Security through obscurity
Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.
History
An early opponent of security through obscurity was the locksmith Alfred Charles Hobbs, who in 1851 demonstrated to the public how state-of-the-art locks could be picked. In response to concerns that exposing security flaws in the design of locks could make them more vulnerable to criminals, he said: "Rogues are very keen in their profession, and know already much more than we can teach them".[1]
There is scant formal literature on the issue of security through obscurity. Books on security engineering cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:
[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure.[2]
In the field of legal academia, Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships"[3] as well as how competition affects the incentives to disclose.[4]
The principle of security through obscurity was more generally accepted in cryptographic work in the days when essentially all well-informed cryptographers were employed by national intelligence agencies, such as the National Security Agency. Now that cryptographers often work at universities, where researchers publish many or even all of their results, and publicly test others' designs, or in private industry, where results are more often controlled by patents and copyrights than by secrecy, the argument has lost some of its former popularity. An early example was PGP, whose source code is publicly available to anyone. The security technology in some of the best commercial browsers is also considered highly secure despite being open source.
There are conflicting stories about the origin of this term. Fans of MIT's Incompatible Timesharing System (ITS) say it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as $$^D. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.[5]
In January 2020, NPR reported that party officials in Iowa declined to share information regarding the security of its caucus app, to "make sure we are not relaying information that could be used against us." Cybersecurity experts replied that "to withhold the technical details of its app doesn't do much to protect the system."[6]
Criticism
Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States sometimes recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."[7]
The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.
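The contrast between depending on a secret design and depending on a secret key can be shown in a few lines. This is an added example, not code from NIST or any source cited on this page; the function names, the sample message and the keyless "scheme A" procedure are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import zlib

# Scheme A (obscurity only): the tag comes from a keyless "secret" procedure.
# Constructed for illustration; the constant and the steps are arbitrary.
def obscure_tag(message: bytes) -> str:
    scrambled = bytes(b ^ 0x5A for b in message[::-1])
    return format(zlib.crc32(scrambled), "08x")

def obscure_verify(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)

# Scheme B (Kerckhoffs' doctrine): public algorithm, all secrecy in the key.
def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def keyed_verify(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)

def design_disclosure_outcome() -> dict:
    """What a party who knows the full design, but no key, can produce."""
    server_key = secrets.token_bytes(32)   # known only to the verifier
    message = b"role=admin"                # constructed sample input

    # Once the design is known, scheme A has nothing left protecting it:
    # anyone can recompute a valid tag for any message.
    tag_a = obscure_tag(message)

    # For scheme B, the design only reveals that HMAC-SHA256 is used;
    # a tag made under a guessed key does not verify under the real key.
    tag_b = keyed_tag(secrets.token_bytes(32), message)

    # Recovery differs too: a leaked key is rotated and old tags stop
    # verifying, while a leaked design means replacing scheme A everywhere.
    old_tag = keyed_tag(server_key, message)
    rotated_key = secrets.token_bytes(32)
    return {
        "obscure_accepts_tag_made_from_design": obscure_verify(message, tag_a),
        "keyed_accepts_tag_made_from_design": keyed_verify(server_key, message, tag_b),
        "keyed_accepts_old_tag_after_rotation": keyed_verify(rotated_key, message, old_tag),
    }

if __name__ == "__main__":
    for name, value in design_disclosure_outcome().items():
        print(f"{name}: {value}")
```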
Obscurity in architecture vs. technique
Knowledge of how the system is built differs from concealment and camouflage. The efficacy of obscurity in operations security depends on whether the obscurity lives on top of other good security practices, or is being used alone.[8] When used as an independent layer, obscurity is considered a valid security tool.[9]
In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.[10] NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.[11] The research firm Forrester recommends the usage of environment concealment to protect messages against Advanced Persistent Threats.[12]
See also
- Steganography
- Code morphing
- Kerckhoffs' principle
- Need to know
- Obfuscated code
- Presumed security
- Secure by design
- AACS encryption key controversy
- Zero-day (computing)
- Code talker
- Obfuscation
References
- Stross, Randall. "Theater of the Absurd at the T.S.A." The New York Times. Retrieved 5 May 2015.
- Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, Inc. p. 240. ISBN 0-471-38922-6.
- Swire, Peter P. (2004). "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?". Journal on Telecommunications and High Technology Law. 2. SSRN 531782.
- Swire, Peter P. (January 2006). "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies". Houston Law Review. 42. SSRN 842228.
- "security through obscurity". The Jargon File.
- https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app
- "Guide to General Server Security" (PDF). National Institute of Standards and Technology. July 2008. Retrieved 2 October 2011.
- "Obscurity is a Valid Security Layer - Daniel Miessler". Daniel Miessler. Retrieved 2018-06-20.
- "Cyber Deception | CSIAC". www.csiac.org. Retrieved 2018-06-20.
- "CSD-MTD". Department of Homeland Security. 2013-06-25. Retrieved 2018-06-20.
- Ross, Ron (NIST); Graubart, Richard (MITRE); Bodeau, Deborah (MITRE); McQuaid, Rosalie (MITRE). "SP 800-160 Vol. 2 (DRAFT), Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems". csrc.nist.gov. Retrieved 2018-06-20.
- "Enable Secure Communications To Protect Data And Privacy". www.forrester.com. Retrieved 2018-06-20.
External links
- Eric Raymond on Cisco's IOS source code 'release' v Open Source
- Computer Security Publications: Information Economics, Shifting Liability and the First Amendment by Ethan M. Preston and John Lofton
- "Security Through Obscurity" Ain't What They Think It Is at the Wayback Machine (archived February 2, 2007) by Jay Beale
- Secrecy, Security and Obscurity & The Non-Security of Secrecy by Bruce Schneier
- "Security through obsolescence", Robin Miller, linux.com, June 6, 2002