Kerckhoffs' Principle: Difference between revisions

From Citizendium
Both revisions compared here are by Sandy Harris. Edit summary of the earlier revision: (link). Edit summary of the later revision: (rewrite lede; see talk page). The comparison view starts at line 14 of the article source.

Earlier revision, line 14:

  | first = Fabien | last = Peticolas
}}</ref>,
he stated six axioms of [[cryptography]]. Some are no longer relevant given the ability of computers to perform complex encryption, but the second is the most critical, and, perhaps, counterintuitive.

{{cquote|Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.}}
{{cquote|The method must not need to be kept secret, and having it fall into the enemy's hands should not cause problems.}}

Another English formulation
<ref>{{citation
  | url = http://www.quadibloc.com/crypto/mi0611.htm
  | contribution = The Ideal Cipher

Earlier revision, line 26:

  | first = John J. G. | last = Savard
}}</ref>
is:
{{cquote|If the '''method''' of encipherment becomes known to one's adversary, this should not prevent one from continuing to use the cipher as long as the '''key remains unknown'''}}
The same principle is sometimes called "Shannon's Maxim" after [[Claude Shannon]] who formulated it as:
{{cquote|The enemy knows the system.}}
A Cold War formulation was:
<ref name=Bellovin>{{citation
| url = http://catless.ncl.ac.uk/Risks/25.71.html
| contribution = Security through obscurity
| title = Risks Digest
| first = Steve | last = Bellovin
| date = June, 2009
}}</ref>
{{cquote|A former official at NSA's National Computer Security Center told me that the standard assumption there was that serial number 1 of any new device was delivered to the Kremlin.}}
That is, the security should depend ''only'' on the secrecy of the key.

==Implications for analysis==

Later revision, line 14:

  | first = Fabien | last = Peticolas
}}</ref>,
he stated six axioms of [[cryptography]]. Some are no longer relevant given the ability of computers to perform complex encryption, but his second axiom, now known as '''Kerckhoffs' Principle''', is still critically important:

{{cquote|Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.}}
{{cquote|The method must not need to be kept secret, and having it fall into the enemy's hands should not cause problems.}}

The same principle is sometimes called '''Shannon's Maxim''' after [[Claude Shannon]] who formulated it as "'''The enemy knows the system.'''"

That is, the security should depend ''only'' on the secrecy of the key, ''not'' on the secrecy of the ''system''. Another English formulation is: "If the '''method''' of encipherment becomes known to one's adversary, this should not prevent one from continuing to use the cipher as long as the '''key remains unknown.'''" <ref>{{citation
  | url = http://www.quadibloc.com/crypto/mi0611.htm
  | contribution = The Ideal Cipher

Later revision, line 27:

  | first = John J. G. | last = Savard
}}</ref>

==Implications for analysis==

Revision as of 09:03, 23 May 2010

This article has a Citable Version.

In Auguste Kerckhoffs' [1] 1883 book, La Cryptographie Militaire [2], he stated six axioms of cryptography. Some are no longer relevant given the ability of computers to perform complex encryption, but his second axiom, now known as Kerckhoffs' Principle, is still critically important:

Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.
The method must not need to be kept secret, and having it fall into the enemy's hands should not cause problems.

The same principle is sometimes called Shannon's Maxim after Claude Shannon who formulated it as "The enemy knows the system."

That is, the security should depend only on the secrecy of the key, not on the secrecy of the system. Another English formulation is: "If the method of encipherment becomes known to one's adversary, this should not prevent one from continuing to use the cipher as long as the key remains unknown." [3]

Implications for analysis

Is your system secure when the enemy knows everything except the key? If not, then at some point it is certain to become worthless. Since a security analyst cannot know when that point might come, the analysis can be simplified to: "The system is insecure if it cannot withstand an attacker that knows all its internal details."

Any serious enemy — one with strong motives and plentiful resources — will learn all the other details. In war, the enemy will capture some of your equipment and some of your people, and will use spies. If your method involves software, enemies will do memory dumps, run it under the control of a debugger, and so on. If it is hardware, they will buy or steal some and build whatever programs or gadgets they need to test them, or dismantle them and look at chip details with microscopes. Or in any of these cases, they may bribe, blackmail or threaten your staff or your customers. One way or another, sooner or later they will know exactly how it all works.

From the defender's point of view, using secure cryptography is supposed to replace a difficult problem — keeping messages secure — with a much more manageable one — keeping relatively small keys secure. A system that requires long-term secrecy for something large and complex — the whole design of a cryptographic system — obviously cannot achieve that goal. It only replaces one hard problem with another.

Because of this, any competent person asked to analyse a system will first ask for all the internal details. An enemy will have them, so the analyst must have them too if the analysis is to make sense.

Cryptographers will generally dismiss out-of-hand any security claims made for any system whose internal details are kept secret. Without analysis, no system should be trusted. Without details, it cannot be properly analysed. If you want your system trusted — or even just taken seriously — the first step is to publish all the internal details. Of course, there are some exceptions; if a major national intelligence agency claims that one of their secret systems is secure, the claim will be taken seriously because they have their own cipher-cracking experts. However, no-one else making such a claim is likely to be believed.

Security through obscurity

Steve Bellovin writes:

The subject of security through obscurity comes up frequently. I think a lot of the debate happens because people misunderstand the issue.

It helps, I think, to go back to Kerckhoffs' second principle, translated as "The system must not require secrecy and can be stolen by the enemy without causing trouble" (per http://petitcolas.net/fabien/kerckhoffs/). Kerckhoffs said neither "publish everything" nor "keep everything secret"; rather, he said that the system should still be secure *even if the enemy has a copy*.

In other words -- design your system assuming that your opponents know it in detail. (A former official at NSA's National Computer Security Center told me that the standard assumption there was that serial number 1 of any new device was delivered to the Kremlin.) After that, though, there's nothing wrong with trying to keep it secret -- it's another hurdle factor the enemy has to overcome. (One obstacle the British ran into when attacking the German Enigma system was simple: they didn't know the unkeyed mapping between keyboard keys and the input to the rotor array.) But -- *don't rely on secrecy*.[4]

That is, "security through obscurity" does not work. Anyone who claims something is secure (except perhaps in the very short term) because its internals are secret is either clueless or lying, perhaps both. Such claims are one of the common indicators of cryptographic snake oil.
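The threat model in the analysis section and in Bellovin's note (the enemy has captured a unit and knows the method in full) can be made concrete in code. The Python below is an added example, not part of the Citizendium article or of Bellovin's post: it contrasts a toy "proprietary" cipher whose only secret is a substitution table baked into every unit with a toy keyed stream cipher built from HMAC-SHA256, and shows what the capture of a single unit yields against each. Both ciphers, the user names and the sample messages are constructed for this example; the keyed cipher is illustrative only and not a production design.

```python
# Added illustration (not from the Citizendium article): what "the enemy has
# serial number 1" costs a design whose only secret is the method, versus a
# design whose only secret is a per-user key. Both ciphers are toys
# constructed for this example; the keyed one is not a production cipher.
import hashlib
import hmac
import random
import secrets

# "Proprietary" cipher: a fixed byte-substitution table baked into every unit.
# The table is the whole method; there is no per-user key. (Constructed.)
_table = list(range(256))
random.Random(1883).shuffle(_table)
SECRET_TABLE = bytes(_table)


def obscure_encrypt(plaintext: bytes, table: bytes = SECRET_TABLE) -> bytes:
    """Substitute every byte through the (supposedly secret) table."""
    return bytes(table[b] for b in plaintext)


def obscure_decrypt(ciphertext: bytes, table: bytes) -> bytes:
    """Invert the table; anyone holding the table can do this."""
    inverse = bytes(table.index(i) for i in range(256))
    return bytes(inverse[b] for b in ciphertext)


# Keyed toy stream cipher: keystream block i = HMAC-SHA256(key, i). The
# construction is entirely public; only the 128-bit key is secret.
# (No nonce, no authentication: illustrative only.)
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


keyed_decrypt = keyed_encrypt  # XOR with the same keystream undoes it


def capture_one_unit_obscure() -> tuple[bytes, bytes]:
    """Attacker captures one unit and reads the table out of it (memory dump,
    debugger, microscope). Every other user's traffic is now readable: the
    residual secret is zero bits."""
    alice_ct = obscure_encrypt(b"attack at dawn")
    bob_ct = obscure_encrypt(b"retreat at dusk")
    extracted_table = SECRET_TABLE  # identical in every unit shipped
    return obscure_decrypt(alice_ct, extracted_table), obscure_decrypt(bob_ct, extracted_table)


def capture_one_unit_keyed() -> tuple[bytes, int]:
    """Attacker captures Alice's unit: learns the full algorithm and Alice's
    key. Bob's key is untouched, so Bob's traffic still costs the attacker the
    whole key space. Returns (Alice's recovered plaintext, bits of work left
    for Bob's traffic)."""
    alice_key, bob_key = secrets.token_bytes(16), secrets.token_bytes(16)
    alice_ct = keyed_encrypt(alice_key, b"attack at dawn")
    _bob_ct = keyed_encrypt(bob_key, b"retreat at dusk")  # still opaque to the attacker
    recovered = keyed_decrypt(alice_key, alice_ct)
    return recovered, 8 * len(bob_key)


if __name__ == "__main__":
    print("method-only secret, after capture:", capture_one_unit_obscure())
    print("per-user key, after capture:", capture_one_unit_keyed())
```

Running it shows the two outcomes side by side: once the table is extracted from one unit, every user's traffic decrypts with no further work, whereas extracting the algorithm and one key from a keyed unit leaves the other users' 128-bit keys as the remaining obstacle. The published-algorithm design is the one whose security actually reduces to "keep a small key secret", which is the substitution the article describes as the point of using cryptography at all.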

References

  1. Kahn, David (1996), The Codebreakers: The Story of Secret Writing, second edition, Scribners, p. 235.
  2. Petitcolas, Fabien, La Cryptographie Militaire.
  3. Savard, John J. G., The Ideal Cipher, A Cryptographic Compendium, http://www.quadibloc.com/crypto/mi0611.htm
  4. Bellovin, Steve (June 2009), Security through obscurity, Risks Digest, http://catless.ncl.ac.uk/Risks/25.71.html