Alan DeKok wrote:
Brian Hatch <bugtraq@ifokr.org> wrote:With one other critical factor: Systems that can be *properly* criticized for being "security through obscurity" have the property that the "obscurity" factor is fixed at software release time, or earlier. Thus the attacker need only crack the key once, and then own thousands of copies.
People keep saying "but it won't stop everything", and that's true.
Exactly. Even DES isn't "perfectly" secure, (i.e. unbreakable). It *obfuscates* the data, but does not *secure* it. The benefit of DES is that it has a provable level of obfuscation. This takes the security versus obscurity argument from the realm of personal opinion to one of quantitative statements. We should have a similar goal for this discussion.
Systematic diversity (as explored by me <http://wirex.com/%7Ecrispin/crackerpatch.pdf>, Forrest et al, proposed in Bugtraq yesterday by Huang, and here in this thread) is qualitatively different in that the "key" (the degree of rebasing offset) can be chosen at runtime. If it is chosen with sufficient entropy, then it is as effective as a similar amount of entropy in your favorite crypto system. More, because with crypto the attacker can grind on your ciphertext off line, but with systematic diversity, the attacker has to grind on your machine, which you tend to notice sooner or later :-)
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
Attachment:
pgp00290.pgp
Description: PGP signature
