Jaime Gago Condensing Information Systems From the Vapor Of Data

All Your Obscure Methods Are Belong To Us

With such a title you can expect to be immersed in an ocean of geek-o-logic theories and so you will if you keep reading...

Let’s take it straight from the beginning, to me there is no such a thing as a method that can provide 100% security to your systems, maybe in pure Cryptology Theory but not in the real world. This “no 100% security in the real world” [arguable] statement is based on my “no Theory of Everything for the pun humans” belief, and if I am wrong let’s catch up in the next multiverse!

A shortcut to explain this “no 100%” could be “what human can code, human can decode” basically all security methods have their origins in the human mind, therefore another human mind will be able to break in within a timeframe that is *not* infinite.

I have to admit though there is a real world fact that shakes this. Follow my chain of thought here and consider a chess game as an effort to access the code of a winning position (i.e. check mate). Then think about Deep Blue beating Kasparov, none of the IBM researchers that “built” Deep Blue had a single chance to beat Kasparov, even playing as a team against him, even if Kasparov had been sleep deprived for a week by American Idol music playing loud 24/7, they had no chance whatsoever to beat Gary Kasparov for he is a Grandmaster (think of Yoda but for Chess).  Yet their Turk did beat him, and there was no human inside.

The story says that Kasparov could not believe some Deep Blue moves were not human, this anecdote in itself says it all, Kasparov is no fool. My point is that the human mind *may* well be capable to create something that is–mathematically–“smarter” than the human mind itself, but Kasparov being beaten by a computer built by Chess neophytes (even if they were helped by Joel Benjamin) can not be considered as a proof.

This is not a random example, Deep Blue is more related to Algorithmic than Cryptology yes, but these 2 fields are very intertwined when it comes to computer systems. For example “Brute Force” has often been use to describe Deep Blue capacity to search his chess games database for the next “correct” move.  We even use that same word for the object that translates algorithms into computer languages and the object used to encrypt a secret: THE CODE

And for chess, just look at the way those players write! It certainly looks like a md5 hash to me.

But let’s forget about Deep Blue and come back to my intended topic Security through obscurity in Modern Information Systems (i.e. in 2009: computers & networks). From a strict theoretical and logic perspective obscurity is just the wrong thing to do, especially when you oppose it to security by design (see Kerchoffs’ principle), if you are not convinced I recommend that you read the Art Of Information Security blog post on the topic.

Now, to go back to Chess, I’d like to compare being obscure to the poor tactic of planning your next move based on your opponent’s worst move. Granted you might have been thinking that this [very bad] move was actually a great move, and if you are honest in your thinking, who knows you might win! But, the point of being obscure is actually knowing that it is a bad move (i.e. a move you wouldn’t do) and yet plan on your opponent playing it.

Yes, security through obscurity seems more pawn-like than King-like thinking. Yet once you transpose Kerchoffs’ principle to real life objects, full transparency might not be the best thing. Good security *starts* with good design, that is a given, but I don’t think design should be a “snob” to obscurity. In other words some secrecy on top of your intended secure methods won’t hurt. It is about being humble, you only think you have the ultimate design until someone breaks it.

And that is my main argument about blindly following Kerchoffs’ propositions: because you can never be certain your method is perfect, why take the risk of full disclosure? I understand the opposition with the Open Source philosophy (which I am an advocate for) but could there be a balanced way to deal with openness in security? I mean Open Source has proven his strength when it comes to building robust information systems architectures, and we should never have to limit the sharing of knowledge. But then I think about how scientists related to the Manhattan Project self censored themselves so they didn’t help Nazis efforts to get the bomb. Not that I think Enola Gay is the best thing that happened to humanity but imagine the A-Bomb in the hands of nazis before U.S...

edit: I just found out about "Godwin's law" . I don't think it applies to my analogy but it's worth mentioning it, after all I do have Nazis in one of my first posts here!

Now back to Auguste Kerckhoff, since:

-the original article in French is available online

-my native language happens to be French

-my english is not all that bad

-I have not found a translation that I agree entirely with

I will post my own translation of these 2 propositions here, after all this is my blog Na! If you don’t agree you are welcome to comment.

1 ) Le système doit être matériellement, sinon mathématiquement, indéchiffrable;

->The system must be physically, if not mathematically, undecipherable

2 ) Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi;

->It must not require secrecy, and should it be discovered by the enemy it should not be a problem.

I don’t think I need to translate the proposition related to the Telegraph or should I?

Now if you are still with me, I hope you see why my introductory statement is about no possible 100% secure method in the real world, it’s clear that Kerckhoffs proposition are dealing in absolutes.

I really wonder, how certain can you be that your system is *physically and forever* undecipherable? And if you are 100% sure, wouldn’t that mean you could prove it by mathematical means?  And to an extend that goes beyond way, way beyond my understanding, how far are you from a Theory of Everything if you can mathematically prove the absoluteness of your physical cryptographic model?

So if you can not achieve the first proposition do you still want to blindly follow the second one and tell the web how you designed your ultimate secure system? Proposition 1 and 2 are interdependent propositions (our good old boolean AND) having the one without the others is, in my humble opinion, defeating the original article’s purpose.

Don't get me wrong, relying on obscurity in the age of the Internet is just plain bad. Even an Administration as heavy as the one in charge of U.S. laws seems to have understood it in 1999, read this also Philip Zimmermann and his PGP case. Still, anybody designing with security in mind wanting to *fully* rely on Kerchoffs' principle should remember the original propositions were a Theory for cryptographic military environments...

In the end thinking obscurity is only for the ignorant and stupid agencies that you are going to crack with your 1337 $killz, is probably not that wise. I will personally try to remember that when blogging about the iptables rules protecting my american native friend aka Apache.