Re: Standard for Stenography?
	 I welcome any and all of Bill Stewart's comments on this
	 issue.  I have, since the beginning, noticed a distinct
	 dislike of "security-through-obscurity" among the senior
	 members of this and other similar lists/newsgroups.  Many
	 people preach this dislike.  Most don't seem to understand its
	 foundations fully; nevertheless, they consider it a closed
	 issue and usually don't bother to explain why.

Obscurity is certainly a help.  Attacking an unknown system is very
much harder than attacking a known one.  And everyone in the business
knows that.

However -- in the real world, as opposed to an academic exercise,
you cannot keep an algorithm secret forever.  Partners will betray
you, spies will steal copies, enemies will capture them.  Do you
trust everyone on cypherpunks?  Should you?  If your algorithm is not
strong enough to withstand an attack by an enemy who has captured
it, you're in trouble.  And although you can replace the algorithm,
it's a lot harder than changing keys -- good cryptoalgorithms take
a *lot* of work, and the details often matter a lot.  Besides, your
old traffic will then be readable.

Security through obscurity is more than a buzzword.  It's a necessity
in this business.


		--Steve Bellovin