The New Theory of Security By Obscurity
“A recent research paper tackles the idea of security by obscurity. The basic idea is that you can improve system security by making it hard to find out how it works…
As a code protection principle, obfuscation has always seemed obvious, but there are two general principles of security that suggest it is probably a waste of time.
- Kerckhoffs’ Principle that there is no security by obscurity,
- Fortification Principle that the defender has to defend all attack vectors, whereas the attacker only needs to attack one.
These two principles are more generally applied to systems, and not just software, but they give us cause for concern – after all, systems are mostly accumulations of software…
The new research suggests that security is a game of incomplete information and you can learn a lot by examining your attacker’s behaviors and algorithms – his “type” – and that obscuring your game really does bring an advantage and improve your odds of winning. In short, obfuscation is a good general principle – i.e. make it hard for your attacker to find out how best to attack you.
The paper, which is well worth reading for its presentation of the general security problem, presents a “toy” security game of incomplete information where the best strategy is to try to characterize the attacker’s type while giving away as little as possible about the defender’s type. The idea of logical complexity is also used to characterize the amount and nature of the obscurity involved.”
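A constructed toy game illustrating the incomplete-information claim above (added example code, not the paper's game or the quoted author's code): the defender's hidden "type" decides which attack vector works, the attacker sees a signal whose accuracy `leak` is an assumed parameter, and a Bayesian attacker with a fixed effort budget does worse the less the defender reveals.

```python
"""Toy incomplete-information security game (constructed illustration).

The defender has one of N "types"; each type falls only to its own attack
vector. The attacker sees a noisy signal naming the true type with probability
`leak` (1/N = nothing revealed, 1 = full disclosure), updates a uniform prior,
and spreads a fixed effort budget over the N vectors as a Bayesian best
response. Effort e on the right vector wins with probability 1 - exp(-e).
"""
import math

def posterior(n_types, leak, signal):
    """Attacker's belief over defender types after seeing `signal` (uniform prior)."""
    other = (1.0 - leak) / (n_types - 1)
    return [leak if t == signal else other for t in range(n_types)]

def success_prob(belief, alloc):
    """Expected break-in probability of an effort split under a belief."""
    return sum(p * (1.0 - math.exp(-e)) for p, e in zip(belief, alloc))

def compositions(total, parts):
    """All ways to split `total` discrete effort units over `parts` vectors."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest

def best_response(belief, budget, steps=21):
    """Grid-search the effort split that maximises expected success."""
    splits = ([c * budget / steps for c in comp] for comp in compositions(steps, len(belief)))
    return max(splits, key=lambda alloc: success_prob(belief, alloc))

def attacker_success(n_types, leak, budget=1.0):
    """Attacker's expected success, averaged over the true type and the signal."""
    total = 0.0
    for true_type in range(n_types):
        for signal in range(n_types):
            p_signal = leak if signal == true_type else (1.0 - leak) / (n_types - 1)
            alloc = best_response(posterior(n_types, leak, signal), budget)
            total += p_signal / n_types * (1.0 - math.exp(-alloc[true_type]))
    return total

if __name__ == "__main__":
    # Sweep how much the defender leaks about its type: more obscurity, fewer break-ins.
    for leak in (1 / 3, 0.5, 0.7, 0.9, 1.0):
        print(f"leak={leak:.2f}  attacker success={attacker_success(3, leak):.3f}")
```

With three types and a unit budget, full disclosure lets the attacker concentrate everything on the one working vector, while pure obscurity forces an even three-way split, which is the Fortification Principle turned back on the attacker.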