Anyone who’s been in the security field for a significant time has heard the saying “Security by obscurity is no security at all”. I have heard this statement in many contexts. One regular place it is used is in the context of a PAT enabled router. While there are a lot of directions I could go with that one example, I want to directly attack the use of the “security by obscurity” statement.
Now that I have everyone’s attention (mostly because they think I’m going to stick my foot in my mouth), I want to break security down into two distinct categories. The first category is physical security. This category can include controls to protect technical or non-technical assets. Examples of this type of control include things like doors, locks, racks, vaults, and cameras. The statement of focus has no real context in the realm of physical security.
“Security by Obscurity” is more relevant around the other category of security controls. This second category of controls is usually referred to as logical controls. These types of controls include restrictions implemented by network ACLs, file permissions, application permissions, firewalls, and intrusion detection systems. We often think about logical controls in terms of AAA (authentication, authorization, and accounting). Authentication is the crucial first step required prior to allowing access.
So how do we authenticate? There are many different mechanisms, but I’ve listed a few below.
- IP Addresses
- Digital Certificates
- One Time Passwords (RSA, VeriSign, YubiKey)
All of these are forms of obscurity. Only the authorized user SHOULD know his or her password. IP addresses SHOULD be unique on the global Internet or in an individual corporate network. Even digital certificates are based on a public and private key pair. My point is that given an infinite amount of time, an attacker can guess their way through any of these controls.
So back to my stance about “security by obscurity”. My argument is that obscurity does have value in the context of security. However, we must really understand the degree of obscurity. How much entropy is provided by a particular method of obfuscation? How long would it take to attack a given control? How do we mitigate those attacks? Obviously, those are questions that we need to address as we build and implement controls.
Another example of a control that is based on obscurity is crypto. Crypto algorithms use a key to influence a crypto algorithm to make data look unintelligible. So again, the key is obscure. However, a proper key length should provide enough entropy that an attack isn’t computationally feasible. Furthermore, the key may be continually changing in order to limit the exposure of any key compromise.
I would like to personally challenge anyone out there to name a crypto or authentication algorithm that isn’t based on some form of obscurity or obfuscation. It is the degree of obscurity that is critical to providing strong security algorithms. Algorithms should not be based on tens, hundreds, or thousands of possibilities. Algorithms must be based on enough entropy that the compute power for the foreseeable future cannot guess enough possibilities to render the control useless.
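The questions raised above (how much entropy a control provides, how long it would take to guess, and whether that is enough) can be put into numbers. The following is an added example, not code from the original post: it computes entropy bits and expected brute-force time for a handful of constructed keyspaces matching the factors listed earlier (PIN, one-time code, IPv4 address, password, symmetric key), and also shows how much of a keyspace an attacker can cover before a short-lived secret is rotated. The keyspace sizes, guess rates, and the ten-year "required lifetime" are all assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed keyspace sizes for a few of the obscurity-based factors discussed
# in the post. Each assumes every value is equally likely, which is the best
# case for the defender (real password choices are far less uniform).
KEYSPACES = {
    "4-digit PIN": 10 ** 4,
    "6-digit one-time code": 10 ** 6,
    "IPv4 address (whole 2^32 space)": 2 ** 32,
    "8-char lowercase password": 26 ** 8,
    "AES-128 key": 2 ** 128,
}


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniformly chosen value from a keyspace of this size."""
    if keyspace < 1:
        raise ValueError("keyspace must hold at least one value")
    return math.log2(keyspace)


def expected_seconds_to_guess(keyspace: int, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is tried before a hit."""
    return (keyspace / 2) / guesses_per_second


def expected_years_to_guess(keyspace: int, guesses_per_second: float) -> float:
    """Same as above, expressed in years."""
    return expected_seconds_to_guess(keyspace, guesses_per_second) / SECONDS_PER_YEAR


def fraction_searched(keyspace: int, guesses_per_second: float, lifetime_seconds: float) -> float:
    """Share of the keyspace an attacker can cover before the secret is rotated."""
    return min(1.0, guesses_per_second * lifetime_seconds / keyspace)


def assess(keyspace: int, guesses_per_second: float, required_years: float) -> dict:
    """Summarise one control: entropy, expected time to guess, and whether it
    outlasts the required protection period at the assumed guess rate."""
    years = expected_years_to_guess(keyspace, guesses_per_second)
    return {
        "bits": entropy_bits(keyspace),
        "expected_years": years,
        "adequate": years >= required_years,
    }


if __name__ == "__main__":
    # Assumed guess rates: a rate-limited online login endpoint (10/s) versus
    # an offline attack on captured ciphertext (10^12/s).
    scenarios = [("online, 10 guesses/s", 10.0), ("offline, 1e12 guesses/s", 1e12)]
    for name, space in KEYSPACES.items():
        for label, rate in scenarios:
            r = assess(space, rate, required_years=10.0)
            print(f"{name:34} {label:24} {r['bits']:7.1f} bits  "
                  f"{r['expected_years']:10.3g} years  adequate={r['adequate']}")
    # Rotation: a 6-digit code valid for 30 s at 10 guesses/s exposes 0.03% of its space.
    print(f"fraction of OTP space searched in 30 s: {fraction_searched(10**6, 10, 30):.4%}")
```

Two things stand out when this runs: a 4-digit PIN is exhausted in minutes even at a throttled online rate, while the same 6-digit one-time code that is weak as a static secret becomes reasonable once its lifetime is 30 seconds; and only the 128-bit key is "adequate" against an offline attacker, which is the author's point that it is the degree of obscurity, not obscurity itself, that matters.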
Anything that is subject to an offline attack, crypto for example, should use short lifetimes for the form of entropy it depends on. For example, a phase 2 IPsec SA might use a one-hour lifetime for its symmetric key. Additionally, online controls like authentication mechanisms should have the capability to detect any type of brute force attack.
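The detection capability the paragraph asks of online controls can be demonstrated with a small sliding-window check over authentication logs. The code below is an added example, not from the original post: the log lines, their format (`timestamp auth OK|FAIL user=... src=...`), the five-failures-in-five-minutes threshold, and the addresses are all constructed for illustration. It raises one alert per source address that crosses the threshold, tracks how many distinct usernames that source tried (so a many-users, one-source spray is caught as well as a single-account attack), skips malformed lines, and stays quiet for slow, spread-out failures that never fill the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in an assumed format (not the post's own data):
# one line per attempt, with a UTC timestamp, result, username and source IP.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:00:03Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:00:05Z auth FAIL user=bob src=203.0.113.7
2024-01-15T10:00:07Z auth FAIL user=carol src=203.0.113.7
2024-01-15T10:00:09Z auth FAIL user=dave src=203.0.113.7
2024-01-15T10:00:11Z auth FAIL user=erin src=203.0.113.7
2024-01-15T10:00:12Z auth FAIL user=alice src=198.51.100.20
2024-01-15T10:00:40Z auth OK user=alice src=198.51.100.20
this line is malformed and should be skipped
2024-01-15T10:05:00Z auth FAIL user=root src=192.0.2.5
2024-01-15T10:20:00Z auth FAIL user=root src=192.0.2.5
2024-01-15T10:40:00Z auth FAIL user=root src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Raise one alert per source IP that accumulates `threshold` failures inside
    a sliding `window`. Distinct usernames are counted so that password spraying
    (many users, one source) is caught alongside a single-account attack."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames tried from that source
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        q.append(ts)
        users[src].add(rec["user"])
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(q),
                "first_failure": q[0],
                "distinct_users": len(users[src]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT src={a['src']} failures={a['failures']} "
              f"users={a['distinct_users']} since={a['first_failure']:%H:%M:%S}")
```

On the constructed sample only `203.0.113.7` is flagged; `192.0.2.5` fails three times but fifteen minutes apart, so it never fills the window, which is the usual gap a fixed threshold leaves and the reason detection is paired with the short lifetimes and rate limits discussed above rather than relied on alone.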
The main point I’m trying to make is that as security professionals, we need to quit using the terminology “security by obscurity is no security at all”. As professionals, we should understand and explain the degree of difficulty of guessing that which is obfuscated. Once we understand the degree of difficulty in guessing that which is obscure, we can think about and recommend the appropriate implementation of the controls. In the realm of logical security, we simply cannot eliminate “security by obscurity”.