Security by obscurity returns to online cryptography
A new research paper from Royal Holloway, University of London, and the University of Twente looks set to change the way that people think about security. The paper is entitled “Gaming security by obscurity”, and its author, Professor Dusko Pavlovic, presents an incredibly strong argument that Kerckhoffs’s Principle, an aphorism that is generally accepted across the security industry, no longer fully applies to modern computing environments.
Kerckhoffs’s Principle claims that a system should be secure even if everything except the key itself is publicly known. In Claude Shannon’s words, “The enemy knows the system”. Put simply, there can be no such thing as security through obscurity. Pretty much all of our modern cryptography relies on this approach. As long as we can encrypt data using a publicly available key, we really don’t mind if the encrypted data or the public key is available to absolutely anyone. That’s because the only way to decrypt the data is by using a secure private key that we keep nice and safe.
There is a second security principle that Pavlovic points to called Fortification. This proposes that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one security flaw in order to break into a system. While this is the accepted norm across the security industry, Pavlovic argues that it represents a form of information asymmetry that makes security look like a game biased in favour of the attackers. By applying game theory to this security problem, Pavlovic suggests that security defenders can gain the upper hand on attackers by making it difficult for an attacker to work out how the system actually works. This approach can be further improved if the defender monitors attacker behaviours and then modifies the defense strategy accordingly.
Pavlovic presents us with a fundamental claim that security can be increased by analysing the attacker and obscuring the defender. He presents a concept of “one way programming” which increases the logical complexity of a program. This approach makes it logically impossible to work out an algorithm from the outside. In this way, even if it is computationally easy to attack the program, it is logically difficult to the point of becoming unfeasible.
What is interesting about this paper is that while it is not saying that established security principles are wrong, it is looking at principles that have long been thrown out of the window as ways to further enhance existing security strategies.
Our current public key cryptography is based on the fact that predicting a matching private key is computationally almost impossible. Diffie and Hellman, inventors of modern key exchange technology, relied on the fact that there are computational limits to attacking key-based cryptography. Embedded in the belief that there can be no security by obscurity, however, is the assumption that there are no limits to an attacker’s programmatic or logical capabilities. Pavlovic has pointed out that this is essentially throwing the baby out with the bath water. By working to foil an attacker’s programmatic attempts to break into a system, as well as relying on his computational limits, we can only improve security further.
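To make the "computational limit" concrete, here is a toy Diffie-Hellman exchange in which the algorithm, the parameters and both public values are known to the eavesdropper, and only the private exponents are secret. It is an added example, not code from Pavlovic's paper or from this article; the prime, generator, key sizes and work budget are constructed toy values, and the function names are illustrative.

```python
import secrets

# Public by design: under Kerckhoffs's principle the attacker knows the
# algorithm and these parameters. Toy values constructed for this example.
P = 2_147_483_647  # the prime 2**31 - 1, far too small for real use
G = 7              # a primitive root modulo P

def keypair(bits):
    """Return (private exponent of exactly `bits` bits, public value)."""
    priv = secrets.randbits(bits) | (1 << (bits - 1))
    return priv, pow(G, priv, P)

def shared(priv, other_pub):
    """Shared secret from our private key and the peer's public value."""
    return pow(other_pub, priv, P)

def search_exponent(pub, budget):
    """Eavesdropper's view: knows P, G and pub, and tries exponents in order
    until the work budget (a stand-in for a computational limit) runs out."""
    value = 1
    for x in range(1, budget + 1):
        value = value * G % P
        if value == pub:
            return x
    return None

def exchange_broken(bits, budget):
    """Run one exchange and report whether the eavesdropper got the secret."""
    a_priv, a_pub = keypair(bits)
    b_priv, b_pub = keypair(bits)
    secret = shared(a_priv, b_pub)
    assert secret == shared(b_priv, a_pub)  # both sides agree
    guess = search_exponent(a_pub, budget)
    return guess is not None and shared(guess, b_pub) == secret

if __name__ == "__main__":
    # Same public algorithm each time; only the key size changes the outcome.
    for bits in (10, 16, 30):
        print(bits, "bit key, budget 2**16:", exchange_broken(bits, 1 << 16))
```

Nothing about the system is hidden in any of the three runs; the exchange survives only when the private exponent lies beyond the attacker's work budget.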
This paper is likely to stir some public debate. For one thing, security specialists tend to follow a philosophy that if you can publish the source code to your cryptography program along with the complete details of the encryption algorithm so that a programmer can understand exactly how the code works, and people are still unable to break into it, you have a secure program. There is something of an open-source flavour to this. What Pavlovic is saying is that this in itself is madness, that realistically you should also be hiding the details of your algorithm, and that it should have the potential to evolve depending on the attack vectors being applied. I think he has a point.