In cryptography and computer security, security through obscurity (sometimes security by obscurity) is a principle in security engineering, regarded by some as controversial, that attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known and that attackers are unlikely to find them.

The Enigma machine, used by Germany in World War II, implemented a complex cipher to protect sensitive communications.
In cryptography, the argument against security by obscurity is based on Kerckhoffs' principle from the late 1880s, which states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key: "the security of a cipher resides entirely in the key". Claude Shannon rephrased it as "the enemy knows the system". Historically, security through obscurity has been a very feeble reed on which to rely in cryptographic matters. Obscure codes, ciphers, and cryptosystems have repeatedly fallen to attack regardless of how obscure their weaknesses were.
The full disclosure movement goes further, suggesting that security flaws should be disclosed as soon as possible, delaying the information no longer than is necessary to release a fix or workaround for the immediate threat.
Arguments against security by obscurity
Some argue that security through obscurity is flawed. If a system's security depends solely or primarily on keeping an exploitable weakness hidden, then, in their view, once that weakness is discovered the security is easily compromised. It is also argued that keeping the details of widely used systems and algorithms secret is difficult. In cryptography, for example, there are a number of cases of proprietary ciphers becoming public knowledge, either by reverse engineering (e.g. A5/1) or by a leaked description (e.g. RC4).
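The contrast Kerckhoffs' principle draws, and the proprietary-cipher cases above, can be made concrete in code. The following is an added example written for this article, not code from the article's sources: scheme A hides a constant inside the program (the only secret is the design, as with an unpublished proprietary cipher), while scheme B keeps its only secret in a key supplied at run time. In keeping with "the enemy knows the system", the attacker is given both algorithms and runs the same code; the vendor constant, the sample messages, and the HMAC-based stream construction are all illustrative constructions.

```python
"""Kerckhoffs' principle worked through: secret design versus secret key.

Added example for this article. Scheme A, the "vendor secret" constant, the
HMAC-SHA256 keystream construction and the sample messages are illustrative
constructions, not any real product or the article's own code.
"""
import hashlib
import hmac
import os
from typing import Optional

# Scheme A ("proprietary" cipher): the 32-byte pad below is the designer's
# secret. It ships inside every copy of the program, so reverse engineering,
# a leaked listing, or a single known-plaintext pair reveals it for everyone.
_HIDDEN_PAD = hashlib.sha256(b"vendor-secret-2006").digest()


def _xor(data: bytes, keystream: bytes) -> bytes:
    """XOR data with keystream, repeating the keystream if it is shorter."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def obscure_encrypt(plaintext: bytes) -> bytes:
    return _xor(plaintext, _HIDDEN_PAD)


obscure_decrypt = obscure_encrypt  # XOR is its own inverse


# Scheme B (keyed stream cipher): keystream block i is
# HMAC-SHA256(key, nonce || i). A fresh nonce per message means no two
# messages share keystream, so the algorithm can be fully public.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def keyed_encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


# The attacker knows both algorithms, holds one (plaintext, ciphertext) pair
# from a victim, and wants to read a second ciphertext from the same victim.
def known_plaintext_attack(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    recovered_keystream = _xor(known_ct, known_pt)  # ct XOR pt = keystream
    return _xor(target_ct, recovered_keystream)      # reuse it on the target


def demo() -> dict:
    """Run the same attack against both schemes; report which one it broke."""
    # Constructed sample messages; msg1 is at least 32 bytes so the recovered
    # keystream covers a full period of the pad, and msg2 is no longer than msg1.
    msg1 = b"Meeting moved to 0900, bring the quarterly numbers."
    msg2 = b"Wire transfer authorised, reference ACME-77-1023."
    results = {}

    # Scheme A: one known pair yields the whole pad; every other message from
    # every user of the product now decrypts, without ever seeing the source.
    a_ct1, a_ct2 = obscure_encrypt(msg1), obscure_encrypt(msg2)
    results["obscure_broken"] = known_plaintext_attack(msg1, a_ct1, a_ct2) == msg2

    # Scheme B: the pair leaks only the keystream for msg1's nonce. Applying it
    # to msg2 (different nonce) yields noise; the key itself is never exposed.
    key = os.urandom(32)
    b_ct1 = keyed_encrypt(key, msg1, nonce=b"\x01" * NONCE_LEN)
    b_ct2 = keyed_encrypt(key, msg2, nonce=b"\x02" * NONCE_LEN)
    guess = known_plaintext_attack(msg1, b_ct1[NONCE_LEN:], b_ct2[NONCE_LEN:])
    results["keyed_broken"] = guess == msg2
    results["keyed_decrypts_with_key"] = keyed_decrypt(key, b_ct2) == msg2
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that scheme A is broken for every deployment at once, whether the constant reaches the attacker through reverse engineering, a leak, or the known-plaintext step shown here, while scheme B loses nothing when its algorithm is published: each victim's key is the only thing that has to stay secret, and it can be changed without changing the software.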
Keeping algorithms and protocols unpublished means that the ability to review their security is limited to a few people. It is argued that allowing everyone to review the security means that flaws or weaknesses can be identified and fixed sooner. Some argue that operators and developers/vendors of systems that rely on security by obscurity often keep secret the fact that their system is broken, to avoid destroying confidence in their service or product and thus its marketability. Following this train of thought, it is considered possible that this may in some cases amount to fraudulent misrepresentation of the security of their products. Application of the law in this respect has been less than vigorous, in part because terms of use imposed by vendors as part of licensing contracts have (more or less successfully) disclaimed their apparent obligations under statutes and common law in many jurisdictions requiring fitness for use or similar quality standards. Others find this line of argument out of sync with reality, and suggest that the public would be better served if the accusers were to specify who has committed fraud.
The accusers also assert that such designers or vendors, or their executives, often actually believe they have ensured security by keeping the design of the system secret. It appears to be difficult for those who approach security in this way to have enough perspective to realise they are inviting trouble, sometimes very big trouble. This security practice sets users up for trouble when the software they use is accidentally or deliberately disclosed, as has occurred in several cases:

- Diebold Election Systems — voting machine software; apparently accidental publication on an official Web site
- Microsoft — Windows and other software; apparently deliberate penetration of a corporate development network
- RSADSI — cryptographic algorithm software; probably deliberate publication of alleged RC4 source on Usenet
- Cisco — router operating system software; accidental exposure on a corporate network
Others believe the above citations do not support the assertions made regarding the allegedly nefarious intentions of software writers. They suggest that building secure code is challenging, and that the existence of attacks by criminal elements does not imply any degree of dishonest intention on the part of the victims.
When 'secure since obscure' software is widely used, there is potential for widespread trouble; for instance, assorted vulnerabilities in the various versions of the Windows operating system or its mandatory components, such as its default web browser Internet Explorer or its mail applications (Outlook or Outlook Express), have caused worldwide problems when computer viruses, Trojan horses, computer worms, and so on have exploited them.
Software which is deliberately released as open source cannot, in theory or in practice, be said to be relying on security through obscurity, since its design is publicly available. It can nevertheless also experience security debacles (e.g., the Morris worm of 1988 spread through vulnerabilities that were obscure, if widely visible to those who bothered to look), though the frequency and severity of the consequences have been rather less severe than for proprietary (i.e., secret) software. The reason for this divergence has been attributed to the theory that many eyes make all bugs shallow (see Linus's law).
Notwithstanding the above, some executives support "security through obscurity" for protecting corporate information. They appreciate the quest for perfect or "unbroken" solutions, but suggest that absolutes are rarely obtained. Obfuscating corporate software, in their view, is a rational choice for mitigating the risks of reverse engineering and theft of intellectual property. Software obfuscation is not advertised as absolute protection, but it can thwart many attacks that would otherwise be simple.
Historical note

There are conflicting stories about the origin of this term. It has been claimed that it was first used in the Usenet newsgroup comp.sys.apollo during a campaign to get HP/Apollo to fix security problems in its Unix-clone AEGIS / Domain/OS (they did not change a thing). ITS fans, on the other hand, say it was coined years earlier in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture, the term referred to (1) the fact that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community; and (2) (self-mockingly) the poor coverage of the documentation and obscurity of many commands. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as $$^D. Typing alt alt ^D set a flag that would prevent patching the system even if the user later got it right.
See also

- Inside job
- Secure by design
External links

- A Model for when Disclosure Helps Security: What Is Different About Computer and Network Security? by Peter P. Swire
- Eric Raymond on Cisco's IOS source code 'release' v Open Source
- Computer Security Publications: Information Economics, Shifting Liability and the First Amendment by Ethan M. Preston and John Lofton
- "Security Through Obscurity" Ain't What They Think It Is by Jay Beale
- "Is Obsolescence Good Security?"