Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: Daniel Miessler <daniel () dmiessler com>
Date: Wed, 11 Apr 2007 00:51:43 -0400


On Apr 10, 2007, at 6:50 PM, Craig Wright wrote:

Please demonstrate your hypothetical controls. Stating your hypothesis
in an untestable way does nothing to further the argument.

Control:
Limiting access to a potentially vulnerable daemon by 99.9% of the Internet population. So legitimate users are allowed in without issue, while nobody else on the Internet even knows a daemon exists.

Cost:
Configure your firewall device to handle PK or SPA and deploy the augmented client.

--

In my view this is a big win for the organization if the technologies can be used. Not all infrastructures support PK or SPA technology yet, but one can imagine them being used for VPNs and a number of other applications.

But that isn't even the point: the point is that just because obscurity is used as part of the total approach does NOT mean the system is somehow weakened. Kerckhoffs' principle applies when security RESTS on secrecy, not when it's added as a layer on top of existing systems.

As an example, suppose you have a tested VPN system that gives, say, 7 points of security (lame, but bear with me), and you then add a layer of obscurity on top of it that gives an additional 2 points; you'd have a total of 9. Well, if you have a compromise to your obscurity of said system, what would you fall back to?

4?

2?

No -- 5.

5 is what you started with WITHOUT the layer, so you can't fall below that. This is true simply because the two layers are independent of each other. We're not talking about a cryptographic algorithm where the scrutiny of the algorithm is PART of the security itself.

In this case we're building a completely isolated and independent layer, and as such Kerckhoffs' principle does not apply. Again, 5 + 2 - 2 = 5, not less than 5.

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
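An added illustration of the SPA-style gating control the message argues for (example code written for this archive page, not part of the thread and not the code of fwknop or any other product): a packet filter front end that drops every source until it receives one HMAC-authenticated knock, with freshness, source-binding and replay checks so a captured knock cannot be reused. The shared secret, window lengths and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret for this example only; a real deployment
# provisions one per client out of band.
SECRET = b"example-shared-secret-not-for-production"
KNOCK_WINDOW = 30    # seconds a knock packet stays fresh
OPEN_DURATION = 10   # seconds the knocking source may reach the daemon
TAG_LEN = 32         # HMAC-SHA256 output length
HEADER_LEN = 8 + 16  # 8-byte timestamp + 16-byte nonce


def build_knock(secret: bytes, src_ip: str, ts: int, nonce: bytes) -> bytes:
    """Client side: one authenticated packet binding source IP, time and nonce."""
    body = struct.pack(">Q", ts) + nonce + src_ip.encode()
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class SpaGate:
    """Firewall-side gate: every source is dropped until it sends a valid knock."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.seen_nonces = set()   # replay protection within the window
        self.allowed = {}          # src_ip -> time the allow entry expires

    def check_knock(self, src_ip: str, packet: bytes) -> bool:
        if len(packet) <= HEADER_LEN + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or corrupted knock
        ts = struct.unpack(">Q", body[:8])[0]
        nonce, claimed_ip = body[8:HEADER_LEN], body[HEADER_LEN:].decode()
        now = self.clock()
        if claimed_ip != src_ip or abs(now - ts) > KNOCK_WINDOW:
            return False                      # relayed from elsewhere, or stale
        if nonce in self.seen_nonces:
            return False                      # replay of an observed knock
        self.seen_nonces.add(nonce)
        self.allowed[src_ip] = now + OPEN_DURATION
        return True

    def is_open(self, src_ip: str) -> bool:
        """Does the packet filter currently pass this source to the daemon?"""
        return self.clock() < self.allowed.get(src_ip, 0)
```

The gate never touches the daemon's own authentication, which is the independence the message relies on: if the knock secret leaks, the daemon is merely as exposed as it was before the gate was added.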



