Security through obscurity

Security through obscurity, or security by obscurity, is a principle in computer and network security whereby the security of a system or process is supposed to be ensured by keeping the way it works secret.

The counter-concept is security through maximum transparency, referred to as Kerckhoffs's principle or full disclosure. Originating in cryptology, the idea is to keep as little as possible secret, so that what does remain secret is easier to protect and can be replaced when needed.

The principle is highly controversial; the National Institute of Standards and Technology (NIST) advises that security systems should not be designed on this basis: "System security should not depend on the secrecy of the implementation or its components."

Systems built on this principle are not transparent to the user, which makes them poorly suited to inspiring confidence in their security: "Security by obscurity is a principle that is not only unsuitable as a safeguarding principle, it is on top of that customer-hostile."

Background

Public challenges to claims of absolute security, and their spectacular failure, appeared as early as the beginning of the 20th century, in the early days of information and communication technology. They are linked to Guglielmo Marconi, whose supposedly precisely tuned radio technology was interfered with surprisingly easily by John Nevil Maskelyne, who chose an unexpected approach.

The maxim of the information theorist Claude Shannon, "The enemy knows the system", is the starting point from which security concepts should be designed today. Security based solely on the secrecy or concealment of a procedure has often proven to be insufficient. As a complement to existing security concepts, however, concealment can prove effective, for example against automated attacks.

Cryptography relies fundamentally on secrecy to prevent the decryption of data. The difference lies in whether the key or the algorithm is kept secret: once an algorithm is used for many purposes, it is no longer a secret but widely distributed. Security by obscurity is the attempt to keep secret something that is, in fact, widely disseminated.

A strong algorithm such as the Advanced Encryption Standard requires, from the perspective of pure cryptographic security, no secrecy of the procedure, only of the key. Cryptographic security is concerned with the security of the procedure itself.

Nevertheless, encryption algorithms are kept secret again and again. Yet any weaknesses can only be detected once the procedure is known, so it may turn out later that the encryption was never effective. An example is RC4, which was kept secret for seven years until its source code was published anonymously in 1994.

In this way, security by obscurity leads to a loss of security: because the supposedly secure methods are never checked for their effectiveness, ineffective methods are not discarded as such at an early stage.
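The key-versus-algorithm distinction above, as an added example that is not part of the original article: scheme A hides a fixed pad inside the program (the "secret" is the procedure), scheme B publishes the procedure and keeps only a key secret. The keyed scheme is an illustrative HMAC-SHA256 counter-mode stream cipher, chosen so the example runs on the standard library alone; it is not AES and is unauthenticated.

```python
import hashlib
import hmac
import secrets

# Scheme A, security through obscurity: nothing is keyed, the whole secret is the
# procedure itself (a fixed pad hard-coded in the program; constructed sample value).
# Once the code leaks or is reverse-engineered, every message ever sent is readable.
_HIDDEN_PAD = bytes.fromhex("5a3c9e17c2d4a0b6")

def obscure_encrypt(plaintext: bytes) -> bytes:
    return bytes(p ^ _HIDDEN_PAD[i % len(_HIDDEN_PAD)] for i, p in enumerate(plaintext))

def break_obscure(ciphertext: bytes) -> bytes:
    # "The enemy knows the system": with the source in hand the pad is known,
    # and XOR is its own inverse, so no key search is needed at all.
    return obscure_encrypt(ciphertext)

# Scheme B, Kerckhoffs style: the procedure is public, only the key is secret.
# Keystream = HMAC-SHA256(key, nonce || counter), i.e. a PRF in counter mode.
# Illustrative construction (not AES); confidentiality only, no integrity check.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):  # one 32-byte block per HMAC call
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per message; never reuse under one key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def keyed_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def rekey(old_key: bytes, new_key: bytes, ciphertext: bytes) -> bytes:
    # The small secret is cheap to replace: a compromised key is rotated by
    # re-encrypting, while the public algorithm and all deployed code stay unchanged.
    return keyed_encrypt(new_key, keyed_decrypt(old_key, ciphertext))

if __name__ == "__main__":
    msg = b"meet at the usual place"
    print(break_obscure(obscure_encrypt(msg)))          # recovered with no key at all
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    ct = keyed_encrypt(k1, msg)
    print(keyed_decrypt(k2, ct) == msg)                  # False: the code alone is useless
    print(keyed_decrypt(k2, rekey(k1, k2, ct)) == msg)   # True: key rotated, code untouched
```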

The very widespread concept of passwords, despite the obvious secrecy involved, is usually not security through obscurity: the password is kept secret to ensure that only authorised persons gain access, but the password input mask and the mechanism used (access is granted when the password is correct) are, as a rule, known.

Examples
