{{short description|Reliance on design or implementation secrecy for security}}
[[File:Security through obscurity hiding a key on a car tyre.jpg|thumb|alt=A key hidden on a car tyre|Security through obscurity should not be used as the only security feature of a system.]]
In [[security engineering]], '''security through obscurity''' is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of [[Cypherpunk#Hiding the act of hiding|hiding something in plain sight]], akin to a magician's [[sleight of hand]] or the use of [[camouflage]]. It diverges from traditional security methods, such as physical locks, and is more about obscuring information or characteristics to deter potential threats. Examples of this practice include disguising sensitive information within commonplace items, like a piece of paper in a book, or altering digital footprints, such as [[user agent spoofing|spoofing a web browser's version number]]. While not a standalone solution, security through obscurity can complement other [[Operations security|security measures]] in certain scenarios.<ref>{{Cite book |last=Zwicky |first=Elizabeth D. |url=https://books.google.com/books?id=Q0ErhHGxNWcC |title=Building Internet Firewalls: Internet and Web Security |last2=Cooper |first2=Simon |last3=Chapman |first3=D. Brent |date=2000-06-26 |publisher="O'Reilly Media, Inc." |isbn=978-0-596-55188-9 |language=en}}</ref>

Obscurity in the context of security engineering is the notion that information can be protected, to a certain extent, when it is difficult to access or comprehend. This concept hinges on the principle of making the details or workings of a system less visible or understandable, thereby reducing the likelihood of unauthorized access or manipulation.<ref>Selinger, Evan and Hartzog, Woodrow, Obscurity and Privacy (May 21, 2014). Routledge Companion to Philosophy of Technology (Joseph Pitt & Ashley Shew, eds., 2014 Forthcoming), Available at SSRN: <nowiki>https://ssrn.com/abstract=2439866</nowiki></ref>

Security by obscurity alone is discouraged and not recommended by standards bodies.

==History==
An early opponent of security through obscurity was the locksmith [[Alfred Charles Hobbs]], who in 1851 demonstrated to the public how state-of-the-art locks could be picked. In response to concerns that exposing security flaws in the design of locks could make them more vulnerable to criminals, he said: "Rogues are very keen in their profession, and know already much more than we can teach them."<ref>{{cite news|last1=Stross|first1=Randall|title=Theater of the Absurd at the T.S.A.|url=https://www.nytimes.com/2006/12/17/business/yourmoney/17digi.html|website=The New York Times|date=17 December 2006|access-date=5 May 2015|archive-date=8 December 2022|archive-url=https://web.archive.org/web/20221208063347/https://www.nytimes.com/2006/12/17/business/yourmoney/17digi.html|url-status=live}}</ref>

There is scant formal literature on the issue of security through obscurity. Books on [[security engineering]] cite [[Kerckhoffs's principle|Kerckhoffs' doctrine]] from 1883 if they cite anything at all. For example, in a discussion about secrecy and openness in [[nuclear command and control]]:

<blockquote>[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure.<!--ref>{{cite journal | author=Auguste Kerckhoffs | author-link=Auguste_Kerckhoffs | title=La Cryptographie Militaire | journal=Journal des Sciences Militaires | date=January 9, 1883 | pages=5–38 | url=http://www.cl.cam.ac.uk/users/fapp2/kerckhoffs/ }}</ref--><ref>{{cite book | first=Ross | last=Anderson | title=Security Engineering: A Guide to Building Dependable Distributed Systems | publisher=John Wiley & Sons, Inc. | location=New York, NY | year=2001 | isbn=0-471-38922-6 | page=[https://archive.org/details/securityengineer00ande/page/240 240] | url=https://archive.org/details/securityengineer00ande/page/240 | url-access=registration }}</ref></blockquote>

[[Peter Swire]] has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "[[loose lips sink ships]]",<ref>{{cite journal | first=Peter P. | last = Swire | title=A Model for When Disclosure Helps Security: What is Different About Computer and Network Security? | journal=Journal on Telecommunications and High Technology Law | year=2004 | volume=2 | ssrn=531782 }}</ref> as well as on how competition affects the incentives to disclose.<ref>{{cite journal | first=Peter P. | last = Swire | title=A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies | journal=Houston Law Review |date=January 2006 | volume=42 | ssrn=842228 }}</ref>{{explain|date=September 2022}}

There are conflicting stories about the origin of this term. Fans of [[MIT]]'s [[Incompatible Timesharing System]] (ITS) say it was coined in opposition to [[Multics]] users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture, the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as <code>$$^D</code>. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.<ref>{{cite web|url=http://catb.org/jargon/html/S/security-through-obscurity.html|title=security through obscurity|work=The Jargon File|access-date=2010-01-29|archive-date=2010-03-29|archive-url=https://web.archive.org/web/20100329153340/http://catb.org/jargon/html/S/security-through-obscurity.html|url-status=live}}</ref>

In January 2020, [[NPR]] reported that [[Iowa Democratic Party|Democratic Party officials in Iowa]] declined to share information regarding the security of [[Shadow Inc.#IowaReporterApp|its caucus app]], to "make sure we are not relaying information that could be used against us." Cybersecurity experts replied that "to withhold the technical details of its app doesn't do much to protect the system."<ref>{{Cite news|url=https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app|title=Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App|newspaper=NPR.org|access-date=2020-02-06|archive-date=2022-12-23|archive-url=https://web.archive.org/web/20221223193433/https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app|url-status=live}}</ref>

==Criticism==
Security by obscurity alone is discouraged and not recommended by standards bodies. The [[National Institute of Standards and Technology]] (NIST) in the [[United States]] recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."<ref>{{cite web|date=2008-07-01|format=PDF; 258 kB|language=en|publisher=[[National Institute of Standards and Technology]]|title=Guide to General Server Security|url=http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf|archive-date=2017-08-09|archive-url=https://web.archive.org/web/20170809023939/http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf|url-status=live}}</ref> The [[Common Weakness Enumeration]] project lists "Reliance on Security Through Obscurity" as CWE-656.<ref>{{cite web|access-date=2023-09-28|date=2008-01-18|language=en|publisher=The MITRE Corporation|title=CWE-656: Reliance on Security Through Obscurity|url=https://cwe.mitre.org/data/definitions/656.html|archive-date=2023-09-28|archive-url=https://web.archive.org/web/20230928051914/https://cwe.mitre.org/data/definitions/656.html|url-status=live}}</ref>

A large number of telecommunication and [[digital rights management]] cryptosystems use security through obscurity, but have ultimately been broken. These include components of [[GSM]], [[GEO-Mobile Radio Interface|GMR]] encryption, [[GPRS]] encryption, a number of RFID encryption schemes, and most recently [[Terrestrial Trunked Radio]] (TETRA).<ref>{{cite conference|url=https://i.blackhat.com/BH-US-23/Presentations/US-23-Meijer-All-Cops-Are-Broadcasting.pdf|title=ALL COPS ARE BROADCASTING: Breaking TETRA after decades in the shadows (slideshow)|author=Midnight Blue|date=August 2023|conference=Blackhat USA 2023|access-date=2023-08-11|archive-date=2023-08-11|archive-url=https://web.archive.org/web/20230811121629/https://i.blackhat.com/BH-US-23/Presentations/US-23-Meijer-All-Cops-Are-Broadcasting.pdf|url-status=live}}<br /> {{cite conference|url=https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf|title=All cops are broadcasting: TETRA under scrutiny (paper)|author1=Carlo Meijer|author2=Wouter Bokslag|author3=Jos Wetzels|date=August 2023|conference=Usenix Security 2023|access-date=2023-08-11|archive-date=2023-08-11|archive-url=https://web.archive.org/web/20230811143013/https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf|url-status=live}}</ref>

One of the largest proponents of security through obscurity commonly seen today is anti-malware software. What typically occurs with this [[single point of failure]], however, is an [[arms race]] of attackers finding novel ways to avoid detection and defenders coming up with increasingly contrived but secret signatures to flag on.<ref>{{cite web|url=https://kpmg.com/nl/en/home/insights/2022/05/the-cat-and-mouse-game-of-antivirus-evasion.html|title=The cat and mouse game of antivirus evasion|author=KPMG|date=May 2022|access-date=2023-08-28|archive-date=2023-08-28|archive-url=https://web.archive.org/web/20230828004504/https://kpmg.com/nl/en/home/insights/2022/05/the-cat-and-mouse-game-of-antivirus-evasion.html|url-status=live}}</ref>

The technique stands in contrast with [[security by design]] and [[open security]], although many real-world projects include elements of all strategies.

==Obscurity in architecture vs. technique==
Knowledge of how the system is built differs from concealment and [[camouflage]]. The effectiveness of obscurity in [[operations security]] depends on whether the obscurity lives on top of other good security practices, or if it is being used alone.<ref>{{Cite news|url=https://danielmiessler.com/study/security-by-obscurity/|title=Obscurity is a Valid Security Layer - Daniel Miessler|work=Daniel Miessler|access-date=2018-06-20|language=en-US|archive-date=2022-12-08|archive-url=https://web.archive.org/web/20221208063348/https://danielmiessler.com/study/security-by-obscurity/|url-status=live}}</ref> When used as an independent layer, obscurity is considered a valid security tool.<ref>{{Cite web|url=https://www.csiac.org/journal-article/cyber-deception/|title=Cyber Deception {{!}} CSIAC|website=www.csiac.org|language=en-US|access-date=2018-06-20|archive-date=2021-04-20|archive-url=https://web.archive.org/web/20210420102103/https://www.csiac.org/journal-article/cyber-deception/|url-status=live}}</ref>

In recent years, more advanced versions of "security through obscurity" have gained support as a methodology in [[cybersecurity]] through Moving Target Defense and [[Deception technology|cyber deception]].<ref>{{Cite news|url=https://www.dhs.gov/science-and-technology/csd-mtd|title=CSD-MTD|date=2013-06-25|work=Department of Homeland Security|access-date=2018-06-20|language=en|archive-date=2022-12-08|archive-url=https://web.archive.org/web/20221208063349/https://www.dhs.gov/science-and-technology/csd-mtd|url-status=live}}</ref> NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/160/v2/ipd |title=Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems |last=Ross |first=Ron |last2=Graubart |first2=Richard |date=2018-03-21 |publisher=National Institute of Standards and Technology |issue=NIST Special Publication (SP) 800-160 Vol. 2 (Withdrawn) |language=en |last3=Bodeau |first3=Deborah |last4=McQuaid |first4=Rosalie |access-date=2024-04-05 |archive-date=2023-12-06 |archive-url=https://web.archive.org/web/20231206132437/https://csrc.nist.gov/pubs/sp/800/160/v2/ipd |url-status=live }}</ref>

==See also==
{{Div col|colwidth=25em}}
* [[Steganography]]
* [[Code morphing]]
* [[Need to know]]
* [[Obfuscation (software)]]
* [[Secure by design]]
* [[AACS encryption key controversy]]
* [[Full disclosure (computer security)]]
* [[Code talker]]
* [[Obfuscation]]
* [[Concealment device]]
{{Div col end}}

==References==
{{Reflist}}

==External links==
* [https://lwn.net/Articles/85958/ Eric Raymond on Cisco's IOS source code 'release' v Open Source]
* [https://web.archive.org/web/20050306155631/http://www.eplaw.us/data/ComputerSecurityPublications.pdf Computer Security Publications: Information Economics, Shifting Liability and the First Amendment] by Ethan M. Preston and John Lofton
* {{webarchive |url=https://web.archive.org/web/20070202151534/http://www.bastille-linux.org/jay/obscurity-revisited.html |date=February 2, 2007 |title="Security Through Obscurity" Ain't What They Think It Is }} by Jay Beale
* [http://www.schneier.com/crypto-gram-0205.html#1 Secrecy, Security and Obscurity] & [http://www.schneier.com/essay-056.html The Non-Security of Secrecy] by [[Bruce Schneier]]
* [http://www.linux.com/articles/23313 "Security through obsolescence", Robin Miller, ''linux.com'', June 6, 2002]

{{DEFAULTSORT:Security Through Obscurity}}
[[Category:Computer security procedures]]
[[Category:Cryptography]]
[[Category:Secrecy]]
[[Category:Security engineering]]
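Worked example for the Criticism section (the CWE-656 pattern and Kerckhoffs' doctrine) and for the "Obscurity in architecture vs. technique" section (obscurity as a layer on top of other controls rather than on its own). This is an added illustration, not code from the article or from any source it cites. It assumes a constructed "hidden" admin path, a constructed proxy log line, and HMAC-SHA256 as the keyed check; an admin endpoint protected only by its unguessable URL is compared with the same endpoint that additionally requires a keyed token, and both are evaluated after the URL has surfaced in a log.

```python
"""Added example, not part of the Wikipedia article or any cited source.

Scheme 1 (CWE-656): the admin endpoint is "protected" solely by nobody
knowing its URL. The secret is part of the design, so learning the design
is the same as gaining access.

Scheme 2 (Kerckhoffs' doctrine): the same hidden URL is kept, but access is
decided by a keyed HMAC-SHA256 token. The algorithm is public; only the key
is secret, and the key is separable from the design.

The path, key, user name and log line below are constructed for this example.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple

HIDDEN_ADMIN_PATH = "/x9f3-admin-console"   # constructed "obscure" URL


def issue_token(key: bytes, user: str) -> str:
    """Server side: bind a user name to a tag only a key holder can produce."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def token_is_valid(key: bytes, token: str) -> bool:
    """Public, well-specified check; its strength rests entirely on `key`."""
    user, sep, tag = token.rpartition(".")
    if not sep or not user:
        return False
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def authorize_obscurity_only(path: Optional[str]) -> bool:
    """CWE-656 pattern: reaching the hidden path is the whole check."""
    return path == HIDDEN_ADMIN_PATH


def authorize_layered(key: bytes, path: Optional[str], token: Optional[str]) -> bool:
    """Obscurity kept as one layer; the keyed check is what actually decides."""
    return (path == HIDDEN_ADMIN_PATH
            and token is not None
            and token_is_valid(key, token))


_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def path_from_log_line(line: str) -> Optional[str]:
    """Extract the request path from a Common Log Format line.

    Hidden URLs routinely surface this way (proxy logs, referrers, crash
    reports), which is why a URL is not a credential."""
    m = _REQUEST_RE.search(line)
    return m.group(1) if m else None


# Constructed log line standing in for a proxy log that was exposed.
LEAKED_LOG_LINE = (
    '203.0.113.7 - - [10/Jan/2024:12:34:56 +0000] '
    '"GET /x9f3-admin-console HTTP/1.1" 200 1834'
)


def leaked_design_scenario(server_key: bytes) -> Tuple[bool, bool]:
    """Once the hidden path and the algorithm are both known, does each
    scheme still hold against a caller who does not have the server key?

    Returns (obscurity_only_granted, layered_granted)."""
    path = path_from_log_line(LEAKED_LOG_LINE)
    wrong_key = b"\x00" * 32                     # any key but the server's
    token_without_server_key = issue_token(wrong_key, "admin")
    return (
        authorize_obscurity_only(path),
        authorize_layered(server_key, path, token_without_server_key),
    )


if __name__ == "__main__":
    import secrets
    server_key = secrets.token_bytes(32)        # lives only on the server
    print(leaked_design_scenario(server_key))   # (True, False)
    legitimate = issue_token(server_key, "admin")
    print(authorize_layered(server_key, HIDDEN_ADMIN_PATH, legitimate))  # True
```

The first result shows the CWE-656 scheme collapsing the moment its design (the path) becomes known, while the layered scheme still refuses the request; the second shows that the layered scheme works normally for a holder of the server key. The hidden path still reduces noise from scanners, which is the sense in which the article calls obscurity a valid additional layer, but it is the keyed check, whose algorithm is entirely public, that carries the security.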