Alberto Treviño wrote:
> "Security by obscurity" is a huge misnomer.  ALL forms of security must rely 
> on obscurity.  Even the venerable SSL standard and its corresponding 
> protocols rely on a SECRET or private key for their security.  If that 
> "obscure" bit of data is leaked, SSL security is brought to naught.

No, this is not a correct analogy.  SSL is based on the idea that the
public key is known to the world and not secret.  The SSL private key
may indeed be an "obscure" secret, but for SSL to function the private
key need not be revealed at all, ever.  See the difference?  With security
by obscurity, you're relying on the fact that only the party you wish to
communicate with knows some obscure secret configuration or sequence.  But
the other party has to know it in order to communicate.  If we are to
use your analogy, then security by obscurity is requiring a shared key
that multiple parties may or may not know.  With PKI, it doesn't matter
that the entire world knows your public key, because as long as you know
your third party's public key, you can encrypt a message that is
guaranteed to only be readable by him or her, and is guaranteed to be
from you.  That is the basis of a secure algorithm.  Security really
means that even if you know the mechanism and can see the communication,
you cannot intercept it.  Security by obscurity is an attempt to hide
something that is fundamentally insecure such that the system appears,
fraudulently, to protect users and data.
--------------------
BYU Unix Users Group 
http://uug.byu.edu/ 

The opinions expressed in this message are the responsibility of their
author.  They are not endorsed by BYU, the BYU CS Department or BYU-UUG. 
___________________________________________________________________
List Info: http://uug.byu.edu/mailman/listinfo/uug-list
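The distinction drawn in the reply above (a public key that the whole world may know, a private key that is never transmitted, and a message that only the intended recipient can read) can be shown concretely. The following Go program is an added example written for this page; it is not code from the thread or from any SSL implementation, and it models the reply's argument with plain RSA rather than the actual TLS handshake. The party names (Alice, Bob, Eve) and the message text are constructed for the demonstration. Confidentiality comes from encrypting to the recipient's public key (RSA-OAEP); the "guaranteed to be from you" property comes from a signature made with the sender's own private key (RSA-PSS), which the recipient checks with the sender's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds a long-term RSA key pair. Only Pub is ever handed to anyone
// else; priv stays with its owner for the life of the key.
type Party struct {
	Name string
	priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// NewParty generates a fresh 2048-bit key pair for the named party.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: &priv.PublicKey}, nil
}

// Seal encrypts msg so that only the holder of the private key matching
// recipient can read it, then signs the ciphertext with the sender's own
// private key so the recipient can check who sent it. Nothing secret is
// needed from the recipient side: the recipient's public key is enough.
func (p *Party) Seal(msg []byte, recipient *rsa.PublicKey) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return ct, sig, nil
}

// Open first verifies the signature against the claimed sender's public key
// (rejecting forgeries and tampered ciphertext), then decrypts with the
// receiver's own private key. Anyone without that private key, even with
// both public keys and the full ciphertext, gets an error here.
func (p *Party) Open(ct, sig []byte, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("%s: signature check failed: %w", p.Name, err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("%s: decryption failed: %w", p.Name, err)
	}
	return pt, nil
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	eve, _ := NewParty("eve") // eve knows the algorithm and both public keys

	// Constructed sample message for the demonstration.
	msg := []byte("meet at the usual place")

	ct, sig, err := alice.Seal(msg, bob.Pub)
	if err != nil {
		panic(err)
	}

	// The intended recipient reads it.
	pt, err := bob.Open(ct, sig, alice.Pub)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)

	// An observer with the ciphertext and every public key cannot.
	_, err = eve.Open(ct, sig, alice.Pub)
	fmt.Printf("eve reads: err=%v\n", err)

	// A message Eve seals to Bob does not verify as coming from Alice.
	fct, fsig, _ := eve.Seal([]byte("forged"), bob.Pub)
	_, err = bob.Open(fct, fsig, alice.Pub)
	fmt.Printf("forgery:   err=%v\n", err)
}
```

Note what the observer is given: the full mechanism (this source code), the ciphertext on the wire, and every public key. What she lacks is Bob's private key, which never left Bob's machine. That is the property the reply is describing, and it is the opposite of a shared "obscure" configuration that both ends must already know and that becomes useless the moment it is learned.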