphrase known by trusted people will get you to a layer of network security. It is slightly less "obscure" to have your server up on an unresponsive IP address. It's technically a form of "obscurity" to think the hackers wouldn't notice that you left an FTP server up and running without realizing it, or that the default login was still viable. But when vendors use that form of the term obscurity, they're just masking the fact that they are selling you rubbish.

      Any properly secured system should be able to proudly proclaim all of its pertinent information to the world, including source code to all available participants, and still be secure. ONLY THEN, should obscurity be layered on. But if your vendor or contractor starts talking about obscurity first, they don't have a clue what they're doing.

      Obscurity is icing. Minimalist, properly protected system design with multiple layers of protection, iron-clad internal logging, and no routes to privilege escalation (especially social) is the route to security. Obscurity is a mildly nice icing that makes maintaining servers less problematic. It also usually leads to lazy vendors creating the illusion of security out of a soon-to-be-had massive privacy lawsuit.

  2. I don't think they understood. by khasim · · Score: 2, Insightful

    Obscurity only makes your security "brittle". Once broken, it is completely broken. Like hiding your house key under a flower pot.

    Which means that the real security is the lock on the door. All you've done is allow another avenue of attacking it.

    1. Re:I don't think they understood. by jhoegl · · Score: 3, Interesting

      There is another way to look at this.

      Imagine you have gold behind a locked door. Now imagine you have 50 locked doors.

      This is your security through obscurity.

    2. Re:I don't think they understood. by Cryacin · · Score: 3, Insightful

      Well, if you had them behind 2^128 you'd have a trust certificate :P

      --
      Science advances one funeral at a time- Max Planck
    3. Re:I don't think they understood. by jmerlin · · Score: 2, Insightful

      And once you guess their encryption password, their encryption isn't completely broken? Your analogy is flawed, fundamentally you are assuming someone leaves a key lying around in an easily accessible area. No security we have isn't fundamentally based on obscurity. None.

    4. Re:I don't think they understood. by thegarbz · · Score: 5, Interesting

      > Which means that the real security is the lock on the door.

      But that is also just obscurity in another form. The obscure part is that the attacker doesn't know the combination to the lock, or doesn't know how the tumblers specifically are keyed. Otherwise a key could be made up.

      All security is obscurity, just different levels of it. In some schemes the obscure value is shared (hidden directory on the server that isn't crawled but can nonetheless be accessed by a direct link). Some obscure values aren't (public key encryption).

      Hiding the key under the rock is analogous to using a weak form of obscurity to hide a strong one. Which in this case is no better than the obscurity of not letting anyone know that the door lock doesn't actually work anyway.

    5. Re:I don't think they understood. by buchner.johannes · · Score: 2

      Think about it a little more and you'll see that it's the same thing. A number and its representation in a numeral system share a duality. Also, it's not 2^128 bits, it's 128 bits, but you probably meant that anyways.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:I don't think they understood. by rainsford · · Score: 2

      No, the encryption ISN'T completely broken. If I have an encryption system that uses passwords for security, and you guess my password, the security is broken for this instance of the system...but I can just pick another password and security is restored. "Security through obscurity" doesn't mean security based on ANY secret, it means security through secrecy in some fundamental element of the system, especially when such a secret makes the system brittle. If you steal my key, I can simply rekey a lock and I'm just as secure as before. But if I ALWAYS leave a spare key in the same spot, once you figure that out the entire system is fundamentally broken. That's security through obscurity.

    7. Re:I don't think they understood. by jbengt · · Score: 2

      > Your analogy is flawed, fundamentally you are assuming someone leaves a key lying around in an easily accessible area. No security we have isn't fundamentally based on obscurity. None.

      Secrecy is not identical to obscurity. The meaning of obscurity in "Security Through Obscurity" refers to the overall scheme and methods. The secured secrecy of keys and the like is assumed and does not mean that the security system is based on obscurity as understood in the context of discussing security through obscurity.

      From the Wikipedia article linked in TFS:

      > Using secure cryptography is supposed to replace the difficult problem of keeping messages secure with a much more manageable one, keeping relatively small keys secure. A system that requires long-term secrecy for something as large and complex as the whole design of a cryptographic system obviously cannot achieve that goal. It only replaces one hard problem with another. However, if a system is secure even when the enemy knows everything except the key, then all that is needed is to manage keeping the keys secret.

      Think of going to two banks to decide where to store some irreplaceable valuables.
      In one bank, they tell you about their armed security guards, they show you the vault and describe how thick the steel is, how it operates on a timeclock and a combination. They detail how they give you one key to the safety deposit box and how they keep the other, and that you need both keys to open the box. They tell you that before they let you past the armed guards they require you to show identification and sign in, and only then will they accompany you to your box to turn their key while you turn yours to open the box. They even give you the blueprints to the bank to assure you how well it's built.
      The other bank tells you that they can't say what they do with your valuables, because they need to keep it a secret in order to maintain security.
      Which bank would you prefer?

      Of course, if you are handling your own security, adding multiple layers, including obscurity, can help. But at the core, you need to implement similar protections as the first bank, or you are just fooling yourself to think you are being as secure as it.

    8. Re:I don't think they understood. by thsths · · Score: 3, Insightful

      > Which bank would you prefer?

      And that is the key point. Real security can be audited without compromising it. Obscurity cannot be audited - you have to take their word that it is "obscure" enough. And what is obscure or inconceivable to some person may be perfectly obvious to another (such as a blackhat with actual security skills...).

    9. Re:I don't think they understood. by buchner.johannes · · Score: 2

      No. Only the following two are true:
      (a) A 128 bit certificate is the equivalent of 128 light switches that have all to be in the right setting (not 2^128),
      (b) A 128 bit certificate is the equivalent of 2^128 doors, of which you have to find the right one.

      Here the arrangement of 128 options with 2 choices is the equivalent of choosing the ordering number in a sequence of 2^128 elements.

      Doors with (counter)clockwise just half the number of doors needed, as you can see each rotation as a separate door. Or you go back to the example of a vault lock based on a certain order of specific rotations -- then you are again talking about a combinatoric issue. If your argument is that the unknown procedure is the security, then I just have to find a way to list all the possible solution procedures -- the complexity of that is the security of the lock. Nothing is gained.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Sure by EdIII · · Score: 3, Insightful

    That's fine and all. If you want to create your security through incomplete information, or different tactics and strategy, that is a choice.

    Just don't be a childish whining little bitch and run to the FBI to stop the big bad anti-social "hackers" from revealing your used-to-be incomplete information in security conventions and trying to have them arrested.

    You get double whiny bitch points trying to invoke copyright to prevent the "leakage" of your incomplete information.

    I certainly get the point of the article, but a system that is secured through well thought out and tested means will always trump a system where, "Golly Gee Willickers Bat Man.... I hope they don't find the secret entrance to our bat cave that is totally unprotected and unmonitored".

    1. Re:Sure by EdIII · · Score: 4, Insightful

      I don't think that is what they mean by incomplete information.

      In the context of security through obscurity it has always, to me, seemed to mean that your method and process of providing security is not well understood and it is this fact that is providing the majority of the security. If somebody figures out the method or process, your security is greatly compromised.

      A password, or private key, is not a good example in this case. I think a better example would be that passwords and private keys protect documents created by a certain well known company, but that their methods and processes were so laughable that you could create a program to bypass the keys themselves.

      Or in other words........ the only thing keeping Wile E Coyote (Super Genius) from getting to Bugs Bunny through the locked door is his complete lack of awareness that there is nothing around the door but the desert itself. Take two steps to the right, two steps forward, turn to your left, and there is Bugs Bunny. You did not even have to get an ACME locksmith to come out.

    2. Re:Sure by EdIII · · Score: 4, Informative

      Uhhhhhh..... okay

      I am not redefining terms here at all.

      Granted, this is from Wikipedia:

      > Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

      icebraining is not correct here, and your assertion I am changing the definition from the norm and widely accepted definition is false. Security through obscurity, as a concept, is not something vague and a matter of perspective. It is a very well defined term in security and has been for quite some time.

      According to the definition above, a password is not incomplete information, or information being obscured, as it is being presented in the context of the article and the principle of security through obscurity.

      Making this a philosophical debate that a password is also obscurity at some level has nothing to do with the principles that are mentioned.

    3. Re:Sure by moderatorrater · · Score: 3, Insightful

      It's an identifier. Security through obscurity is where methods, processes and algorithms are hidden in an attempt to create security. It's the difference between having a vault door with a lock and having a hidden door with no lock.

      Passwords and private keys are very specific pieces of information that use algorithms to make it mathematically (almost) impossible to figure out. Obscure processes and methods and algorithms, on the other hand, are negligibly easy to find out when it comes to computers. Computers are too powerful to hide something from them (with a few exceptions mentioned above). Relying on obscurity is a fool's game in those circumstances.

  4. Nature disagrees by Anonymous Coward · · Score: 3, Interesting

    Camouflage is the oldest and most natural form of security on the planet.

  5. Misapplication of Kerckhoffs' Principle by telekon · · Score: 3, Interesting

    Kerckhoffs' Principle specifically applies to cryptosystems. Not only does TFA describe more of a generalized application to systems and code, but it's not really describing 'security through obscurity.' It's describing informational arbitrage, i.e., profiting (not necessarily financially) from an imbalance of knowledge on one side of a two-participant game.

    The dynamic adaptive approach has its merits, particularly as it is increasingly clear that most security is only the illusion of security, maintained until it is breached. But traditional 'security through obscurity' refers to systems for which the only security measure in place is maintaining the secrecy of a protocol, algorithm, etc.

    It seems to me the ideal approach is a balanced one, that embraces the UNIX philosophy: cover the 90% of most common attack vectors with proven security measures (and update practices as needed), and take a dynamic adaptive approach to the edge cases, because those are the ones most likely to breach if you've done the first 90% correctly.

    --
    To understand recursion, you must first understand recursion.

  6. SbO: lame by Dr.+Tom · · Score: 2

    Security by Obscurity is lame. The REAL test of a good security protocol is when you publish ALL the details and the bad guys STILL can't get in. If you are merely relying on somebody, somewhere, not saying anything, you are asking for it. All the real security products that people actually trust are open source. I will never, ever, ever, ever, trust anything that is closed source. There could be a back door, and you can't argue with that. Again, and again, and again, the ONLY security algorithms worth talking about are OPEN. If you can publish your work in public and STILL be secure, THAT is security. That is quite possible, it has been done many times. If you can't do that, you are just making excuses for your lame security that relies on a secret. Look at history. Your secret will be published, and then your product will be dead.

  7. Re:Yet... by RoFLKOPTr · · Score: 4, Funny

    A new kind of goatse troll in which the troll commenter hides his actions by contributing to the thread in a positive manner.

    *golfclap*

  8. Missing the point? by nine-times · · Score: 3, Interesting

    Well maybe I'm wrong, but I always thought the complaints of "security by obscurity" were not that obscurity couldn't be helpful to security, but that it was a bad idea to rely on obscurity.

    It seems obvious to me that the more complete the attacker's knowledge, the greater the chance of a successful attack. If an attacker knows which ports are opened, which services are running, which versions of which software are running which services, and whether critical security patches have been applied, for example, it's much easier for them to find an attack vector if there is one. You're more secure if attackers don't know that information about your systems, because it forces them to discover it. That takes additional time and effort, and they may not be able to discover that information at all.

    However (and here's the point), it's not a good idea to leave your systems wide open and insecure and hope that attackers don't discover the holes in your security. It's not smart to rely on the attacker's ignorance as the chief (or only) form of protection, because a lot of times that information can be discovered. It's true that "obscurity" is a form of security, but it's a fairly weak form that doesn't hold up over time. The truth tends to out.

  9. Re:Yet... by NoSleepDemon · · Score: 2

    Goatse through obscurity?

  10. Re:Yet... by RoFLKOPTr · · Score: 2

    Wow that didn't even cross my mind. So in addition to contributing to the thread positively, the goatse troll is actually relevant to the topic at hand. Absolutely amazing. A technological marvel.

  11. "Security by obscurity" is misleading. by ZouPrime · · Score: 2

    As an information security professional, I've always seen the whole "security by obscurity" issue as somewhat misleading. By repeating the mantra, I feel many people forgot its true meaning.

    Security shouldn't RELY on obscurity. That's true. But it doesn't mean obscurity, by itself, doesn't provide security benefits.

    There are many examples where this is obvious. For example, would you publish your network topography on your public website? Of course not. Even if you were convinced that its security and access control are air tight, the cost of keeping such documentation "obscure" is negligible versus its usefulness to a potential attacker.

    The problem arises when obscurity is used in lieu of proper security. Unfortunately, it still happens too often. But while the presence of obscurity may be seen as suspicious by an outside party trying to evaluate the security of a system, it shouldn't be considered as evidence of its insecurity, as it sometimes is.

    Finally, I understand the "many eyes" argument, and how public disclosure of the security details of a system can help improve it. After all, nobody would think about trusting a crypto algorithm that hasn't been made public and scrutinized accordingly. But this logic cannot be generalized for all systems in all contexts.

  12. You have it wrong. by khasim · · Score: 3, Informative

    > And once you guess their encryption password, their encryption isn't completely broken?

    You're confusing the "obscurity" portion of that statement.

    Passwords should rely upon the difficulty in cracking them due to their complexity. The system is known. The password is not known.

    Security through obscurity refers to the workings of the system being hidden. Such as the key under the flower pot opening the door. Once that information is discovered, the system is cracked.

    1. Re:You have it wrong. by Daniel_Staal · · Score: 2

      The idea of any security system is to reduce the number of fatal secrets. The minimum number is one. (Otherwise you have an open-access system.)

      Your password, or key, should be that one. It shouldn't matter if the attacker gets everything else, they still can't get your data.

      'Security Through Obscurity' is saying 'we've removed this fatal secret by hiding it from the attackers'. Um, no. All you've done is made it slightly harder for them to find. It's still a fatal secret. If you want to remove it from the system, you'll have to make it not matter if they've got it.

      Then, of course, you hide it. Because you assume that you missed something. ;) But the intent is that it doesn't matter if the attacker finds everything but the key.

      --
      'Sensible' is a curse word.
  13. Nope. That would be "obscurity". by khasim · · Score: 3, Informative

    > I am not suggesting leaving it open and just not telling anyone. That would be crazy.

    No, that would be "security through obscurity".

    > What you want to do is keep it secure as possible, but give the potential intruder something else to work on that yields no results, but increases their risk of exposure.

    But that does nothing to improve the security of the system. If the attacker chooses the correct door (or whatever) then you're left with only the defenses of that door.

    > Security through obscurity does not automatically assume that it is a door left wide open, just no one knows about it.

    No. The "security THROUGH obscurity" means that the door IS unlocked (or unlockable with the hidden key) and that the "security" comes from no one KNOWING that it is a way in. That's what the "through" part of that statement means.

    > Do you understand the thinking now?

    I've always understood it. And you're making a very common mistake. Obscurity != Secret in "security through obscurity".

    1. Re:Nope. That would be "obscurity". by artor3 · · Score: 2

      Man, you beat the ever-loving shit out of that strawman!

      Nobody talks about security exclusively through obscurity. Secrecy is just an added layer.

      The added security of many eyes reviewing your code makes up for the loss of security from having the code visible. *That* is why Linux is more secure than Windows. But security through obscurity is not useless.

  14. OpenBSD: Only two remote holes in years by tepples · · Score: 4, Informative

    > Of course, just correctly guess sooner, and then you can fix the system beforehand

    One method to make such a guess is called a "code audit", and code auditing practices applied since mid-1996 are part of why OpenBSD has had only two remote vulnerabilities for over a decade.

    1. Re:OpenBSD: Only two remote holes in years by TheLink · · Score: 2

      And MSDOS has had zero remote vulnerabilities in the default install for longer (you can add TCP/IP support to MSDOS, but it's not there by default).

      Seriously, the main reason why OpenBSD had few remote vulnerabilities in the default install was because they only had one service running in the default install- e.g. openssh. ( http://en.wikipedia.org/wiki/OpenBSD#Security_and_code_auditing )

      If some idiot installed phpnuke/phpbb, apache with an outdated version of the app, php etc, they'd be just as pwned whether they were running OpenBSD, FreeBSD, Ubuntu or Windows.

      So such claims are as stupid as Microsoft saying that the default IE on Windows Server 2003/2008 is not vulnerable to XYZ. With the default IE, javascript doesn't run on most sites, you can't download practically anything, you get warnings on almost any webpage. Who really uses IE in its default config on Windows Server 2003/2008? I normally reconfigure it so that I can download another browser ;).

      I look with suspicion on anyone making such claims.

      Now if on the other hand you had an operating system which tracked where input/output came from e.g. untrusted NIC vs trusted NIC, then all processes, threads etc launched and any resulting communications would be "tainted", and tainted processes would be unable to do certain things unless the communications were "untainted" via a special process, then things would be much harder for attackers but they might be much harder for developers as well (debugging why an app failed could be harder ;) ). Which is probably why such operating systems aren't popular ;).

      Of course even if you go through all that trouble, if there are bugs the attacker might still be able to break out. But the difference is if the system actually works, you get an extra layer of protection even if there are bugs in the applications.

  15. Not exactly. by khasim · · Score: 3, Interesting

    > There are other ways to have obscurity.

    > What if you put the lock for the door underneath one of the many flower pots, and perhaps even have a completely non-functional keyhole on the door itself.

    That isn't "obscurity" in the context of "security THROUGH obscurity". The word "through" is important there.

    You can have a functional security system and add misdirection to that without reducing the overall security of the system. But the system, in the end, still depends upon the original security model. Once the correct key hole is known, the lock still must be cracked.

    You can add obscurity without making the security dependent upon the obscurity.

  16. Which is more than its coders got by dutchwhizzman · · Score: 2

    Come on, you are way off topic here. You deserve the troll remark. It's about obscurity as a risk mitigation factor, not as an unbreakable defense. That has nothing to do with what OS is better at staying secure. All "major" operating systems get code reviews. Once they get more popular, they get more people reviewing code and probing for vulnerabilities. I'm fairly certain Windows and OSX get more code reviews and probing than FreeBSD does. If you want to spend time finding a vulnerability in an OS for profit, you spend time on the one with the biggest potential gains. Getting a zeroday on FreeBSD most likely will not gain you a lot, while getting one on Windows will give you your own botnet of meeeeelions of machines, controlling meeeelions of credit cards, bank accounts and what not.

    Not the quality of the code, but the obscurity of FreeBSD is what caused the lack of remote vulnerabilities.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:Which is more than its coders got by drinkypoo · · Score: 2

      Come on, you are way off topic here. You deserve the troll remark. We're talking about OpenBSD, not FreeBSD. You didn't read the comment you replied to and you don't know what you're talking about anyway. OpenBSD is rarely used, but when it is used, it is used because it is protecting something, and that means that the value of attacking it is very high; virtually every OpenBSD system not on some nerd's desk is guarding something important to someone.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. interesting, but incomplete by Tom · · Score: 2

    Applying game theory is always an interesting approach.

    However, this one misses what I consider an extremely important part: The multiplayer aspect. If obscurity is a part of your defense strategy, you cannot cooperate with other defenders. As you are competing with the attacker, that means obscurity is only advantageous if the additional cost to the attacker is higher than the benefit you could gain from such cooperation. In general, your security mechanism will not be so new, innovative and hard to crack that this is true. It does depend on the size and resources of your organisation, though. If you're a large organisation that can keep a secret (say, a secret service), it could have a net advantage. For almost everyone else, though, having more eyes on the problem will generally provide a better solution than the additional difficulty that obscurity provides for the attacker.

    --
    Assorted stuff I do sometimes: Lemuria.org