RE: Concepts: Security and Obscurity
I don't think port-knocking (generically) qualifies as "security
through obscurity". Consider two examples:

1. SSL/HTTPS
This is widely implemented; anyone who needs to find out how to
implement it for yet another platform can find more than enough
detail publicly available to enable them to do so.
But security of SSL isn't assumed to depend on attackers failing
to avail themselves of this wealth of public knowledge -- it rests
on keeping the session keys secret, and they only ever need to be
known by a pair of machines. Widespread knowledge of the mechanism
doesn't weaken the measure.

2. Phone switch tapping
One of the government's major concerns about the NY Times disclosure
of the warrantless NSA wiretapping program was the revelation, in a
follow-up article, that the NSA was using eavesdropping ports built
into phone company switches -- designed for legal wiretapping... --
to do it.
Now I'm pretty sure that to anyone who knows even a little about
telephone network equipment, this is pretty obviously the way to do
it, but the gov't contends that this disclosure of the mechanism
severely damaged the effectiveness of the measure. (This mechanism
needs to be widely enough known throughout those who work on or with
such equipment that I cannot imagine founding any crucial security
measure on the requirement that it be unknown to hostiles....)

If the disclosure of the mechanism doesn't weaken the measure --
in fact, may strengthen it by persuading some potential attackers to
seek lower-hanging fruit! -- then it's not Security Through Obscurity.
If disclosure of the mechanism substantially weakens the measure, or
renders it ineffective, then that's STO.
The knowledge that one is doing port-knocking doesn't render one
suddenly open to practical attacks based on that knowledge, unless
the actual ports being used are disclosed. (Brute forcing a
port-knocking access should require about the square of the effort
of a port-scan if you don't know the knock ports, right?) So this
measure retains its effectiveness even when the mechanism is known,
and does not rely on the secrecy of the mechanism.

David Gillett
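A worked illustration of the argument above (added here; it is not part of David Gillett's post or the thread): a toy port-knock verifier that admits a source only after the secret sequence is hit in order, fed with a constructed client that knows the knock and a constructed sequential port scan, plus the search-space arithmetic generalised to a knock of any length rather than only the two-port case the post assumes. The knock sequence, source names and the reset-on-wrong-port policy are assumptions made for the example.

```python
from dataclasses import dataclass, field

PORT_RANGE = 65536  # TCP destination ports 0..65535


@dataclass
class KnockDaemon:
    """Minimal port-knock verifier. A source is admitted only after hitting
    every port of the secret sequence in order; any other port resets that
    source's progress, so a sequential scan never completes the sequence."""
    sequence: tuple                                 # secret knock (assumed sample)
    progress: dict = field(default_factory=dict)    # src -> knocks matched so far
    opened: set = field(default_factory=set)        # sources that completed it

    def observe(self, src: str, port: int) -> bool:
        """Feed one observed connection attempt (source, destination port)."""
        i = self.progress.get(src, 0)
        if port == self.sequence[i]:
            i += 1                    # expected next port: advance
        elif port == self.sequence[0]:
            i = 1                     # wrong port, but it is the first knock: restart
        else:
            i = 0                     # anything else: reset this source
        if i == len(self.sequence):
            self.opened.add(src)      # full sequence seen: open the protected port
            i = 0
        self.progress[src] = i
        return src in self.opened

    def is_open(self, src: str) -> bool:
        return src in self.opened


def knock_search_space(sequence_len: int, ports: int = PORT_RANGE) -> int:
    """Ordered port sequences an attacker who knows the mechanism but not the
    ports must consider: ports**k. A full port scan costs `ports` probes, so a
    two-port knock is roughly the square of a scan, as the post argues."""
    return ports ** sequence_len


if __name__ == "__main__":
    d = KnockDaemon(sequence=(7000, 8000, 9000))   # constructed sample secret
    for p in (7000, 8000, 9000):                   # constructed knowing client
        d.observe("client", p)
    for p in range(PORT_RANGE):                    # constructed sequential scan
        d.observe("scanner", p)
    print("client open:", d.is_open("client"))     # True
    print("scanner open:", d.is_open("scanner"))   # False
    print("2-port knock / scan:", knock_search_space(2) // PORT_RANGE)  # 65536
```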


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Daniel Miessler
Sent: Wednesday, April 04, 2007 8:28 PM
To: warl0ck@xxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Concepts: Security and Obscurity


On Apr 4, 2007, at 3:55 PM, Pranay Kanwar wrote:

"Kerckhoffs' principle applies beyond codes and ciphers to security
systems in general: every secret creates a potential failure point.
Secrecy, in other words, is a prime cause of brittleness -- and
therefore something likely to make a system prone to catastrophic
collapse. Conversely, openness provides ductility."

Thanks for commenting, Pranay. I would argue, however, that
this applies to situations where the security of the system
RESTS on secrecy, not when the security of the system is
independent of any secrecy as a layer. I just don't see any
practical, real-world downside to systems such as SPA or
Portknocking when they sit in front of daemons that have
already been significantly secured.

Thoughts?

--
Daniel Miessler
E: daniel@xxxxxxxxxxxxx
W: http://dmiessler.com
G: 0xDA6D50EAC
