Gaming security by obscurity

Dusko Pavlovic

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    13 Citations (Scopus)
    45 Downloads (Pure)


    Shannon sought security against the attacker with unlimited computational powers: if an information source conveys some information, then Shannon's attacker will surely extract that information. Diffie and Hellman refined Shannon's attacker model by taking into account the fact that the real attackers are computationally limited. This idea became one of the greatest new paradigms in computer science, and led to modern cryptography. Shannon also sought security against the attacker with unlimited logical and observational powers, expressed through the maxim that "the enemy knows the system". This view is still endorsed in cryptography. The popular formulation, going back to Kerckhoffs, is that "there is no security by obscurity", meaning that the algorithms cannot be kept obscured from the attacker, and that security should only rely upon the secret keys. In fact, modern cryptography goes even further than Shannon or Kerckhoffs in tacitly assuming that if there is an algorithm that can break the system, then the attacker will surely find that algorithm. The attacker is not viewed as an omnipotent computer any more, but he is still construed as an omnipotent programmer. The ongoing hackers' successes seem to justify this view. So the Diffie-Hellman step from unlimited to limited computational powers has not been extended into a step from unlimited to limited logical or programming powers. Is the assumption that all feasible algorithms will eventually be discovered and implemented really different from the assumption that everything that is computable will eventually be computed? The present paper explores some ways to refine the current models of the attacker, and of the defender, by taking into account their limited logical and programming powers. If the adaptive attacker actively queries the system to seek out its vulnerabilities, can the system gain some security by actively learning attacker's methods, and adapting to them?
    Original languageEnglish
    Title of host publicationNSPW '11
    Subtitle of host publicationNew Security Paradigms Workshop
    Place of PublicationNew York, NY
    PublisherAssociation for Computing Machinery (ACM)
    Number of pages16
    ISBN (Print)978-1-4503-1078-9
    Publication statusPublished - Sep 2011
    Event2011 New Security Paradigms Workshop, NSPW 2011 - Marin County, United States
    Duration: 12 Sep 201115 Sep 2011


    Workshop2011 New Security Paradigms Workshop, NSPW 2011
    Abbreviated titleNSPW
    CountryUnited States
    CityMarin County


    • SCS-Cybersecurity
    • Security by obscurity
    • Kerckhoffs principle
    • Cyber security
    • Algorithmic information
    • Logical complexity
    • Game of incomplete information

    Fingerprint Dive into the research topics of 'Gaming security by obscurity'. Together they form a unique fingerprint.

    Cite this