Linux Format forums
Websites with transparent security
guy
Posted: Thu Aug 16, 2012 3:00 pm

nelz wrote:
How do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which I first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.


So we descend to playing with meanings. If a message is encrypted and needs a private key to read it, does that encryption "obscure" the message? In my book, sure it does.

I used the phrase "Security through obscurity" with one meaning in mind, you replied with a more restricted meaning in mind.

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.

Many an encryption procedure has remained uncracked only because it was obscure. Of course, to ensure success the obscurity must not be compromised. But there are ways of reducing that risk.

Of such joys are flawed security arrangements made - whether or not you have a tame cryptographer on hand to trot out his favourite dogma. As you rightly point out, this is not a good approach for most Internet-facing software.
_________________
Cheers,
Guy
The eternal help vampire
nelz
Posted: Thu Aug 16, 2012 3:39 pm

That's not what is generally meant by security through obscurity. When you send a PGP-encrypted email, there is nothing obscured about the security, it plainly states that the message is PGP encrypted. The message itself is encrypted, but not hidden, you can still see that there is an encrypted message there.

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
guy
Posted: Thu Aug 16, 2012 4:39 pm

I thought that was what you meant.
_________________
Cheers,
Guy
The eternal help vampire
AndyBaxman
Posted: Thu Aug 16, 2012 4:47 pm

guy wrote:

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.


Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.
_________________
Bomb #20: "Let there be light"
AndyBaxman
Posted: Thu Aug 16, 2012 4:50 pm

nelz wrote:

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.


Indeed.

Like the three piggies painting their straw house to look like it's made of brick.
_________________
Bomb #20: "Let there be light"
Gonzalez Rivera
Posted: Sat Feb 09, 2013 7:53 am

The whole discussion is informative regarding data security point of view. Nelz and Admin opinions are appreciable to solve the said issue.
[spam link removed]
guy
Posted: Sat Feb 09, 2013 11:42 am

Ho-hum, it's a quiet moment today:

Nelz wrote:
Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.

I was rather under the impression that securing access to something is a great way to make it less easy to find.

AndyBaxman wrote:
guy wrote:

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.


Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.

No. Obscured means the relevant information is not accessible, e.g. a proprietary binary obscures the algorithm. That's exactly what makes the private key obscured - it is held where others cannot access it.

We must be careful not to treat the phrase "security through obscurity" as ideological dogma which gives meaning to the words which make it up - it is itself given meaning and context by the pre-existing meaning of the words within.

Fortunately we all agree on how to secure a system, and like all good techies we disagree on how to talk about it. I am tempted to make bad puns about obscure language, but my life calls me to get it back.
_________________
Cheers,
Guy
The eternal help vampire
All times are GMT
Copyright 2011 Future Publishing, all rights reserved.

