On 2009-11-18, David Brown <[email protected]> wrote:
> N. Coesel wrote:
>>> The old "security by obscurity" trick, that has /such/ a good reputation?
>>
>> Any means of security is security by obscurity by definition.
>> All protections schemes come down to hiding a secret
>> (obscurity). Whether its a key, a secret algorithm, etc.
>
> The phrase "security by obscurity" is normally taken to mean
> "security by hiding the way it works", i.e., trying to hide
> the code or algorithm.
Exactly. "Security by obscurity" does not refer to the fact
that you need to keep a secret key a secret. It refers
specifically to the dependence on keeping the design and
implementation of the _algorithms_ a secret.
Quoting Paul Schneier in _Secrets_&_Lies_:
A good security design has no secrets in its details. In
other words, all of the security is in the product itself
and its changeable secret: the cryptographic keys, the
passwords, the tokens and so forth. The antithesis is
_security_by_obscurity_: The details of the system are
part of the security. If a system is designed with
security by obscurity then that security is delicate.
Later in the same book:
Again and again in this book I rail against _security_by_
_obscurity_: proprietary cryptography, closed source code,
secret operating systems.
Security by obscurity doesn't work.
--
Grant Edwards   grante at visi.com   Yow! This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
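The distinction drawn above (security resting on a changeable secret versus on the secrecy of the code itself), as an added example that is not part of the original post or of Schneier's book. It is a toy: scheme A is a made-up unkeyed "authentication tag" whose only protection is that nobody has read the source, and scheme B is HMAC-SHA256 with a replaceable key. The constant, messages and key sizes are constructed for the example.

```python
"""Added example: where the secret lives decides how 'delicate' a design is."""
import hashlib
import hmac
import secrets

# Scheme A, "security by obscurity": there is no key. The only thing an
# attacker lacks is knowledge of this code, i.e. the hard-coded constant and
# the home-grown mixing step. (Constant and mixing constructed for the example.)
_HIDDEN_CONSTANT = b"nobody-will-ever-read-this-source"


def obscure_tag(message: bytes) -> bytes:
    mixed = _HIDDEN_CONSTANT + message[::-1] + _HIDDEN_CONSTANT[:4]
    return hashlib.sha256(mixed).digest()[:16]


# Scheme B, Kerckhoffs-style: the algorithm (HMAC-SHA256) is fully public;
# all of the security is in a key the operator can replace at any time.
def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()[:16]


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attacker_forges_obscure(message: bytes) -> bytes:
    """Attacker who has read the source (leaked repo, decompiled binary)
    re-implements scheme A line for line. Nothing can be rotated to stop this
    short of rewriting and redeploying the code."""
    mixed = _HIDDEN_CONSTANT + message[::-1] + _HIDDEN_CONSTANT[:4]
    return hashlib.sha256(mixed).digest()[:16]


def attacker_forges_keyed(message: bytes) -> bytes:
    """Same attacker, same complete knowledge of scheme B's code, but no key:
    the best available move is to guess one."""
    return keyed_tag(secrets.token_bytes(32), message)


def obscurity_breaks_after_source_leak() -> bool:
    """Scheme A: reading the source is equivalent to owning the secret."""
    msg = b"transfer 1000 to account 42"  # constructed message
    return attacker_forges_obscure(msg) == obscure_tag(msg)


def keyed_survives_source_leak() -> bool:
    """Scheme B: the source is public by design; without the key the forgery
    fails verification."""
    key = secrets.token_bytes(32)
    msg = b"transfer 1000 to account 42"
    return verify_keyed(key, msg, attacker_forges_keyed(msg))


def keyed_recovers_from_key_leak() -> tuple:
    """Scheme B when the key itself leaks: rotate it. A tag forged with the
    old key verifies under the old key (True) and fails under the new one
    (False). Scheme A has no 'changeable secret' to rotate."""
    old_key = secrets.token_bytes(32)
    new_key = secrets.token_bytes(32)
    msg = b"transfer 1000 to account 42"
    forged_with_leaked_key = keyed_tag(old_key, msg)
    return (verify_keyed(old_key, msg, forged_with_leaked_key),
            verify_keyed(new_key, msg, forged_with_leaked_key))


if __name__ == "__main__":
    print("obscure scheme forged from source alone:", obscurity_breaks_after_source_leak())
    print("keyed scheme forged from source alone:  ", keyed_survives_source_leak())
    print("keyed scheme (old key, new key) after rotation:", keyed_recovers_from_key_leak())
```

The point the functions make is Schneier's "delicate": scheme A fails completely and permanently the moment its details are known, while scheme B assumes its details are known and still has a recovery step (key rotation) when its real secret is compromised.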