RE: Concepts: Security and Obscurity

I don't think port-knocking (generically) qualifies as "security
through obscurity". Consider two examples:

This is widely implemented; anyone who needs to find out how to
implement it for yet another platform can find more than enough
detail publicly available to enable them to do so.
But security of SSL isn't assumed to depend on attackers failing
to avail themselves of this wealth of public knowledge -- it rests
on keeping the session keys secret, and they only ever need to be
known by a pair of machines. Widespread knowledge of the mechanism
doesn't weaken the measure.

2. Phone switch tapping
One of the government's major concerns about the NY Times disclosure
of the warrantless NSA wiretapping program was the revelation, in a
follow-up article, that the NSA was using eavesdropping ports built
into phone company switches -- designed for legal wiretapping... --
to do it.
Now I'm pretty sure that to anyone who knows even a little about
telephone network equipment, this is pretty obviously the way to do
it, but the gov't contends that this disclosure of the mechanism
severely damaged the effectiveness of the measure. (This mechanism
needs to be widely enough known throughout those who work on or with
such equipment that I cannot imagine founding any crucial security
measure on the requirement that it be unknown to hostiles....)

If the disclosure of the mechanism doesn't weaken the measure --
in fact, may strengthen it by persuading some potential attackers to
seek lower-hanging fruit! -- then it's not Security Through Obscurity.
If disclosure of the mechanism substantially weakens the measure, or
renders it ineffective, then that's STO.
The knowledge that one is doing port-knocking doesn't render one
suddenly open to practical attacks based on that knowledge, unless
the actual ports being used are disclosed. (Brute forcing a port-
knocking access should require about the square of the effort
of a port-scan if you don't know the knock ports, right?) So this
measure retains its effectiveness even when the mechanism is known,
and does not rely on the secrecy of the mechanism.

David Gillett

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Daniel Miessler
Sent: Wednesday, April 04, 2007 8:28 PM
To: warl0ck@xxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Concepts: Security and Obscurity

On Apr 4, 2007, at 3:55 PM, Pranay Kanwar wrote:

"Kerckhoffs' principle applies beyond codes and ciphers to security
systems in general: every secret creates a potential failure point.
Secrecy, in other words, is a prime cause of
brittleness-and therefore
something likely to make a system prone to catastrophic collapse.
Conversely, openness provides ductility."

Thanks for commenting, Pranay. I would argue, however, that
this applies to situations where the security of the system
RESTS on secrecy, not when the security of the system is
independent of any secrecy as a layer. I just don't see any
practical, real-world downside to systems such as SPA or
Portknocking when they sit in front of daemons that have
already been significantly secured.


Daniel Miessler
E: daniel@xxxxxxxxxxxxx
G: 0xDA6D50EAC