Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 9 Apr 2007 14:55:33 -0700

  I don't think port-knocking (generically) qualifies as "security 
through obscurity".  Consider two examples:

1.  SSL/HTTPS
  This is widely implemented; anyone who needs to find out how to 
implement it for yet another platform can find more than enough
detail publicly available to enable them to do so.
  But security of SSL isn't assumed to depend on attackers failing 
to avail themselves of this wealth of public knowledge -- it rests 
on keeping the session keys secret, and they only ever need to be
known by a pair of machines.  Widespread knowledge of the mechanism
doesn't weaken the measure.

2.  Phone switch tapping
  One of the government's major concerns about the NY Times disclosure
of the warrantless NSA wiretapping program was the revelation, in a
follow-up article, that the NSA was using eavesdropping ports built 
into phone company switches -- designed for legal wiretapping... --
to do it.
  Now I'm pretty sure that to anyone who knows even a little about
telephone network equipment, this is pretty obviously the way to do
it, but the gov't contends that this disclosure of the mechanism
severely damaged the effectiveness of the measure.  (This mechanism
needs to be widely enough known throughout those who work on or with 
such equipment that I cannot imagine founding any crucial security
measure on the requirement that it be unknown to hostiles....)

  If the disclosure of the mechanism doesn't weaken the measure --
in fact, may strengthen it by persuading some potential attackers to
seek lower-hanging fruit! -- then it's not Security Through Obscurity.
If disclosure of the mechanism substantially weakens the measure, or 
renders it ineffective, then that's STO.
  The knowledge that one is doing port-knocking doesn't render one 
suddenly open to practical attacks based on that knowledge, unless
the actual ports being used are disclosed.  (Brute forcing a port-
knocking access should require about the square of the effort
of a port-scan if you don't know the knock ports, right?)  So this
measure retains its effectiveness even when the mechanism is known,
and does not rely on the secrecy of the mechanism.

David Gillett
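A worked illustration of the argument above, added here as an example and not part of anyone's post in this thread: a minimal knock-sequence matcher of the kind a port-knock daemon runs (the secret sequence, source addresses and timestamps are all constructed), plus the search-space arithmetic. For a two-port knock the blind search space is 65535^2 against 65535 for one scan, which is the "square" estimate; the functions generalise it to k knocks.

```python
# Added example (not from the thread): a minimal knock-sequence matcher of the
# kind a port-knock daemon runs, plus the search-space arithmetic behind the
# "square of a port scan" estimate. All sequences and traffic are constructed.
from dataclasses import dataclass, field

PORT_RANGE = 65535  # ports 1..65535: what a single full port scan must cover


@dataclass
class KnockMatcher:
    """Per-source state machine: advance on the expected port, reset on any
    other port or on a stale attempt, open only after the whole sequence."""
    secret: tuple               # the knock ports: the only secret in the scheme
    timeout: float = 10.0       # max seconds between consecutive knocks
    progress: dict = field(default_factory=dict)  # src -> (next_index, last_ts)
    opened: set = field(default_factory=set)

    def knock(self, src: str, port: int, ts: float) -> bool:
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                         # too slow: start the sequence over
        idx = idx + 1 if port == self.secret[idx] else 0  # no feedback either way
        if idx == len(self.secret):
            self.opened.add(src)            # full sequence seen: open for src
            idx = 0
        self.progress[src] = (idx, ts)
        return src in self.opened


def sequence_space(knocks: int, ports: int = PORT_RANGE) -> int:
    """Ordered sequences an attacker who knows the mechanism (length, matching
    rule) but not the ports must consider: ports ** knocks, because the daemon
    leaks no per-step progress."""
    return ports ** knocks


def effort_ratio(knocks: int, ports: int = PORT_RANGE) -> int:
    """Blind knock search measured in full port scans: ports ** (knocks - 1)."""
    return sequence_space(knocks, ports) // ports


def feed(m: KnockMatcher, src: str, knocks: list) -> bool:
    """Replay (port, timestamp) pairs for one source; return final open state."""
    state = False
    for port, ts in knocks:
        state = m.knock(src, port, ts)
    return state


def demo() -> dict:
    m = KnockMatcher(secret=(7000, 8000, 9000))       # constructed secret
    after_wrong = feed(m, "10.0.0.5", [(7000, 0), (8000, 1), (1234, 2), (9000, 3)])
    full = feed(m, "10.0.0.5", [(7000, 4), (8000, 5), (9000, 6)])
    stale = feed(m, "10.0.0.6", [(7000, 0), (8000, 1), (9000, 20)])  # 19 s gap
    return {"after_wrong": after_wrong, "full": full, "stale": stale,
            "two_knock_scans": effort_ratio(2)}
```

Note that the matcher never answers a knock, so an attacker learns nothing about partial progress and must submit whole sequences, which is what makes the ports ** knocks figure hold.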


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Daniel Miessler
Sent: Wednesday, April 04, 2007 8:28 PM
To: warl0ck () metaeye org
Cc: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


On Apr 4, 2007, at 3:55 PM, Pranay Kanwar wrote:

"Kerckhoffs' principle applies beyond codes and ciphers to security
systems in general: every secret creates a potential failure point.
Secrecy, in other words, is a prime cause of brittleness -- and
therefore something likely to make a system prone to catastrophic
collapse. Conversely, openness provides ductility."

Thanks for commenting, Pranay. I would argue, however, that 
this applies to situations where the security of the system 
RESTS on secrecy, not when the security of the system is 
independent of any secrecy as a layer. I just don't see any 
practical, real-world downside to systems such as SPA or 
Portknocking when they sit in front of daemons that have 
already been significantly secured.

Thoughts?

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
