Security through obscurity is one of the most deadly sins for experts in the field of information security. The institute where I am doing my MSc in computer security is even named after it: the Kerckhoffs Principle. However, when information is power, could obscurity be a viable security paradigm?

When it comes to security, there are many principles that are important. One of the most well-known is the Kerckhoffs Principle, which states that only the keys should be secret, i.e. no security mechanism should rely on secrecy to work. A related rule is the Fortification Principle: the defender has to secure himself against all attack vectors, whereas the attacker only needs to attack one. In other words, the defender has to get it right every time, while the attacker only needs to get lucky once.

Reach for Realistic Security, Not Perfectionism
In one of his papers, Dusko Pavlovic (2011) argues that security through obscurity may work in certain cases. He refers back to the original goal of Claude Shannon (1949), who argued that when an information source conveys information, an attacker will be able to extract this information. One can imagine that securing against this powerful attacker is practically impossible. Therefore, Diffie and Hellman (1976) proposed a new adversary, which is computationally limited. The limitation enables cryptographic systems, as they tend to rely on mathematical problems that are very hard, but not impossible – if you have several million years available, you can break a lot of systems.

While we exchanged our views on cryptography for more realistic ones, the firm opinion that an attacker knows the system has remained widely endorsed. Because we assume that no algorithm can be kept secret from the attacker, all security mechanisms protect against a very strong attacker. In fact, all secrecy is limited to the key, whether this is a passphrase, PIN or a cryptographic key. However, this makes security very costly and requires perfectionism in our algorithms. Therefore, we should ask ourselves: can we turn things around?

Hello Criminal, I Want To Play a Game
It is widely known that many types of battles, whether they are economic, political or simply war, can be modelled using game theory, i.e. the mathematics of strategic decision making. The insight of the paper of Dusko Pavlovic is that security is actually also a game – more specifically, a game of incomplete information. Winning the game means uncovering the strategy of your opponent, while obscuring your own.

The first part of the security game – uncovering the strategy of your opponent – is already widely done. For example, honeypots are used to gather information on the behaviour of attackers, which can be used by intrusion detection systems. However, the second part – obscuring our own algorithms – is new. Nevertheless, practice shows that an additional measure of obscurity is a good idea. For example, social engineers tend to put a lot of seemingly unimportant information to use to convince employees that they should have access to additional information or assets.

Gaming Security Through Obscurity
At the Royal Holloway University of London, the new ASECOLab will focus on, amongst other topics, new directions of obscurity as a security paradigm. This may prove to be a wonderful new direction in security research, one that will even the fight between attackers and defenders. That alone may greatly ease the life of the security engineer. Therefore, obscurity: here we come!

One Response to Let’s Be Obscure for a Change

  1. Beverly says:

    I would tend to agree that obscurity is useful in info security fields – a good argument. The person doing the protecting, if you like, is perhaps unequal from the attacker simply because they are protecting from all sides – but they can still stay one step ahead by adapting constantly.
