Message-ID: <E18LUAO-0000jl-00.2002-12-09-20-06-13@cmailg1.svr.pol.co.uk>
From: mail at blazde.co.uk (Roland Postle)
Subject: "security by obscurity"

On Mon, 09 Dec 2002 18:57:35 +0200, Georgi Guninski wrote:
>Berend-Jan Wever wrote:
>> Hmmmm...
>> ... isn't hiding your root password security through obscurity ?
>> ... isn't hiding your private PGP key security through obscurity ?
>> ... isn't 90% of security based on these kinds of obscurity ?
>
>IMHO this is not security by obscurity.
>An example for security by obscurity is the following:
>I give you an application which does encryption, but I don't tell you how it 
>works at all.
>The marketing says it is tru$tworthy and unbreakable.

It helps to understand the basic problem with security through
obscurity: Someone may discover what you've obscured.

Some people will disagree but I think the term 'Security through
Obscurity' stems from the basic crypto tenet that the strength of your
cypher should depend on keeping some easily changeable key data secret,
not on keeping the underlying algorithm (which is very expensive to
change) secret.

So far from being 'security through obscurity', passwords are actually
its replacement. You move all your security into a small, cheap to
change, easily defended piece of data. Meanwhile you have the added
advantage that you can safely show everyone your implementation and
they can help check that your security really does rely on your key
data. That's if you want to. And if you don't want to, it doesn't mean
you're /relying/ on security through obscurity. You're just denying
your attackers information. In an ideal world you can give away all the
details of your setup and still no one can break it. But computer
security is a long way from that, and if you hide your Apache banner,
for instance, your attacker may just go elsewhere.

You can probably draw many interesting analogies with weapons of mass
destruction but I don't think any of them are relevant because the
security can't be separated out into a single easily changeable, easily
defended component. Not yet anyhow.

- Blazde
