
saltzer and schroeder on information protection



this is taken from a paper i'm writing with avi rubin.  
it's not a sound bite, more like a snack.

	peter

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Experts dismiss systems that hide cryptographic algorithms or protocols
(a.k.a. "security through obscurity").  Kahn [1] cites Kerckhoffs'
classic treatise on military security [2].  Saltzer and Schroeder [3]
reflect the modern view in describing "open design" as one of the
basic principles of information protection:

   The design should not be secret.  The mechanisms should not depend
   on the ignorance of potential attackers, but rather on the
   possession of specific, more easily protected, keys or passwords.
   This decoupling of protection mechanisms from protection keys
   permits the mechanisms to be examined by many reviewers without
   concern that the review may itself compromise the safeguards.  In
   addition, any skeptical user may be allowed to convince himself that
   the system he is about to use is adequate for his purpose.  Finally,
   it is simply not realistic to attempt to maintain secrecy for any
   system which receives wide distribution.

1. D. Kahn, The Codebreakers, Macmillan Publishing Co., New York
(1967).

2. A. Kerckhoffs, La Cryptographie Militaire, Librairie Militaire de L.
Baudoin & Cie., Paris (1883).

3. J.H. Saltzer and M.D. Schroeder, "The Protection of Information in
Computer Systems," Proc. of the IEEE, Vol. 63(9), pp. 1278-1307
(September, 1975).