*BSD News Article 62862



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!newshost.telstra.net!act.news.telstra.net!psgrain!iafrica.com!pipex-sa.net!plug.news.pipex.net!pipex!tube.news.pipex.net!pipex!lade.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.mathworks.com!zombie.ncsc.mil!nntp.coast.net!swidir.switch.ch!in2p3.fr!univ-lyon1.fr!ensta!itesec!keltia.frmug.fr.net!not-for-mail
From: roberto@keltia.freenix.fr (Ollivier Robert)
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Date: 5 Mar 1996 20:44:47 GMT
Organization: Usenet Canal Historique
Lines: 24
Message-ID: <4hi93v$qas@keltia.freenix.fr>
References: <4gi6t6$3h9@lace.colorado.edu> <1996Feb25.152559.8977@jarvis.cs.toronto.edu> <4gvchb$ln5@senator-bedfellow.MIT.EDU> <4h7rdd$qeu@park.uvsc.edu>
NNTP-Posting-Host: keltia.freenix.fr
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:90123 comp.os.linux.development.system:18729 comp.os.linux.networking:30722 comp.unix.bsd.bsdi.misc:2554 comp.unix.bsd.netbsd.misc:2391 comp.unix.bsd.freebsd.misc:14929

In article <4h7rdd$qeu@park.uvsc.edu>,
Terry Lambert  <terry@lambert.org> wrote:
> Public key cryptography (RSA, et al.) is the ultimate in
> security through obscurity.

Not at all.

PK Crypto relies on _secrecy_ of the key (and its size of course, you can't
rely on 384-bit PGP keys for example), not on the algorithm itself or
something else you may try to hide.

Every cryptographic system has to have a secret somewhere. That does not
mean it uses security by obscurity -- at least not in the sense of SBO as
used by firewall folks.

Hiding things like an algorithm or an operating system will not help
security. Many crackers (I don't use the term "hacker" even if I know this
particular battle is lost) have never seen AIX or VM/CMS source code and
there have been intrusions in them. Keeping RC4 and RC2 as "trade secrets"
has not added to their security.

-- 
Ollivier ROBERT  -=- FreeBSD: The daemon is FREE! -=-  roberto@freebsd.org
-=-=-=-=-=-=-=-=-=-=- FreeBSD 2.x FAQ maintainer -=-=-=-=-=-=-=-=-=-=-=-=-