In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage. It diverges from traditional security methods, such as physical locks, and is more about obscuring information or characteristics to deter potential threats. Examples of this practice include disguising sensitive information within commonplace items, like a piece of paper in a book, or altering digital footprints, such as spoofing a web browser's version number. While not a standalone solution, security through obscurity can complement other security measures in certain scenarios. [1]
Obscurity in the context of security engineering is the notion that information can be protected, to a certain extent, when it is difficult to access or comprehend. This concept hinges on the principle of making the details or workings of a system less visible or understandable, thereby reducing the likelihood of unauthorized access or manipulation. [2]
An early opponent of security through obscurity was the locksmith Alfred Charles Hobbs, who in 1851 demonstrated to the public how state-of-the-art locks could be picked. In response to concerns that exposing security flaws in the design of locks could make them more vulnerable to criminals, he said: "Rogues are very keen in their profession, and know already much more than we can teach them." [3]
There is scant formal literature on the issue of security through obscurity. Books on security engineering cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:
[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure. [4]
Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships", [5] as well as on how competition affects the incentives to disclose. [6] [ further explanation needed ]
There are conflicting stories about the origin of this term. Fans of MIT's Incompatible Timesharing System (ITS) say it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as $$^D
. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right. [7]
In January 2020, NPR reported that Democratic party officials in Iowa declined to share information regarding the security of its caucus app, to "make sure we are not relaying information that could be used against us." Cybersecurity experts replied that "to withhold the technical details of its app doesn't do much to protect the system." [8]
Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components." [9] The Common Weakness Enumeration project lists "Reliance on Security Through Obscurity" as CWE-656. [10]
A large number of telecommunication and digital rights management cryptosystems use security through obscurity, but have ultimately been broken. These include components of GSM, GMR encryption, GPRS encryption, a number of RFID encryption schemes, and most recently Terrestrial Trunked Radio (TETRA). [11]
One of the largest proponents of security through obscurity commonly seen today is anti-malware software. What typically occurs with this single point of failure, however, is an arms race of attackers finding novel ways to avoid detection and defenders coming up with increasingly contrived but secret signatures to flag on. [12]
The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.
Knowledge of how the system is built differs from concealment and camouflage. The effectiveness of obscurity in operations security depends on whether the obscurity lives on top of other good security practices, or if it is being used alone. [13] When used as an independent layer, obscurity is considered a valid security tool. [14]
In recent years, more advanced versions of "security through obscurity" have gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception. [15] NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment. [16]
In cryptography, key size or key length refers to the number of bits in a key used by a cryptographic algorithm.
Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key's security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.
Kerckhoffs's principle of cryptography was stated by Dutch-born cryptographer Auguste Kerckhoffs in the 19th century. The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge. This concept is widely embraced by cryptographers, in contrast to security through obscurity, which is not.
Auguste Kerckhoffs was a Dutch linguist and cryptographer in the late 19th century.
Terrestrial Trunked Radio, a European standard for a trunked radio system, is a professional mobile radio and two-way transceiver specification. TETRA was specifically designed for use by government agencies, emergency services, for public safety networks, rail transport staff for train radios, transport services and the military. TETRA is the European version of trunked radio, similar to Project 25.
In cryptography, snake oil is any cryptographic method or product considered to be bogus or fraudulent. The name derives from snake oil, one type of patent medicine widely available in 19th century United States.
Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.
Project 25 is a suite of standards for interoperable digital two-way radio products. P25 was developed by public safety professionals in North America and has gained acceptance for public safety, security, public service, and commercial applications worldwide. P25 radios are a direct replacement for analog UHF radios, adding the ability to transfer data as well as voice for more natural implementations of encryption and text messaging. P25 radios are commonly implemented by dispatch organizations, such as police, fire, ambulance and emergency rescue service, using vehicle-mounted radios combined with repeaters and handheld walkie-talkie use.
End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse.
Hyper-encryption is a form of encryption invented by Michael O. Rabin which uses a high-bandwidth source of public random bits, together with a secret key that is shared by only the sender and recipient(s) of the message. It uses the assumptions of Ueli Maurer's bounded-storage model as the basis of its secrecy. Although everyone can see the data, decryption by adversaries without the secret key is still not feasible, because of the space limitations of storing enough data to mount an attack against the system.
SafeNet, Inc. was an information security company based in Belcamp, Maryland, United States, which was acquired in August 2014 by the French security company Gemalto. Gemalto was, in turn, acquired by Thales Group in 2019. The former SafeNet's products include solutions for enterprise authentication, data encryption, and key management. SafeNet's software monetization products are sold under the Thales Sentinel brand.
Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.
Peter P. Swire is the J.Z. Liang Chair in the School of Cybersecurity and Privacy in the College of Computing at the Georgia Institute of Technology. Swire is also Professor of Law and Ethics in the Scheller College of Business and has an appointment by courtesy with the School of Public Policy. He is an internationally recognized expert in privacy law. Swire is also a senior fellow at the Future of Privacy Forum and has served on the National Academies of Science and Engineering Forum on Cyber Resilience. During the Clinton administration, he became the first person to hold the position of Chief Counselor for Privacy in the Office of Management and Budget. In this role, he coordinated administration policy on privacy and data protection, including interfacing with privacy officials in foreign countries. He may be best known for shaping the Health Insurance Portability and Accountability Act Privacy Rule while serving as the Chief Counselor for Privacy. In November 2012 he was named as co-chair of the Tracking Protection Working Group of the World Wide Web Consortium (W3C), to attempt to mediate a global Do Not Track standard. In August 2013, President Obama named Swire as one of five members of the Director of National Intelligence Review Group on Intelligence and Communications Technologies.
Open security is the use of open source philosophies and methodologies to approach computer security and other information security challenges. Traditional application security is based on the premise that any application or service relies on security through obscurity.
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.
The United Kingdom has a diverse cyber security community, interconnected in a complex network.
The following outline is provided as an overview of and topical guide to computer security:
Active defense can refer to a defensive strategy in the military or cybersecurity arena.
Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.