Security And Obscurity: It’s Not What You Think
By Daniel Miessler on August 20th, 2005: Tagged as Computers | Philosophy | Security
Many of us are familiar with a concept known as Security by Obscurity. The term has quite negative connotations within the security community — often for the wrong reasons.
There’s little debate about whether security by obscurity is bad; this is true because it means the secret being hidden is the key to the entire system’s security. Obscurity itself, however, when added to a system that already has decent controls in place, is not necessarily a bad thing. In fact, when done right, obscurity can be a strong addition to an overall approach.
So what’s the difference?
Security Through Obscurity
An example of security by obscurity is when someone has an expensive house outfitted with the latest alarm system, but they keep the key and alarm code in the planter box next to the front door. This is security by obscurity because if anyone knows the secret, i.e. that the key and code are stored in the planter, then the security of the system is compromised.
That’s security by obscurity: if the secret ever gets out, it’s game over. The concept comes from cryptography, where it’s utterly sacrilegious to base the security of a system on the secrecy of the algorithm.
Obscurity As A Layer
Obscurity as a layer, however, can be used to enhance security that already exists. One excellent example of this is Portknocking.
Portknocking allows one to hide their network services behind an additional layer of quasi-authentication. Using the technology you can have an SSH server sitting live on the Internet that portscanners literally can’t find. This works because your firewall sits between the Internet and your listening SSH server.
Your firewall listens to the incoming requests and ignores all standard SSH attempts to your box. If, however, you ask in a very specific way, i.e. using the secret “knock”, it’ll open access to the server for your source IP.
The part that most people miss is that you still have to authenticate to SSH. You didn’t replace SSH’s security with portknocking, you simply added it as a layer. Remember, the NSA most likely has great algorithms but they still don’t publish them.
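To make the "layer, not a replacement" point concrete, here is an added example (not code from the original post, and not any real portknocking daemon) that models the firewall described above as a small state machine. The knock sequence, port numbers, timing values and IP addresses are all constructed for the illustration. The model tracks each source address's progress through the secret sequence, drops every packet to the SSH port until the sequence is completed, and resets progress on any stray packet; that last rule is what keeps a sequential port scan from accidentally walking through the knock. Note that an ACCEPT here only means the packet reaches sshd, which still performs its own authentication.

```python
from typing import Dict, List, Tuple

# Constructed values for the example: the secret knock and the service it guards.
KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 9000, 8000)  # deliberately non-monotonic
GUARDED_PORT = 22
KNOCK_WINDOW = 5.0      # seconds allowed to finish the whole sequence
OPEN_DURATION = 30.0    # seconds the guarded port stays reachable after a good knock


class KnockFirewall:
    """Stateful filter sitting between the Internet and the SSH daemon.

    Every packet to the guarded port is dropped unless the source address has
    recently completed the knock sequence. Knock packets themselves never reach
    any service; they only advance (or reset) the per-source state.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        # src ip -> (index of the next expected knock, time the first knock arrived)
        self.progress: Dict[str, Tuple[int, float]] = {}
        # src ip -> time until which the guarded port is open for that source
        self.opened_until: Dict[str, float] = {}

    def packet(self, now: float, src: str, dport: int) -> str:
        """Return 'ACCEPT' if the packet is delivered to sshd, otherwise 'DROP'."""
        # Expire an earlier grant once its lifetime has passed.
        if src in self.opened_until and now >= self.opened_until[src]:
            del self.opened_until[src]

        if dport == GUARDED_PORT:
            # The obscurity layer: no grant, no packet to sshd at all.
            return "ACCEPT" if src in self.opened_until else "DROP"

        idx, started = self.progress.get(src, (0, now))
        if now - started > self.window:
            # Too slow: the sequence must be restarted from the beginning.
            idx, started = 0, now

        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                # Whole sequence seen in order and in time: open the port for this source.
                self.opened_until[src] = now + self.open_for
                self.progress.pop(src, None)
            else:
                self.progress[src] = (idx, started)
        else:
            # Any packet to a port outside the expected knock resets progress. A scanner
            # sweeping ports in order hits 7001 right after 7000 and is sent back to zero.
            self.progress.pop(src, None)

        # Knock ports never deliver anything, whether the knock was right or wrong.
        return "DROP"


def simulate(events: List[Tuple[float, str, int]], fw: KnockFirewall = None) -> List[str]:
    """Feed (time, src_ip, dst_port) tuples in arrival order; return one decision per packet."""
    fw = fw or KnockFirewall()
    return [fw.packet(t, src, dport) for t, src, dport in events]


def scan_events(src: str, ports, t0: float = 0.0, gap: float = 0.001) -> List[Tuple[float, str, int]]:
    """Constructed traffic of a sequential port sweep from one source."""
    return [(t0 + i * gap, src, p) for i, p in enumerate(ports)]


if __name__ == "__main__":
    knocker = "10.0.0.5"          # constructed address of the legitimate user
    good = [(0.0, knocker, 7000), (0.5, knocker, 9000), (1.0, knocker, 8000), (1.5, knocker, 22)]
    print("legitimate knock then SSH:", simulate(good))          # last packet ACCEPT
    print("SSH without knocking:", simulate([(0.0, "10.0.0.6", 22)]))
    sweep = scan_events("198.51.100.9", range(1, 10001)) + [(20.0, "198.51.100.9", 22)]
    print("sequential scan ever reaches sshd:", "ACCEPT" in simulate(sweep))
```

Running the block shows the three behaviours side by side: the knocker's fourth packet is accepted, an unannounced SSH attempt is dropped, and a 10,000-port sweep never produces an ACCEPT even though it touched every knock port. Whether the legitimate user gets a shell is then decided by SSH's own authentication, which the knock has not touched.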
So the next time the subject comes up, remember a simple concept: security by obscurity is bad, but obscurity itself — when added as a layer on top of existing security — can be quite useful. Those who dismiss obscurity out of hand are regurgitating something they’ve heard rather than thinking through the concepts themselves.
--

That reminds me of a short story I read once (years ago now). A character in a story had the ability to get to know someone’s personality so well that he could somehow know what they would use as a computer password. He took great pride in one case (the main case in the story) in knowing in advance that the guy would use TWO layers of security … and he somehow deduced what the 2 passwords would be. (YEAH YEAH … but this was in the early days when people used stupid passwords.) Just as he entered the second password to break into the system he realized that the guy would add one more layer of security. Before entering the CORRECT second password, he would enter an INCORRECT second password … and if no incorrect password was entered, the system would shut itself down. Alas the hero realized this too late. I suppose one could consider this an added layer of security using obscurity.
Comment by Carl M — 8/20/2005 @ 7:42 pm
Yes, absolutely! The “lack security by obscurity” has become a mantra to most IT people … which is exactly why they shouldn’t be doing security. If they’re not going to critically analyse and review security truisms they hear, then they’re not going to be good at security, where assumptions are usually the things that create security vulnerabilities.
There are two really easy ways to point out the flaw in assuming there is never security in obscurity:
(1) point out that it works quite effectively as a security measure (but not the only one) for animals in nature, or the military
(2) Ask those people if they’re blocking ICMP pings from the Internet. If they are, they’re obviously using it as a mechanism to obscure themselves from the Internet at large. In this case they’re obviously not practicing what they preach :-)
Comment by Mark — 5/18/2006 @ 8:25 pm