Security through obscurity

from Wikipedia, the free encyclopedia

Security through obscurity or Security by obscurity (German "Sicherheit durch Obscurität ", also "Security through obscurity") is a principle in computer and network security . It tries to guarantee the security of a system or a process by keeping its functionality secret.

The counter-concept to this is security through the greatest possible transparency, known as the Kerckhoffs' principle or full disclosure . Based on the cryptology , it is suggested that as little as possible be kept secret so that it can then be protected all the more easily and, if necessary, replaced.

The principle of security through obscurity is very controversial. The National Institute of Standards and Technology (NIST) advises not to design security systems on this basis: “ System security should not depend on the secrecy of the implementation or its components.

Systems based on this principle are opaque for their users and are therefore not very suitable for creating trust in security: "Security by obscurity is a principle that not only remains unsuitable as a security principle, it is also customer-hostile."

background

Questioned security, blanket assurance and spectacular failure were already known in the early days of information and communication technology at the beginning of the 20th century and linked to Guglielmo Marconi , whose supposedly high-precision radio technology could surprisingly easily be abused by Nevil Maskelyne , who chose an unexpected approach.

The statement of the information theorist Claude Shannon The enemy knows the system ( "The enemy knows the system") is a starting point, it should be assumed that the today in the creation of security concepts. Security based solely on secrecy or obfuscation of procedures has often proven to be inadequate. As a supplement to existing security concepts, obfuscation - up to the spread of automated test environments ("fuzzing") - could prove to be effective e.g. B. against automated attacks.

Cryptography is basically based on the fact that decryption is prevented by keeping data secret. The difference is whether a key or the algorithm used is kept secret - because as soon as the algorithm is used for many things, it is no longer secret, but widespread. Security by obscurity would then be an attempt to keep things secret that are widely used.

From the point of view of pure cryptographic security, a strong algorithm , for example the Advanced Encryption Standard or the RSA cryptosystem , does not require secrecy of the procedure, but only of the key used. Cryptography security deals with the security of a procedure.

Nevertheless, encryption algorithms are kept secret again and again. Ultimately, through their knowledge, the possible weak points can be discovered, so that it is only later found out that the encryption was not effective. One example is RC4 , which was kept secret for seven years until the source code was published anonymously in 1994 - in the meantime, RC4 is considered to be massively insecure.

In this way, security by obscurity leads to a loss of security , since with this principle the supposed security methods cannot be checked for their effectiveness and the ineffective methods cannot be discarded as such at an early stage.

The very widespread concept of passwords is usually not security through obscurity , despite the obvious secrecy of these . The password corresponds to the key used, which must be kept secret both with security through obscurity and with the Kerckhoffs principle in order to prevent unauthorized access. The method for checking the entry and comparing the correct password is independent of this. This can very well be based on security through obscurity .

Examples

Keys under the doormat
An example of the disadvantages of the principle is someone who hides the key to his house door under the doormat in case he locks himself out of the house. The weak point of this approach is obvious: anyone who knows where the key is hidden can open the front door. The house owner assumes that nobody knows about the hiding place and that even a burglar would hardly find the key. The security of the locking system is irrelevant here.
"Ignore" ping
Some hosts are configured in such a way that they do not satisfy a request for an echo . It is not taken into account that the Internet Control Message Protocol provides for responses from the gateway if the host behind the gateway cannot be reached. If there is no such response, it can be concluded that the host can be reached.
"Ignore" port scans
Configuration of a firewall so that requests to ports are silently discarded ( DROP ) instead of rejected ( REJECT ).
Hide network services
Do not let services like Secure Shell or MySQL run on their standardized ports , but on other ports. In an automated attack with a frequency of 50 milliseconds at the level of a packet cycle time on the Internet, trying out all 65,535 ports takes just under an hour. Conventional port scanners such as Nmap usually support a parallel attack ( multithreading ) on the individual ports, which can easily reduce the time required to less than 5 minutes.
Output of misinformation
Change the regular response to incoming connections, such as the names or version numbers of the programs, in order to trick attackers into thinking that other software is of no interest. This process is also used by honeypots .
Closed source software
How open source and closed source behave under the aspect of security is sometimes controversial. Operating systems with publicly visible source code such as BSD , OpenSolaris or Linux benefit from the fact that the source code can be looked through by many programmers and thus program errors can also be found. Eric Raymond is often quoted in this context : “ Given enough eyeballs, all bugs are shallow. “The aspect of the accessible source code is important for all specific algorithms in cryptography ( Kerckhoffs' principle ) - this is not guaranteed even under Microsoft Windows 10, which is why the BSI advises against use in security-critical areas.
E-mail letter
In an interview with the magazine CIO , the project manager of the E-Postbrief , Georg Rau, stated: “Basically, we don't see any security gaps here. I don't want to say more. Because an essential aspect of our security concept is: We don't talk about it in public. That is part of the security concept. "

Individual evidence

  1. Javier Galbally Herrero: Vulnerabilities and Attack Protection in Security Systems Based on Biometric Recognition . Universidad Autónoma de Madrid , November 2009, p. 7 ( books.google.de ).
  2. Guide to General Server Security (PDF; 258 kB) National Institute of Standards and Technology. July 2008. Retrieved October 2, 2011.
  3. ↑ Plain text: Are you sure? Not. . Heise Zeitschriften Verlag. August 13, 2013. Retrieved November 28, 2013.
  4. Sungook Hong: Syntony and Credibility: John Ambrose Fleming, Guglielmo Marconi, and the Maskelyne Affair. In: Jed Z. Buchwald (Ed.): Scientific Credibility and Technical Standards in 19th and early 20th century Germany and Britain. (= Archimedes, Vol. 1) Kluwer, Dordrecht / Boston / London 1996, ISBN 0-7923-4241-0 , pp. 157-176.
  5. Frank Patalong : Wireless at a loss . Spiegel publishing house . 17th May 2020.
  6. RFC 792 - Internet Control Message Protocol . Internet Engineering Task Force . September 1981. Retrieved October 14, 2012.
  7. [1]
  8. Exclusive interview, Swiss Post defends itself against criticism of the e-letter. CIO interview, August 25, 2010