On Mon, 09 Dec 2002 18:57:35 +0200, Georgi Guninski wrote:

> Berend-Jan Wever wrote:
>> Hmmmm...
>> ... isn't hiding your root password security through obscurity ?
>> ... isn't hiding your private PGP key security through obscurity ?
>> ... isn't 90% of security based on these kinds of obscurity ?
>
> IMHO this is not security by obscurity.
> An example for security by obscurity is the following:
> I give you an application which does encryption, but I don't tell you how it
> works at all.
> The marketing says it is tru$tworthy and unbreakable.
It helps to understand the basic problem with security through obscurity: someone may discover what you've obscured.

Some people will disagree, but I think the term 'Security through Obscurity' stems from the basic crypto tenet that the strength of your cypher should depend on keeping some easily changeable key data secret, not on keeping the underlying algorithm (which is very expensive to change) secret.

So far from being 'security through obscurity', passwords are actually its replacement. You move all your security into a small, cheap to change, easily defended piece of data. Meanwhile you have the added advantage that you can safely show everyone your implementation and they can help check that your security really does rely on your key data. That's if you want to.

And if you don't want to, it doesn't mean you're /relying/ on security through obscurity. You're just denying your attackers information. In an ideal world you can give away all the details of your setup and still no one can break it. But computer security is a long way from that, and if you hide your Apache banner, for instance, your attacker may just go elsewhere.

You can probably draw many interesting analogies with weapons of mass destruction, but I don't think any of them are relevant because the security can't be separated out into a single easily changeable, easily defended component. Not yet anyhow.

- Blazde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
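The tenet Blazde describes, as an added illustration that is not part of the thread: a scheme whose only secret is its (hard-coded) algorithm stays broken for everyone once that algorithm is read out of the code or binary, while a public algorithm keyed with a small secret (HMAC-SHA256 here) survives disclosure and lets the secret be rotated cheaply. The salt, key values and message are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed "obscurity": the secret lives in the algorithm itself.
FIXED_SALT = b"h1dd3n-s4lt"


def obscure_tag(msg: bytes) -> bytes:
    """'Secret algorithm' scheme: its safety rests on nobody reading this function."""
    return hashlib.sha256(FIXED_SALT + msg).digest()


def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """Public algorithm (HMAC-SHA256): the only secret is the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(tag: bytes, expected: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(tag, expected)


def forged_after_algorithm_leak(msg: bytes) -> bytes:
    """Someone who has seen obscure_tag reproduces it exactly; no secret remains."""
    return hashlib.sha256(FIXED_SALT + msg).digest()


def forged_knowing_only_algorithm(msg: bytes) -> bytes:
    """Knowing that HMAC-SHA256 is used is not enough; the key must be guessed."""
    return hmac.new(b"wrong-guess", msg, hashlib.sha256).digest()


def compare_schemes(msg: bytes = b"approve transfer 42") -> dict:
    """Run both schemes against a disclosed algorithm and against key rotation."""
    key = os.urandom(32)            # small, cheap-to-change secret
    genuine_obscure = obscure_tag(msg)
    genuine_keyed = keyed_tag(key, msg)
    rotated_key = os.urandom(32)    # rotation changes the secret, not the code
    return {
        # The obscure scheme accepts the forgery: disclosure was fatal.
        "obscure_forgery_accepted": verify(forged_after_algorithm_leak(msg), genuine_obscure),
        # The keyed scheme rejects it: disclosure of the algorithm cost nothing.
        "keyed_forgery_accepted": verify(forged_knowing_only_algorithm(msg), genuine_keyed),
        # Tags made under the old key stop verifying once the key is rotated.
        "old_key_tag_valid_after_rotation": verify(genuine_keyed, keyed_tag(rotated_key, msg)),
    }
```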
