If you’ve been around security for any amount of time you’ve been drilled that obscurity is bad. Basically, anyone talks about hiding something, or obscuring its meaning in any sort of way, causes people to freak out.
That’s obscurity, not security! RAAAWWWRRR!
[ Actual quote. ]
But people who’ve been around security for a while also know that OPSEC is a good thing. OPSEC is when you avoid giving information to your enemies that can help them attack you. You hide your communications. You hide your travel plans. Etc.
(record screech sound)
Hiding your communications? Hiding your plans? That’s obscurity!
A unified theory of obscurity and security
To sort this out you need to back up a few steps. Security is the process of reducing risk, and risk can be captured as:
risk = probability X impact
Impact is how bad it would be if something happened, and Probability is the chance of that bad thing taking place.
Well, OPSEC (and obscurity in general) is used to reduce the probability of the bad thing happening. Hiding your communications, or your logistical plans, etc., can reduce the chance of being ambushed, for example. And putting camouflage on a tank reduces the chances that it’ll be targeted by an enemy.
Those are reductions in probability, and therefore reductions in risk, and therefore increases in security.
The aversion to obscurity in the context of security has been taught to incoming security professionals as religion as opposed to science, and it’s time for it to end.
- The Kerckhoff Principal is something of a red herring in this conversation. It says that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. It’s a very crypto-specific point. Can you imagine saying that a military operation should be secure even if everything about its operation is known? Or that a corporation should be secure if all its salaries, business deals, and customer data were known? The problem with the entire narrative is that people have been applying Kerchhoff’s Principal to infosec in general, not realizing that it’s a concept for securing cryptographic systems, not everything.