Ross Patel, a cryptology researcher at AFENTIS and member of the BCS Security Expert Panel, Computing 20 January 2005.

A fresh look at a misunderstood concept

Security through obscurity (STO) is a controversial principle in security engineering based on the premise that secrecy of an element or function can ensure security of the whole.

One of the first lessons any aspiring security professional or system administrator learns is: 'security through obscurity is bad'. Its underlying logic and simplicity seem beyond question.

However, a fresh look at STO can help dispel some of the myths and illustrate how obscurity can be a very powerful tool for providing security and assurance.

When specialists talk about STO the real concern is 'security implemented solely through obscurity' - a state where the only protection mechanism involved is the hiding of critical details on the presence, setup or function of an asset.

This is like a business running a file-server on the corporate network and providing the IP address of the system to only those within the firm with a need to know. If even basic password protection is not employed, the security burden lies with the assumption that only those in the know will be able to find and access the server.

Taking this example further, administrators sometimes place sensitive services on non-standard ports to hide their presence and defeat script-kiddie tools that seek to exploit vulnerabilities in common programs. The simple act of placing the service on a different port is often more than sufficient to thwart such attacks, because the tools are hard-coded to look for banners (responses to a connection) from services running on standard ports.

Moving the file-server to an unassigned port of 21000 may provide some degree of insulation from such automated attacks, but the underlying access control remains obscurity.

These scenarios present a dangerously simplistic approach to security and in the absence of significant access controls anyone with a curious nature or a port scanner could quickly locate and gain entry to the server.

This helps illustrate that 'security implemented solely through obscurity is bad.' Systems built on the STO premise may have theoretical or actual security vulnerabilities, but designers can be reluctant to remedy the situation if they believe that the flaw cannot be exploited because attackers are unlikely to be able to find it.

Obscurity, however, isn't always a bad idea. In the 19th century the cryptographer Auguste Kerckhoffs said: 'a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.'

This statement takes the position that cryptosystems should be secure even when an opponent has full working knowledge of the mechanisms employed for confidentiality - so STO by itself is insufficient protection.

Military cryptosystems are typically developed in accordance with Shannon's Maxim - 'the enemy knows the system', but also employ a level of obscurity protection, where the underlying protocols will be maintained as a closely guarded secret; often even withheld from operational users.

Whilst clearly an act of obscurity, it is not the only control in effect; instead it is viewed as complementary to the confidentiality and integrity methodologies built into the cipher system.

The obscurity element forces an adversary to begin from a position of distinct disadvantage. Analysis of the system must be made in a 'black box' environment with the mechanics of the system slowly evaluated and understood.

Only through monitoring and assessing can a picture of the internal workings be developed. However, just as a determined intruder can steadily build up a picture of a firewall rule-set through systematic packet-level probing and analysis, such continued probing makes it increasingly difficult to operate quietly and with stealth.

Each query and connection increases the profile of the reconnaissance (or attack) and provides greater opportunity for administrator detection and response.

Obscurity can slow reconnaissance activity, thwart scripted attacks, and force the concerted adversary to undertake activities that can no longer be stealthy, resulting in increased exposure.
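As an added illustration of this point (example code, not from the article): a small detector run over constructed firewall log lines, which flags any source that touches many distinct ports within a short window. A client that already knows the obscured port makes one connection, while a host hunting for it sweeps ports and leaves a visible trail. The log format, IP addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log line format (constructed for this example):
#   <ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def find_scanners(log_lines, distinct_ports=10, window=timedelta(minutes=5)):
    """Flag sources that touch >= distinct_ports different ports within `window`.

    Returns {src: number_of_distinct_ports_seen_in_the_first_qualifying_window}.
    """
    hits = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            hits[src].append((ts, dport))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= distinct_ports:
                flagged[src] = len(ports)
                break
    return flagged


# Constructed sample: one legitimate client that knows the service sits on
# port 21000, and one host sweeping ports 20-40 looking for it.
SAMPLE_LOG = ["2005-01-20T10:00:01 ACCEPT src=10.0.0.5 dst=10.0.0.9 dport=21000"]
SAMPLE_LOG += [
    f"2005-01-20T10:05:{i:02d} DROP src=198.51.100.7 dst=10.0.0.9 dport={20 + i}"
    for i in range(21)
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'198.51.100.7': 21}
```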

Security can be complemented by obscurity measures, and as long as they are not employed in complete isolation, obscurity can be considered another powerful tool in the arsenal to provide defence in depth.