There was much discussion of “security-by-obscurity” last week. Then, this week, we get a world-class example of security-by-obscurity failing in the real world. I’ll use the Freedom To Tinker write-up, because it’s better than any of the press accounts–as is often the case when you have real experts, rather than journalists, doing the reporting:
The new Dutch transit card system, on which $2 billion has been spent, was recently shown by researchers to be insecure. Three attacks have been announced by separate research groups.
What failed? A combination of factors, not least of which was that the engineers of the system seem to have assumed that their encryption algorithm and key would remain a secret:
Karsten Nohl, “Starbug,” and Henryk Plötz announced an attack that involved opening up a Mifare Classic card and capturing a high-resolution image of the circuitry, which they then used to reverse-engineer the cryptographic algorithm. They didn’t publish the algorithm, but their work shows that a real attacker could get the algorithm too.
Unmasking of the algorithm should have been no problem, had the system been engineered well. Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that security should never rely on keeping an algorithm secret. It’s okay to have a secret key, if the key is randomly chosen and can be changed when needed, but you should never bank on an algorithm remaining secret.
Read the post for the full details, but the next time someone tries to muddy the waters by arguing about what is or isn’t security-by-obscurity, take a look back at this case study of spectacular failure.
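Kerckhoffs’s principle as quoted above, in working code. This is an added example, not code from the Freedom To Tinker post or from the Dutch transit system: the algorithm (HMAC-SHA256 with a per-card key derived from a master key) is entirely public, the only secrets are randomly chosen keys, and those keys can be rotated without touching the algorithm. The card UID, ticket contents and key-diversification scheme are constructed for illustration and say nothing about how Mifare Classic actually works.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration (not from any real deployment).
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")
TICKET = b"zone=1;balance=2500;counter=17"


def derive_card_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Diversify the master key per card: the derivation is public, the master key is not."""
    return hmac.new(master_key, b"card-key|" + card_uid, hashlib.sha256).digest()


def sign_ticket(card_key: bytes, ticket: bytes) -> bytes:
    """Authenticate ticket data with HMAC-SHA256. The algorithm is public;
    only the key is secret, which is exactly what Kerckhoffs's principle permits."""
    return hmac.new(card_key, ticket, hashlib.sha256).digest()


def verify_ticket(master_key: bytes, card_uid: bytes, ticket: bytes, tag: bytes) -> bool:
    expected = sign_ticket(derive_card_key(master_key, card_uid), ticket)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def kerckhoffs_demo() -> dict:
    master_key = secrets.token_bytes(32)  # randomly chosen, as the principle requires
    card_key = derive_card_key(master_key, CARD_UID)
    tag = sign_ticket(card_key, TICKET)

    # Someone who has fully reverse-engineered the algorithm (the public functions
    # above) but lacks the key can only guess one; the tag they produce for a
    # modified ticket does not verify, so publishing the algorithm costs nothing.
    forged_ticket = b"zone=1;balance=999999;counter=17"
    forged_tag = sign_ticket(b"\x00" * 32, forged_ticket)

    # Keys can be changed when needed: after rotation, tags made under the old
    # key are no longer accepted, without any change to the algorithm.
    new_master_key = secrets.token_bytes(32)

    return {
        "genuine_accepted": verify_ticket(master_key, CARD_UID, TICKET, tag),
        "forged_rejected": not verify_ticket(master_key, CARD_UID, forged_ticket, forged_tag),
        "stale_rejected_after_rotation": not verify_ticket(new_master_key, CARD_UID, TICKET, tag),
    }


if __name__ == "__main__":
    print(kerckhoffs_demo())
```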
Great point. In fact, at least as I understand it, encryption algorithms and keys were THE instances where the phrase “security by obscurity is no security at all” was intended to apply. So this Dutch transit example is a perfect case in point. It seems that this “security by obscurity is not security at all” has subsequently been adopted (co-opted?) inappropriately and misapplied as a general principle.
Jack Says: