Websites with transparent security

Non-computer-related chit-chat

Moderators: ChrisThornett, LXF moderators

Postby guy » Thu Aug 16, 2012 2:00 pm

nelz wrote:how do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which I first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.


So we descend to playing with meanings. If a message is encrypted and needs a private key to read it, does that encryption "obscure" the message? In my book, sure it does.

I used the phrase "Security through obscurity" with one meaning in mind, you replied with a more restricted meaning in mind.

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.

Many an encryption procedure has remained uncracked only because it was obscure. Of course, to ensure success the obscurity must not be compromised. But there are ways of reducing that risk.

Of such joys are flawed security arrangements made - whether or not you have a tame cryptographer on hand to trot out his favourite dogma. As you rightly point out, this is not a good approach for most Internet-facing software.
Cheers,
Guy
The eternal help vampire
guy
LXF regular
Posts: 1078
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

Postby nelz » Thu Aug 16, 2012 2:39 pm

That's not what is generally meant by security through obscurity. When you send a PGP-encrypted email, there is nothing obscured about the security, it plainly states that the message is PGP encrypted. The message itself is encrypted, but not hidden, you can still see that there is an encrypted message there.

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
Posts: 8498
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK
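The distinction nelz draws above (hiding the method versus securing access with a key) as an added, runnable example; this is not code from the thread, and the two toy schemes, the sample message, the nonce and the 16-bit key are all constructed here for illustration. The keyed scheme uses SHA-256 as a keystream generator only to show a published method with a private key; it is not a recommended cipher.

```python
"""Added example (not from the forum thread).

Two toy ways of scrambling the same message:
  * obscure_encrypt  - the only secret is the transform itself. Once an attacker
                       reads the source, there is nothing left to find.
  * keyed_encrypt    - the method is public; only the key is private. Reading
                       the source leaves the attacker with the whole key space.
"""
import hashlib
import os


def obscure_encrypt(plaintext: bytes) -> bytes:
    # "Security through obscurity": a fixed transform with no key.
    # Constructed for illustration; any reader of this source can undo it.
    return bytes(((b ^ 0x5A) + 7) & 0xFF for b in plaintext)


def obscure_decrypt(ciphertext: bytes) -> bytes:
    return bytes(((b - 7) & 0xFF) ^ 0x5A for b in ciphertext)


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Public method: SHA-256(key || nonce || counter) used as a keystream and
    # XORed with the plaintext (an illustrative construction, not a standard
    # cipher). The code is open; the key is what stays private.
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    return bytes(out)


def keyed_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream undoes the encryption.
    return keyed_encrypt(key, nonce, ciphertext)


def break_obscure(ciphertext: bytes) -> bytes:
    # The attacker has read obscure_encrypt(); the "secret" is gone.
    return obscure_decrypt(ciphertext)


def break_keyed_by_brute_force(ciphertext: bytes, nonce: bytes,
                               crib: bytes, key_bits: int):
    # The attacker has read keyed_encrypt() too, but still has to find the key.
    # Tries every key of key_bits bits and returns (key, attempts); the crib is
    # a known plaintext prefix used to recognise the right key. Feasible only
    # for the toy key size used in demo(); a 128-bit key means 2**128 tries.
    attempts = 0
    key_len = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        attempts += 1
        key = candidate.to_bytes(key_len, "big")
        if keyed_decrypt(key, nonce, ciphertext).startswith(crib):
            return key, attempts
    return None, attempts


def demo() -> dict:
    message = b"meet at the usual place"          # constructed sample message
    nonce = bytes(8)                               # constructed fixed nonce
    small_key = (0x2A5C).to_bytes(2, "big")        # 16-bit toy key, brute-forceable
    real_key = os.urandom(16)                      # 128-bit key: 2**128 candidates

    obscured = obscure_encrypt(message)
    keyed_small = keyed_encrypt(small_key, nonce, message)
    keyed_real = keyed_encrypt(real_key, nonce, message)

    found_key, attempts = break_keyed_by_brute_force(
        keyed_small, nonce, b"meet at ", 16)

    return {
        # Source in hand, the obscure scheme falls with zero guesses.
        "obscure_broken": break_obscure(obscured) == message,
        # Source in hand, the keyed scheme costs one guess per key tried.
        "small_key_found": found_key == small_key,
        "attempts": attempts,
        "real_key_space": 2 ** 128,
        "real_key_round_trip": keyed_decrypt(real_key, nonce, keyed_real) == message,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attempt count is the point: with the method public, the attacker's work is set by the size of the key space (2**16 here, 2**128 for the real key), not by whether the code was kept hidden, whereas the obscure scheme has a key space of one once its source is read.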

Postby guy » Thu Aug 16, 2012 3:39 pm

I thought that was what you meant.
Cheers,
Guy
The eternal help vampire

Postby AndyBaxman » Thu Aug 16, 2012 3:47 pm

guy wrote:For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.


Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.
Bomb #20: "Let there be light"
AndyBaxman
LXF regular
Posts: 523
Joined: Tue Oct 04, 2005 8:47 am

Postby AndyBaxman » Thu Aug 16, 2012 3:50 pm

nelz wrote:Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.


Indeed.

Like the three piggies painting their straw house to look like it's made of brick.
Bomb #20: "Let there be light"

Postby Gonzalez Rivera » Sat Feb 09, 2013 7:53 am

The whole discussion is informative from a data security point of view. Nelz's and Admin's opinions are appreciable in solving the said issue.
[spam link removed]
Gonzalez Rivera

Postby guy » Sat Feb 09, 2013 11:42 am

Ho-hum, it's a quiet moment today:

Nelz wrote:Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.

I was rather under the impression that securing access to something is a great way to make it less easy to find.

AndyBaxman wrote:
guy wrote:For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.


Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.

No. Obscured means the relevant information is not accessible, e.g. a proprietary binary obscures the algorithm. That's exactly what makes the private key obscured - it is held where others cannot access it.

We must be careful not to treat the phrase "security through obscurity" as ideological dogma which gives meaning to the words which make it up - it is itself given meaning and context by the pre-existing meaning of the words within.

Fortunately we all agree on how to secure a system, and like all good techies we disagree on how to talk about it. I am tempted to make bad puns about obscure language, but my life calls me to get it back.
Cheers,
Guy
The eternal help vampire
