[cryptography] real world illustrations of Kerckhoff's principle?
iang at iang.org
Wed Sep 8 19:35:56 EDT 2010
On 9/09/10 5:07 AM, Scott G. Kelly wrote:
> I'd like to create a convincing list of real-world examples of failures involving use of "secret" algorithms.
Unfortunately, the result may not be what you were hoping for :)
You're probably thinking of Kerckhoffs' *2nd* principle. Back in 1883,
he wrote the basic story for developing crypto systems for military
affairs, and included 6 principles.
All 6 are important, and should be considered together. Still true
today. If you don't consider them together, your system won't survive.
If you cherry-pick, you'll likely take a wrong path; it's a package,
not a silver bullet.
K2 was reformulated as Shannon's maxim, being
the enemy knows the system.
It's probably best to refer to Shannon's maxim, for two reasons.
Firstly, this avoids misunderstandings of Kerckhoffs' principles
(cherry-picking on K2). Secondly, the basic maxim is commonly
misunderstood to be "don't ever use a secret algorithm."
This is wrong. Empirically, there are many cases where secret
algorithms are employed successfully, and even broken. GSM is a
canonical case. Its set of secret algorithms was broken in 1998 by
Lucky Green (*). Yet, even broken, the GSM phone system continued to
defeat the designated enemy (&). Even today, it still provides
substantial protection against the enemies in the threat model, and
(AFAIK) it's even possible to buy GSM crackers online for a few thousand.
The way out of this apparent contradiction is to understand what
Kerckhoffs and Shannon were really saying: don't rely *only* on the
secrecy of the algorithm, assume the enemy can get it.
You can still use a secret algorithm ... but it should be part of an
overall framework. For example, in military use, the secret algorithms
are also coupled with guidelines as to the nature of the traffic that
can be protected, and how long it has to be protected for. "Tactical"
communications tend to be of the order of 1 day. If the attack orders are kept
secret for 1 day, then the job is done, because the enemy knows after
So what's the point of keeping it secret? If it isn't secret, everyone
knows it. But if it is secret, the enemy has to keep it secret too!
This really slows down their use of it (consider that front line troops
can no longer know about it, because front line troops get captured).
Also, only the most sophisticated enemies will crack the secret, the
less sophisticated will not. The former can be targeted with other
systems, the latter can be nose-thumbed.
In commercial affairs, keeping the algorithm secret means that an
attacker is dealing with a piece of property that leaves more tracks.
This forces more risks, more liability on the attacker. This can
dramatically reduce the number of attackers. Commercial attackers go
where it's easiest and most economic; they're smart. Forcing them to
carry special kit with them ... is like forcing burglars to carry
lock-picking tools; it's a guaranteed sentence. No innocent defence
possible. Better to use a brick.
Also, it could well be that the only attackers of importance are
economically minded. This is why it works for GSM and Skype. We just
don't care if the NSA can crack these systems.
As a final footnote; why is K2 so misused? Why does everyone believe
that Shannon's maxim means you must never use a secret algorithm?
The reason I think is serendipity. It just happens to match the open
source community's treasured concept of open source. As the Internet is
built on open source, the whole Internet community is politically
aligned towards open source, now, then, always. This is a good thing.
And that means open crypto algorithms. Shannon's maxim gives the open
source community a powerful weapon - a law from the sexy field of
cryptography - to carry on their campaign for the open Internet. It's
completely uninteresting to them that they've misunderstood its
application through gross simplicity. It's too powerful, too sexy, too
catchy to avoid abuse by over-extension.
> Can anyone help with pointers to particular cases?
Skype: still secret today ...
GSM: cracked in 1998, didn't worry it at all.
Netscape: 40 bit crypto crunched by a couple of bored students
in 1997?, didn't slow down the web one iota.
Suite A: so secret, we don't even know if it exists...
RC4: reverse engineered as ARC4, still in use,
by Skype for example!
(*) Lucky Green extracted the algorithms from the GSM phone, took about
3 months of probing to extract all the bits out. Then, the same couple
of bored students as in the Netscape hack, Dave Warner and Ian Goldberg,
gave him a hand and cracked the algorithms "in a day" or so the media
said at the time... Technically, not all of the algorithms were cracked,
but that's mostly irrelevant to the story.
(&) The designated enemy for the GSM phone was twofold: paparazzi
listening to private calls (typically, secret affairs between notable
people), and time-stealing by cloning the phone. Both of these
disappeared completely with the GSM.