Posted on 10/05/2005 7:42:38 AM PDT by N3WBI3
You guys just can't let it go. Think long enough and parse enough words and you'll get that square peg into that round hole.
GE has a valid point. And opsec is all about obscurity.
Obscurity: The quality or condition of being imperfectly known or difficult to understand
Confidentiality: Entrusted with the confidence of another
Secrecy: The quality or condition of being secret or hidden; concealment.
The process is one in which you take a well-known algorithm, well documented and reproducible, to generate a key which you will keep secret. Is this Obscurity, Confidentiality, or Secrecy?
Good definitions. They should have been brought out early on as in a couple threads the term obscurity has been used to mean secret (by both sides making points).
But in addition to that, the definition of obscurity still fits many of the arguments made from both sides.
Confidentiality (from the posts I've read closely) doesn't fit in the discussion of security by obscurity.
Security comes through architecture and design. Be it open or closed source, that's the only place you're going to make anything more secure.
The normalized signature must still be stored. Without something pre-existing and secret, you can't verify. Duh.
Agreed but it was a term that was used so I threw it out there..
In the same way I think it's abusing the English language, and I would know ;), to say that obscurity is the practice of generating private keys with a known defined algorithm. Secrecy is easily the best definition.
Exactly, when the bottom line is they're typical new age thinkers who somehow believe everything must be open for it to be secret, even though those are by definition diametrically opposed. The deeper and deeper into obscurity I want to hide something, obviously the harder and harder it would be for anyone to dig it out. And without my key, like a password, their only hope is brute force.
Using N3WBI3's definition of Obscurity...it looks to me as if it describes one of the properties of a one-way hash.
So that catch phrase of security via obscurity is no security isn't accurate.
Something that used to work years ago (it has probably been fixed by now) is zipping a zip file...
Actually after thinking about that...obscurity is one of the properties of a one-way hash. It takes a phrase and makes it obscure so that if you receive the hash you won't be able to work backwards and get the true phrase (unless you have the key). However, the message is still there in the hash (assuming the hash doesn't have any collisions). SO the hash is obscuring the message.
Would it be more accurate to say it depends on how the hash is generated? If I know how to generate a hash in the exact same manner, is what you're doing obscure?
It would be, but of course I never said that. I'm "hiding" the key in obscurity, making it "private". You have to find the key in order to unlock the encryption. Right now you don't even know where my key is, much less what it is. Same with my password.
Not surprising newbie would try to slip the 3rd definition in as the proper one.
http://dictionary.reference.com/search?q=obscurity
1. Deficiency or absence of light; darkness.
2a. The quality or condition of being unknown
2b. One that is unknown.
3. The quality or condition of being imperfectly known or difficult to understand
IMO, if you can't read it, or get your hands on it well enough to actually use it, it is effectively obscure.
Not really, because it's a one-way hash, so that the hash is something that is obscure even if you know how it was created. The whole point of a hash is to make it hard to get back to the original phrase.
So if my password is "P@ssW0rd" and the hash is "39d**(30%4kK3!@" there is no easy way to know my password. In fact, the only one that really knows how to create that hash is the person that knows the password. The hash is what is kept on a computer(s). When I need to access info and the computer wants to verify it's me I enter my password...the computer runs it through the one-way hash and checks if it matches the hash it has on file for my password (it doesn't have my password stored). If it matches it assumes it's me.
So the one-way hash is obscure to anyone that may get access to the hash. You still want to keep your obscure hash SECRET as brute force attacks on the hash can still work (assuming the algorithm that created the hash is known). Hence that's why NSA and super secret orgs don't release their algorithms for creating a hash.
So secrecy and obscurity are still fundamental to security. I've been staying out of this one a bit more than usual as it goes against conventional wisdom (or at least a catch phrase that I thought was gospel). But GE taught me something (not really anything I didn't already know, but never put the logic together to refute that catch phrase).
Misspoke...let me fix that...
So the password is obscure to anyone that may get access to the hash.
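The login check described in the post above (store a hash, re-hash the entered password, compare), as an added example that is not part of the original thread. The choice of PBKDF2-HMAC-SHA256, the iteration count, the function names and the common-password list are assumptions of this example; "P@ssW0rd" is the sample password from the post.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example; the algorithm itself is public.
ALGORITHM = "sha256"
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what the server keeps on file: salt, work factor and digest.

    The password itself is never stored.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Re-run the one-way function on the login attempt and compare digests."""
    candidate = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def first_weak_match(record: dict, common_passwords: Iterable[str]) -> Optional[str]:
    """Audit check: is the stored record derived from a commonly used password?"""
    for guess in common_passwords:
        if verify(guess, record):
            return guess
    return None


if __name__ == "__main__":
    record = make_record("P@ssW0rd")  # sample password taken from the post
    print(verify("P@ssW0rd", record))
    print(verify("p@ssw0rd", record))
    # Constructed list standing in for a common-password audit list.
    print(first_weak_match(record, ["letmein", "P@ssW0rd"]))
```

The per-record random salt makes two users with the same password produce different digests, and the iteration count sets the cost of every guess made against a stored record.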
You're welcome, but I can only imagine what the hounds of hell will think of you saying that, prepare for a major onslaught of BS. But actual conventional wisdom and even common sense will tell you that hiding something by definition makes it more secure, ask any common man who hasn't been "enlightened" by these new age theories, LOL.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.