1994-09-21 - Security through obscurity

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: ianf@wiley.sydney.sgi.com (Ian Farquhar)
Message Hash: 1c84d0ef6abdd77987289fa31f3f7a156e7a112ac87a7ee8ea8cbb8925a0e2e0
Message ID: <199409211447.KAA14579@bwh.harvard.edu>
Reply To: <9409211035.ZM14893@wiley.sydney.sgi.com>
UTC Datetime: 1994-09-21 14:48:10 UTC
Raw Date: Wed, 21 Sep 94 07:48:10 PDT

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Wed, 21 Sep 94 07:48:10 PDT
To: ianf@wiley.sydney.sgi.com (Ian Farquhar)
Subject: Security through obscurity
In-Reply-To: <9409211035.ZM14893@wiley.sydney.sgi.com>
Message-ID: <199409211447.KAA14579@bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


Ian Farquhar wrote:

| > > crypto hardware), that the design of the cipher may be easier to keep
| > > secret than the key itself.  As such, the use of security by obscurity
| > > in the design of the cipher itself is a lot more effective than most
| > > people would give it credit for.
| 
| > While this may seem to be a joke comment, it is not.
| 
| Remember that what is being secured here is almost certainly a stronger
| cipher than any of us have access to (representatives of TLA's excepted :),
| and so the public scrutiny issue does not arise.

| I agree with Black Unicorn's phrase: security by obscurity alone is no
| security.  If we need a buzzphrase - which itself is questionable - then
| that's about as close as we'll get.

	Obscuring things can be a useful part of a security system for
an organization.  The phrase "security through obscurity" refers to
systems which are all smoke and mirrors.  Good security comes from
reinforced concrete.  If you add smoke and mirrors in front of
concrete, you don't decrease your security.  Unless, of course, you
can't see what's coming because of all the smoke.


Adam




