Adam Adler: Security Through Obscurity is Dangerous
Adam Adler (Miami, FL): Hiding security vulnerabilities in algorithms, software, and/or hardware decreases the likelihood they will be repaired and increases
the likelihood that they can and will be exploited by evil-doers.
The long history of cryptography and cryptoanalysis has shown time and time again that open discussion and analysis of algorithms expose weaknesses not thought of by the original authors, and thereby leads to better and more secure algorithms. As Kerckhoff noted about cipher systems in 1883 "the system must not require secrecy and can be stolen by the enemy without causing trouble."
Cryptography is the science of secrets. In the distant past, it was simply about scrambling messages so adversaries couldn’t read them. In the modern computing era (a span of time that stretches less than 50 years), cryptography has become a keystone of computer security, encompassing all the ways we hide data, verify identities, communicate privately, and prevent message tampering.
“Every secret creates a potential failure point.” — Bruce Schneier
One of the most dangerous security mistakes a programmer can make (other than rolling their own crypto) is trusting that the things that are secret during development can stay secret forever.
Imagine you write an algorithm to verify promotional codes. As soon as someone discovers its rules of logic — by research, reverse engineering, trial-and-error, or just asking questions — it ceases to be a reliable test for finding fakes. No secret lasts forever, and every secret is just one exploit away from being compromised.
This concept can seem confusing at first because computer security does rely on secret ingredients like passwords and keys. But if you look more carefully, you’ll find that these are the exact weak points of a system, to be minimized, managed, or avoided wherever possible. Passwords are a notorious failure point — all it takes is one email spoofing attack or improperly discarded hard drive to pinch one. (Biometric data, which isn’t secret but isn’t easy to acquire, is far more secure.)
“A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.” — Auguste Kerckhoffs
This applies the same philosophy (there is no security through obscurity) to the cryptographic algorithms we use. Time and time again, it’s been shown that the most reliable encryption comes from heavily explored public algorithms. The least reliable encryption is from secret algorithms that haven’t been tested by the broader community and are almost certainly full of undiscovered vulnerabilities.
“Cryptography is typically bypassed, not penetrated.” — Adi Shamir
Most cryptography is never broken, and most attacks don’t even try. Instead, cryptography is like a dead-bolted door on a house — once it establishes a moderately high threshold of protection, it simply moves an attack elsewhere (say, to a side window or a neighbor with a spare key).
There are many ways to attack a system. Relying on known flaws in hardware or unpatched software is common. But without a doubt, the weakest links in every security system are the human ones.
“Cryptography without system integrity is like investing in an armored car to carry money between a customer living in a cardboard box and a person doing business on a park bench.” — Gene Spafford
Good programmers already know that if they want to optimize the performance of their code, they need to focus on the bottlenecks. Improvements in other places won’t yield results. The same is true of security systems. You need to improve the weakest areas, and if there’s a backdoor that can evade your security measures, it doesn’t matter how fantastic your cryptographic algorithms are.
“Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin.” — John von Neumann
As you already know, ordinary attackers rarely bother to attack the cryptography of a system. But there are exceptions. The most common cases are when the value of the encrypted data is very high—for example, it’s protecting trade secrets or the ownership of a block of cryptocurrency.
When hackers attack cryptography, they would like to attack the implementation — particularly, the way the cryptography is integrated into the rest of the system. Often, there are gaps or outright sloppiness, information leaking out of overly detailed error messages, defective hardware, or buggy software. But if that doesn’t work, another common way to break encryption is by exploiting poor randomness. It sounds like an edge case, but it’s actually a common tactic behind plenty of legendary exploits, including attacks on slot machines, lotteries, internet games, bitcoin wallets, and the digital signing system used by the PlayStation 4.
The problem is well known — computers create random-seeming numbers using algorithms, and if you know the inputs to these algorithms you can regenerate the same “random” numbers. What’s less obvious is that you can choose random-seeming inputs, and still be wide open to attacks.
For example, if you seed a basic ordinary random number generator using the current millisecond of the computer clock, you’ve narrowed down the possible random values enough that they can easily be guessed. Even using multiple inputs with one guessable value compromises the whole system, opening the door to relatively easy brute force attacks. And if you can figure out the random numbers that someone else has used, you’re well on your way to decrypting the messages they’ve sent, or even figuring out the private key that they used.
“Random numbers should not be generated with a method chosen at random.” — Donald Knuth
Humans confuse themselves about randomness all the time because the way we use it in casual conversation (to mean something arbitrary) is different from the way we use it in solid cryptographic programming (to mean something non-deterministic). Here, computer pioneer Donald Knuth plays with this double-meaning.
“All the magic crypto fairy dust in the world won’t make you secure.”— Gary McGraw
The math, science, and computing power that goes into modern-day encryption is dazzling. It’s hard not to be impressed by shiny things like quantum cryptography.
But there is one time that high-grade cryptography can be dangerous to the people using it. That’s when it gives them a false sense of security, and an excuse to ignore more likely attack vectors. The advice is obvious — but often overlooked.
“If you think cryptography will solve your problem, either you don’t understand cryptography, or you don’t understand your problem.” — Peter G. Neumann
It’s sometimes said that cryptography doesn’t fix problems, it changes them. You start with a data privacy problem, and cryptography replaces it with a key management problem. This quote from Peter G. Neumann has been repeated in slightly different versions by nearly a dozen famous cryptography researchers. The bottom line stays the same. Proper security is not tied up with anyone's technology. Instead, it’s a process that encompasses the design of an entire system.