*BSD News Article 63659



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.eng.convex.com!newshost.convex.com!news.duke.edu!news.mathworks.com!fu-berlin.de!news.dfn.de!uni-muenster.de!news
From: gutschk@uni-muenster.de (Markus Gutschke)
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Date: 03 Mar 1996 10:26:17 GMT
Organization: Markus Gutschke, Schlage 5a, 48268 Greven-Gimbte, Germany
Lines: 49
Message-ID: <GUTSCHK.96Mar3112617corpus@uni-muenster.de>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com>
	<y5ad974s4v4.fsf@graphics.cs.nyu.edu> <4gqf17$1lr@cynic.portal.ca>
	<1996Feb25.152559.8977@jarvis.cs.toronto.edu>
	<4gvchb$ln5@senator-bedfellow.MIT.EDU> <4h7rdd$qeu@park.uvsc.edu>
NNTP-Posting-Host: pppe187.uni-muenster.de
Mime-Version: 1.0 (generated by tm-edit 7.41)
Content-Type: text/plain; charset=US-ASCII
In-reply-to: Terry Lambert's message of 1 Mar 1996 21:49:33 GMT
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:92416 comp.os.linux.development.system:19457 comp.os.linux.networking:31905 comp.unix.bsd.bsdi.misc:2672 comp.unix.bsd.netbsd.misc:2480 comp.unix.bsd.freebsd.misc:15522

-----BEGIN PGP SIGNED MESSAGE-----

In article <4h7rdd$qeu@park.uvsc.edu> Terry Lambert <terry@lambert.org> writes:
> ghudson@mit.edu (Greg Hudson) wrote:
> ] Chris Colohan (colohan@eecg.toronto.edu) wrote:
> ] : 1.  Security through obscurity.  More people have access to the source
> ] : code for your OS, so there is a greater chance of someone finding a
> ] : security flaw and exploiting it before you can fix it.
> ] 
> ] It's disappointing that some people still think that security through
> ] obscurity is a net gain.
> 
> Public key cryptography (RSA, et al.) is the ultimate in
> security through obscurity.  People trust it every day.

I cannot really see why public key cryptography implies
obscurity. The whole point of public keys is the fact that the
algorithm and the encoding keys are public.

The question whether public key encryption is secure is not related
to it being public. The security of RSA is based on the assumption
that there is no good algorithm for factorizing large prime
numbers. As it is so far impossible to *prove* whether this assumption
is true, it is also impossible to say if RSA is really as secure as
people believe it to be.

Of course there are plenty of poor implementations of encrypting
algorithms. Even if you use something as good (?) as RSA or triple-DES
(or preferably a combination of both) you can still mess up with the
implementation of your code and effectively render the security
void. A well-known example is Microsoft's problem with encrypting
network passwords. In this case it would actually have helped if they
had released the source code before distributing thousands of insecure
copies, because people would then have been able to tell them that
they screwed up :-)

Markus


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

-----END PGP SIGNATURE-----