Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component.


History

An early opponent of security through obscurity was the locksmith Alfred Charles Hobbs, who in 1851 demonstrated to the public how state-of-the-art locks could be picked. In response to concerns that exposing security flaws in the design of locks could make them more vulnerable to criminals, he said: "Rogues are very keen in their profession, and know already much more than we can teach them."

There is scant formal literature on the issue of security through obscurity. Books on security engineering cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:

"[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure."

Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships", as well as on how competition affects the incentives to disclose.

There are conflicting stories about the origin of this term. Fans of MIT's Incompatible Timesharing System (ITS) say it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as $$^D. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.

In January 2020, NPR reported that Democratic party officials in Iowa declined to share information regarding the security of its caucus app, to "make sure we are not relaying information that could be used against us." Cybersecurity experts replied that "to withhold the technical details of its app doesn't do much to protect the system."


Criticism

Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States sometimes recommends against this practice: "System security should not depend on the secrecy of the implementation or its components." The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.
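The Kerckhoffs doctrine quoted in the History section and the NIST statement above make the same point: a design that is only secure while its implementation stays secret fails the moment the source is disclosed, whereas a design whose only secret is a key survives disclosure. The following is an added illustration, not code from the article or from any project it names; the request tag, the baked-in constant and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: a service accepts a request only if it carries a valid tag.

# Obscurity-only design: the tag is a hash of the message with a constant that
# lives in the source code. There is no key; the design itself is the secret.
BAKED_IN_CONSTANT = b"constructed-placeholder-constant"  # not a real value


def obscure_tag(message: bytes) -> str:
    return hashlib.sha256(BAKED_IN_CONSTANT + message).hexdigest()


def obscure_verify(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


# Keyed design (Kerckhoffs): the algorithm (HMAC-SHA256) is public; only the key is secret.
def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def design_disclosure_outcome() -> dict:
    """Model the moment the source becomes public (leak, decompilation, open-sourcing).

    Anyone holding the source can recompute obscure_tag for any message, so the
    obscurity-only check accepts it. With the same disclosure, the keyed check still
    rejects a tag computed without the server's key (one guess is shown; the key
    space makes guessing impractical) and accepts only a tag made with the key."""
    message = b"transfer=100;to=acct-42"      # constructed sample request
    server_key = secrets.token_bytes(32)      # held only by the server, never in source
    from_source_only_obscure = obscure_tag(message)
    from_source_only_keyed = keyed_tag(b"", message)  # no key material: empty-key guess
    return {
        "obscure_accepts_source_only": obscure_verify(message, from_source_only_obscure),
        "keyed_accepts_source_only": keyed_verify(server_key, message, from_source_only_keyed),
        "keyed_accepts_with_key": keyed_verify(server_key, message, keyed_tag(server_key, message)),
    }


if __name__ == "__main__":
    print(design_disclosure_outcome())
```

The only difference between the two verifiers is where the secret lives: in the implementation, which disclosure removes, or in a key, which disclosure of the implementation does not touch.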


Obscurity in architecture vs. technique

Knowledge of how the system is built differs from concealment and camouflage. The effectiveness of obscurity in operations security depends on whether the obscurity lives on top of other good security practices, or if it is being used alone. When used as an independent layer, obscurity is considered a valid security tool. In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception. NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.


See also

* Steganography
* Code morphing
* Kerckhoffs' principle
* Need to know
* Obfuscated code
* Presumed security
* Secure by design
* AACS encryption key controversy
* Zero-day (computing)
* Code talker
* Obfuscation


External links


* Eric Raymond on Cisco's IOS source code 'release' v Open Source
* Computer Security Publications: Information Economics, Shifting Liability and the First Amendment, by Ethan M. Preston and John Lofton
* by Jay Beale
* by Bruce Schneier
* "Security through obsolescence", Robin Miller, linux.com, June 6, 2002