 |
Linux Format forums Help, discussion, magazine feedback and more
|
guy LXF regular

Joined: Thu Apr 07, 2005 1:07 pm Posts: 830 Location: Worcestershire
|
Posted: Thu Aug 16, 2012 3:00 pm Post subject: |
|
|
| nelz wrote: | How do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.
The point of that quote, which I first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key. |
So we descend to playing with meanings. If a message is encrypted and needs a private key to read it, does that encryption "obscure" the message? In my book, sure it does.
I used the phrase "Security through obscurity" with one meaning in mind, you replied with a more restricted meaning in mind.
For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.
Many an encryption procedure has remained uncracked only because it was obscure. Of course, to ensure success the obscurity must not be compromised. But there are ways of reducing that risk.
Of such joys are flawed security arrangements made - whether or not you have a tame cryptographer on hand to trot out his favourite dogma. As you rightly point out, this is not a good approach for most Internet-facing software. _________________ Cheers,
Guy
The eternal noob |
nelz Moderator

Joined: Mon Apr 04, 2005 12:52 pm Posts: 8002 Location: Warrington, UK
|
Posted: Thu Aug 16, 2012 3:39 pm Post subject: |
|
|
That's not what is generally meant by security through obscurity. When you send a PGP-encrypted email, there is nothing obscured about the security, it plainly states that the message is PGP encrypted. The message itself is encrypted, but not hidden, you can still see that there is an encrypted message there.
Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it. _________________ Unix is user-friendly. It's just very selective about who its friends are. |
guy LXF regular

Joined: Thu Apr 07, 2005 1:07 pm Posts: 830 Location: Worcestershire
|
Posted: Thu Aug 16, 2012 4:39 pm Post subject: |
|
|
I thought that was what you meant. _________________ Cheers,
Guy
The eternal noob |
AndyBaxman LXF regular

Joined: Tue Oct 04, 2005 9:47 am Posts: 519
|
Posted: Thu Aug 16, 2012 4:47 pm Post subject: |
|
|
| guy wrote: |
For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm. |
Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be. _________________ Bomb #20: "Let there be light" |
AndyBaxman LXF regular

Joined: Tue Oct 04, 2005 9:47 am Posts: 519
|
Posted: Thu Aug 16, 2012 4:50 pm Post subject: |
|
|
| nelz wrote: |
Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it. |
Indeed.
Like the three piggies painting their straw house to look like it's made of brick. _________________ Bomb #20: "Let there be light" |
Gonzalez Rivera Guest
|
Posted: Sat Feb 09, 2013 7:53 am Post subject: |
|
|
The whole discussion is informative regarding data security point of view. Nelz and Admin opinions are appreciable to solve the said issue.
[spam link removed] |
guy LXF regular

Joined: Thu Apr 07, 2005 1:07 pm Posts: 830 Location: Worcestershire
|
Posted: Sat Feb 09, 2013 11:42 am Post subject: |
|
|
Ho-hum, it's a quiet moment today:
| Nelz wrote: | | Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it. |
I was rather under the impression that securing access to something is a great way to make it less easy to find.
| AndyBaxman wrote: | | guy wrote: |
For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm. |
Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be. |
No. Obscured means the relevant information is not accessible, e.g. a proprietary binary obscures the algorithm. That's exactly what makes the private key obscured - it is held where others cannot access it.
We must be careful not to treat the phrase "security through obscurity" as ideological dogma which gives meaning to the words which make it up - it is itself given meaning and context by the pre-existing meaning of the words within.
Fortunately we all agree on how to secure a system, and like all good techies we disagree on how to talk about it. I am tempted to make bad puns about obscure language, but my life calls me to get it back. _________________ Cheers,
Guy
The eternal noob |