Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 9 Apr 2007 14:55:33 -0700
I don't think port-knocking (generically) qualifies as "security through obscurity". Consider two examples:

1. SSL/HTTPS

This is widely implemented; anyone who needs to find out how to implement it for yet another platform can find more than enough detail publicly available to enable them to do so. But security of SSL isn't assumed to depend on attackers failing to avail themselves of this wealth of public knowledge -- it rests on keeping the session keys secret, and they only ever need to be known by a pair of machines. Widespread knowledge of the mechanism doesn't weaken the measure.

2. Phone switch tapping

One of the government's major concerns about the NY Times disclosure of the warrantless NSA wiretapping program was the revelation, in a follow-up article, that the NSA was using eavesdropping ports built into phone company switches -- designed for legal wiretapping... -- to do it. Now I'm pretty sure that to anyone who knows even a little about telephone network equipment, this is pretty obviously the way to do it, but the gov't contends that this disclosure of the mechanism severely damaged the effectiveness of the measure. (This mechanism needs to be widely enough known throughout those who work on or with such equipment that I cannot imagine founding any crucial security measure on the requirement that it be unknown to hostiles....)

If the disclosure of the mechanism doesn't weaken the measure -- in fact, may strengthen it by persuading some potential attackers to seek lower-hanging fruit! -- then it's not Security Through Obscurity. If disclosure of the mechanism substantially weakens the measure, or renders it ineffective, then that's STO.

The knowledge that one is doing port-knocking doesn't render one suddenly open to practical attacks based on that knowledge, unless the actual ports being used are disclosed. (Brute forcing a port-knocking access should require about the square of the effort of a port-scan if you don't know the knock ports, right?)

So this measure retains its effectiveness even when the mechanism is known, and does not rely on the secrecy of the mechanism.

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Daniel Miessler
Sent: Wednesday, April 04, 2007 8:28 PM
To: warl0ck () metaeye org
Cc: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

On Apr 4, 2007, at 3:55 PM, Pranay Kanwar wrote:

"Kerckhoffs' principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness -- and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility."

Thanks for commenting, Pranay. I would argue, however, that this applies to situations where the security of the system RESTS on secrecy, not when the security of the system is independent of any secrecy as a layer. I just don't see any practical, real-world downside to systems such as SPA or Portknocking when they sit in front of daemons that have already been significantly secured.

Thoughts?

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
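A constructed illustration of the brute-force point David raises above, added here and not code from anyone in the thread: a minimal knock daemon that tracks each source's progress through a secret ordered port sequence, alongside the search-space figure faced by someone who knows the mechanism but not the ports. The sequence, timeout, protected port and addresses are all assumed values.

```python
"""Port-knocking state machine and the 'square of a port scan' cost figure.
Constructed example; the knock sequence and addresses below are made up."""
from dataclasses import dataclass, field

PORT_RANGE = 65536  # TCP/UDP port numbers 0..65535


def knock_search_space(knock_length: int) -> int:
    """Candidate ordered knock sequences of the given length when only the
    mechanism is known: 65536^k. For k=2 this is the square of one full
    port scan, which is the figure the post estimates."""
    return PORT_RANGE ** knock_length


@dataclass
class KnockDaemon:
    secret: tuple            # ordered knock ports, e.g. (7000, 8000, 9000)
    protected_port: int      # port that stays closed until the knock succeeds
    timeout: float = 10.0    # seconds allowed between consecutive knocks
    _progress: dict = field(default_factory=dict)  # src -> (index, last_ts)
    opened: set = field(default_factory=set)       # sources that knocked correctly

    def observe(self, src: str, dst_port: int, ts: float) -> bool:
        """Feed one inbound connection attempt (source, destination port,
        timestamp). Returns True when this attempt completes the sequence."""
        idx, last = self._progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0  # too slow: start over
        if dst_port == self.secret[idx]:
            idx += 1
        else:
            # wrong port resets progress; the wrong port may itself be a
            # valid first knock, so credit that case
            idx = 1 if dst_port == self.secret[0] else 0
        if idx == len(self.secret):
            self.opened.add(src)
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, ts)
        return False

    def allows(self, src: str, dst_port: int) -> bool:
        """Firewall decision: the protected port is reachable only by sources
        that completed the knock; every other port is unaffected."""
        return dst_port != self.protected_port or src in self.opened
```

The static sequence is a shared secret that an on-path observer could record, which is the gap that SPA, mentioned in the quoted message, is designed to close.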