Essentially, I'm wondering if an octet stream is, by its nature, secure without knowledge of a semantic meaning for the bytes being sent. If you have no knowledge of the processing at either end of the stream, is there any way to get information from it?
3 Answers
Real-life data has a lot of structure which makes recognition easy. The Unix file
utility has done so since 1973.
Not being able to figure out the ins and outs of a bunch of bytes means that the bytes are not distinguishable from random, unless you know a "secret convention" which governs the interpretation of said bytes -- this exists and is called encryption. Decades of research in cryptography have come to the following conclusion: encryption can exist, but it is not easy. If you do not apply encryption explicitly, then the meaning of the data is not secret but, at best, obscure. Experience shows that obscurity rarely lasts long.
-
Ah, I see. So the idea is that in *practice* the stream will contain something like XML or JSON which is easily recognizable by the structure and order of the bytes if it's unencrypted? – asteri Feb 12 '13 at 16:47
-
Yes. Even data in compressed formats (e.g. JPEG pictures) will begin with a recognizable header. – Tom Leek Feb 12 '13 at 17:43
This would be known as Security by Obscurity, and I wouldn't count that as security.
The ability to derive information from a given stream depends on the protocol or technology that created it, nothing more or less.
To keep information private, you'll need to use an encryption algorithm. Even with an algorithm applied to your stream, it could be insecure depending on where the stream is. Is the stream on disk, or is the stream on the network?
Often times if the encryption itself isn't broken, the key exchange is. Depending on the value of what you're protecting in the arbitrary stream of bytes, it may or may not be worth it for a black hat to decipher your stream.
Given enough time and motivation, any non-standard cryptography will be broken quickly.
- 50,090
- 54
- 250
- 536
BobBarker04011950PriceIsRightLosAngelesCalifornia
Is that secure? Particularly if you can manipulate the input and see the output, it is trivial to determine the meaning of a data stream unless encryption is placed on the data.
- 41,816
- 5
- 63
- 110
-
Right, that makes sense. I guess I was thinking that because you don't know the format of the bytes, including the beginning or end points of the data, that getting any semantic information would be difficult. But the more I think about it, I suppose that's extremely naive. Still trying to learn about all this stuff. :) – asteri Feb 12 '13 at 17:07
-
@Jeff - yeah, don't feel bad. It's an incredibly common mistake that people make when they are first trying to secure stuff. I can't tell you how many system's I've seen that rely on similar types of obfuscation only to be surprised when it falls flat on it's face the first time someone actually attacks it. – AJ Henderson Feb 12 '13 at 19:39