A New Take on Security through Obscurity

The times they are a-changin’.


I was talking with Matt over the weekend and we started talking about security through obscurity. It’s nothing new; it’s been used for decades. The idea is “a controversial principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to ensure security” (Source: http://en.wikipedia.org/wiki/Security_through_obscurity).

Slashdot linked to a Wired article about Kryptos, a rather cool sculpture located on the grounds of the CIA. It turns out that there’s a typo that’s affected the current decryption efforts.

My thought is this: you have a message you want to encrypt. If you introduce small errors into the spelling of words, errors that still easily convey the message, are decryption efforts hindered? If so, is the hindrance significant?
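One way to put that question to a small test, as an added example that is not part of the original post: it checks a single toy case, a Caesar shift cipher attacked by letter-frequency scoring, run once on a clean message and once on a misspelled copy. The cipher, the sample messages, the frequency table and all function names are assumptions made for the illustration.

```python
import string

# Approximate relative frequencies (%) of letters a-z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def caesar(text, shift):
    """Shift each letter by `shift` positions; drop everything else."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) for c in letters)

def chi_squared(text):
    """Distance between the text's letter counts and English expectations."""
    n = len(text)
    score = 0.0
    for i, freq in enumerate(ENGLISH_FREQ):
        expected = n * freq / 100
        observed = text.count(chr(97 + i))
        score += (observed - expected) ** 2 / expected
    return score

def recover_shift(ciphertext):
    """Try all 26 shifts; return the one whose decryption looks most English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

# Constructed sample message and a deliberately misspelled copy of it.
CLEAN = ("Meet the courier at the north entrance of the station tonight and "
         "bring the second set of documents with you before the last train leaves")
TYPOS = ("Meat the courrier at the nroth entrence of the staton tonite and "
         "bring the secnd set of documants with yuo before the lasst train leevs")

def demo(shift=11):
    """Encrypt both messages with the same shift, then recover it blind."""
    return {label: recover_shift(caesar(msg, shift))
            for label, msg in (("clean", CLEAN), ("typos", TYPOS))}

if __name__ == "__main__":
    print(demo())
```

In this toy case the shift is recovered for both messages, because a handful of misspellings barely moves the letter-frequency profile the scoring relies on.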

For the record, I think security through obscurity (StO) is a bad idea in general. It relies on the ability to keep information sequestered as a means of security. Once the information is released, the entire security blanket is destroyed. The exception to this is when StO is used as a final layer of security, where there are actual strong cryptographic efforts established and StO is enabled as a final level of security designed to merely delay cracking attempts.
