[cryptography] real world illustrations of Kerckhoff's principle?

Ian G iang at iang.org
Wed Sep 8 19:35:56 EDT 2010

On 9/09/10 5:07 AM, Scott G. Kelly wrote:
> I'd like to create a convincing list of real-world examples of failures involving use of "secret" algorithms.

Unfortunately, the result may not be what you were hoping for :)

You're probably thinking of Kerckhoffs' *2nd* principle.  Back in 1883, 
he wrote the basic story for developing crypto systems for military 
affairs, and included 6 principles.

All 6 are important, and should be considered together.  Still true 
today.  If you don't consider them together, your system won't survive. 
If you cherry-pick, you'll likely take a wrong path;  it's a package, 
not a silver bullet.

K2 was reformulated as Shannon's maxim, being

     the enemy knows the system.

It's probably best to refer to Shannon's maxim, for two reasons. 
Firstly, this avoids misunderstandings of Kerckhoffs' principles 
(cherry-picking on K2).  Secondly, the basic maxim is commonly 
misunderstood to be "don't ever use a secret algorithm."

This is wrong.  Empirically, there are many cases where secret 
algorithms are employed successfully, and even broken.  GSM is a 
canonical case.  Its set of secret algorithms was broken in 1998 by 
Lucky Green (*).  Yet, even broken, the GSM phone system continued to 
defeat the designated enemy (&).  Even today, it still provides 
substantial protection against the enemies in the threat model, and 
(AFAIK) it's even possible to buy GSM crackers online for a few thousand.

The way out of this apparent contradiction is to understand what 
Kerckhoffs and Shannon were really saying:  don't rely *only* on the 
secrecy of the algorithm, assume the enemy can get it.

You can still use a secret algorithm ... but it should be part of an 
overall framework. For example, in military use, the secret algorithms 
are also coupled with guidelines as to the nature of the traffic that 
can be protected, and how long it has to be protected for.  "Tactical" 
communications tend to be of the order of 1 day.  If the attack orders are kept 
secret for 1 day, then the job is done, because the enemy knows after 
that, right?

So what's the point of keeping it secret?  If it isn't secret, everyone 
knows it.  But if it is secret, the enemy has to keep it secret too! 
This really slows down their use of it (consider that front line troops 
can no longer know about it, because front line troops get captured). 
Also, only the most sophisticated enemies will crack the secret, the 
less sophisticated will not. The former can be targeted with other 
systems, the latter can be nose-thumbed.

In commercial affairs, keeping the algorithm secret means that an 
attacker is dealing with a piece of property that leaves more tracks. 
This forces more risks, more liability on the attacker.  This can 
dramatically reduce the number of attackers.  Commercial attackers go 
where it's easiest and most economic, they're smart.  Forcing them to 
carry special kit with them ... is like forcing burglars to carry 
lock-picking tools, it's a guaranteed sentence.  No innocent defence 
possible.  Better to use a brick.

Also, it could well be that the only attackers of importance are 
economically minded.  This is why it works for GSM and Skype.  We just 
don't care if the NSA can crack these systems.

As a final footnote;  why is K2 so misused?  Why does everyone believe 
that Shannon's maxim means you must never use a secret algorithm?

The reason I think is serendipity.  It just happens to match the open 
source community's treasured concept of open source.  As the Internet is 
built on open source, the whole Internet community is politically 
aligned towards open source, now, then, always.  This is a good thing.

And that means open crypto algorithms.  Shannon's maxim gives the open 
source community a powerful weapon - a law from the sexy field of 
cryptography - to carry on their campaign for the open Internet.  It's 
completely uninteresting to them that they've misunderstood its 
application through gross simplicity.  It's too powerful, too sexy, too 
catchy to avoid abuse by over-extension.

> Can anyone help with pointers to particular cases?

Skype:     still secret today ...
GSM:       cracked in 1998, didn't worry it at all.
Netscape:  40 bit crypto crunched by a couple of bored students
            in 1997?, didn't slow down the web one iota.
Suite A:   so secret, we don't even know if it exists...
RC4:       reverse engineered as ARC4, still in use,
            by Skype for example!


(*) Lucky Green extracted the algorithms from the GSM phone, took about 
3 months of probing to extract all the bits out.  Then, the same couple 
of bored students as in the Netscape hack, Dave Warner and Ian Goldberg, 
gave him a hand and cracked the algorithms "in a day" or so the media 
said at the time...  Technically, not all of the algorithms were cracked, 
but that's mostly irrelevant to the story.

(&) The designated enemy for the GSM phone was twofold:  paparazzi 
listening to private calls (typically, secret affairs between notable 
people), and time-stealing by cloning the phone.  Both of these 
disappeared completely with the GSM.
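The core point of the message above, that the maxim says "don't rely *only* on the secrecy of the algorithm, assume the enemy can get it," can be made concrete with a small model. What follows is an added illustration, not code from the post or from any of the systems it mentions (GSM, Skype, RC4). It builds two toy systems from the same byte-substitution design: one whose only secret is a hard-coded seed (the "secret algorithm" case), and one whose design is public and whose only secret is a key. It then hands the adversary the full design, as Shannon's maxim assumes, and counts how much work remains in each case. All seeds, keys, messages and the design identifier are constructed values; the substitution itself is a toy and would fall to frequency analysis, which is beside the point here.

```python
"""Toy model of Shannon's maxim ("the enemy knows the system").

Two toy systems built from the same byte-substitution design:
  * the "secret algorithm" system, whose only secret is a hard-coded seed
    the designer hopes nobody ever extracts;
  * the keyed system, whose design is public and whose only secret is a key.
Neither is a real cipher (one substitution table falls to frequency
analysis); the point is where the secret lives and how much search is left
once the design leaks. Everything below is a constructed example.
"""
import hashlib
import itertools
from typing import List, Optional, Tuple


def _stream(seed: bytes, nbytes: int) -> bytes:
    """Deterministic byte stream: SHA-256 over seed || 32-bit counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def table_from_seed(seed: bytes) -> List[int]:
    """Fisher-Yates shuffle of 0..255 driven by the seeded stream (toy)."""
    table = list(range(256))
    rnd = _stream(seed, 2 * 256)
    for i in range(255, 0, -1):
        j = int.from_bytes(rnd[2 * i:2 * i + 2], "big") % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def invert(table: List[int]) -> List[int]:
    inv = [0] * 256
    for i, v in enumerate(table):
        inv[v] = i
    return inv


def substitute(table: List[int], data: bytes) -> bytes:
    return bytes(table[b] for b in data)


# --- system 1: the algorithm itself is the secret (constructed seed) ---
SECRET_ALGORITHM_SEED = b"constructed: burned into firmware, never published"


def secret_alg_encrypt(msg: bytes) -> bytes:
    return substitute(table_from_seed(SECRET_ALGORITHM_SEED), msg)


def break_secret_alg_with_design(ct: bytes) -> Tuple[bytes, int]:
    """Adversary has extracted the design (the seed, hence the table).
    Nothing is left to search: one trial recovers the plaintext."""
    return substitute(invert(table_from_seed(SECRET_ALGORITHM_SEED)), ct), 1


# --- system 2: public design, secret key (constructed design identifier) ---
PUBLIC_DESIGN_ID = b"toy-substitution-v1"  # printed in the manual


def keyed_encrypt(key: bytes, msg: bytes) -> bytes:
    return substitute(table_from_seed(PUBLIC_DESIGN_ID + b"|" + key), msg)


def keyed_decrypt(key: bytes, ct: bytes) -> bytes:
    return substitute(invert(table_from_seed(PUBLIC_DESIGN_ID + b"|" + key)), ct)


def break_keyed_with_design(ct: bytes, crib: bytes,
                            key_len: int) -> Tuple[Optional[bytes], int]:
    """Adversary has the full design and a known plaintext prefix (crib)
    but not the key: the remaining work is a search over 256**key_len keys.
    Returns (recovered_key, trials)."""
    trials = 0
    for cand in itertools.product(range(256), repeat=key_len):
        key = bytes(cand)
        trials += 1
        if keyed_encrypt(key, crib) == ct[:len(crib)]:
            return key, trials
    return None, trials


if __name__ == "__main__":
    msg = b"ATTACK AT DAWN"
    pt, n = break_secret_alg_with_design(secret_alg_encrypt(msg))
    print(f"secret-algorithm system, design leaked: {pt!r} after {n} trial(s)")
    key = b"\xc3"  # 8-bit key keeps the demo fast; work grows as 256**key_len
    rec, n = break_keyed_with_design(keyed_encrypt(key, msg), msg[:8], 1)
    print(f"keyed system, design leaked: key {rec!r} after {n} trial(s)")
```

Read against the post: the secret-seed system is not useless before the leak (the adversary must first do the extraction work the footnote describes for GSM), but after the leak its residual security is zero, whereas the keyed system keeps a search cost set by the key length. Combining the two, a keyed system whose design is also kept quiet, is the "part of an overall framework" reading of K2 the post argues for.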
