1993-10-11 - Security through obscurity

Header Data

From: an41418@anon.penet.fi (wonderer)
To: cypherpunks@toad.com
Message Hash: a559d361d22751add6359fdb78f5958ed8d6178055af6d2e1b49f30305dc95d4
Message ID: <9310111947.AA02379@anon.penet.fi>
Reply To: N/A
UTC Datetime: 1993-10-11 19:51:10 UTC
Raw Date: Mon, 11 Oct 93 12:51:10 PDT

Raw message

From: an41418@anon.penet.fi (wonderer)
Date: Mon, 11 Oct 93 12:51:10 PDT
To: cypherpunks@toad.com
Subject: Security through obscurity
Message-ID: <9310111947.AA02379@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain


I know that it is pretty much accepted by the security
community that security through obscurity is useless. There
are countless references to this, and it is a strong
argument in favor of publishing algorithms. 

From time to time, however, it is healthy to question policies
such as these and ask ourselves whether or not this is a good
idea. It seems that Denning has changed her mind on this by
advocating the secrecy of the Skipjack algorithm.

All of the known plaintext attacks on algorithms such as
DES that involve exhaustive key search are based on knowledge
of the algorithm. Wouldn't keeping the algorithm a secret
render such chips as the one presented in Eurocrypt '93
useless?

I agree that analysis is more difficult when you don't know
if an intruder has compromised your algorithm, but if it were
my data that I wanted kept secret I wouldn't give the
cracker a head start by publishing my algorithm. Clipper has
proven how difficult it is to reverse engineer an algorithm.

Let me just say that I know I have violated an accepted
doctrine of computer security, but I think it's okay to
question even the most accepted ideas every once in a while.
I thought this would be a bit provocative.

Wonderer
-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.




