Move on, there’s nothing to see! or why “security by obscurity” is not a solution

We don’t know what’s hidden in the obscurity.
David Lynch

At the end of the 19th century, Auguste Kerckhoffs published the principles of military cryptography [01]. In this document (accessible on the Web for free), we learn that an encryption system can be known by the enemy and its security must be based on the non-disclosure (and unlimited change) of the keys used to configure the system.

Appendix B1 of the RGS (Référentiel Général de Sécurité, that is, General Security Repository) of the ANSSI (French National Cybersecurity Agency) [02] does not directly mention the Kerckhoffs principle above, but recommendations “RecomAlgoBloc-1” and “RecomChiffFlot-2” suggest it from my point of view: “it is recommended to use algorithms […] that have been widely tested in the academic environment”. Indeed, these two recommendations clearly state that it is mandatory to use systems studied by the community and I would also add that particular attention must be paid to the keys used (their life cycle and, in particular, their generation and use).
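To make the contrast concrete, here is an added example (not from the original article or from any product it mentions): a keyless "secret recipe" integrity tag next to HMAC-SHA256, a public and widely studied algorithm whose only secret is a randomly generated, replaceable key. The names `obscure_tag`, `obscure_verify` and `KeyRing`, and the recipe itself, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Obscurity: the whole "secret" is this recipe (constructed for illustration).
# It ships in every copy of the product, so whoever reads the code can produce
# valid tags, and there is no key to change once that happens.
def obscure_tag(message: bytes) -> bytes:
    return hashlib.sha256(message[::-1] + b"\x5a").digest()[:8]

def obscure_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)

# Kerckhoffs: the algorithm (HMAC-SHA256) is public; security rests on keys
# that are generated randomly, kept private and replaced whenever needed.
class KeyRing:
    def __init__(self):
        self._keys = {}      # key id -> key bytes
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Generation: fresh 256-bit key from the OS CSPRNG becomes current."""
        self.current += 1
        self._keys[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, key_id: int) -> None:
        """End of life: tags made under this key stop verifying."""
        self._keys.pop(key_id, None)

    def tag(self, message: bytes):
        """Use: return (key id, tag) computed under the current key."""
        key = self._keys[self.current]
        return self.current, hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, key_id: int, tag: bytes) -> bool:
        key = self._keys.get(key_id)
        if key is None:      # unknown or retired key
            return False
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison
```

Knowing the HMAC construction gives no ability to produce a tag that `KeyRing.verify` accepts, and a suspected key exposure is handled with `rotate()` and `retire()` rather than by redesigning the system.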

The principle mentioned above can be generalized to all security products. Indeed, it is preferable to communicate (at the developer’s discretion of course) how security is ensured without revealing any trade secrets or keys.

I would actually tend to trust a product that clearly specifies the cryptographic primitive used to provide a service that ensures confidentiality and/or integrity, rather than a product which does not specify the algorithm used or uses an “exotic” or modified algorithm. Personally, “black box” products have never inspired much confidence in me…

For example, Systancia’s IPdiva Secure product is a cybersecurity solution that provides secure access to the resources of an information system for all types of users (traveling or telecommuting employees, service providers, third parties, etc.). Systancia’s solution has been qualified, in the technical field of “identification, authentication and access control”, by the ANSSI ([03]) following a certification issued after an evaluation carried out by an independent, accredited and competent laboratory. In summary, the level of security and confidence of this solution has been verified.

The first step of the security evaluation of IPdiva Secure consisted of validating that known vulnerabilities or attacks did not make the solution fail. In a second step, the evaluator checked whether the product suffered from unknown vulnerabilities within the time available to him (undiscovered vulnerabilities at time t). In addition to these studies, as a third step, a dedicated expert assessment of the cryptographic mechanisms was also carried out, in accordance with the RGS of the ANSSI.

To summarize, the security evaluation has validated the compliance and effectiveness of the IPdiva Secure solution in an operational context provided that the recommendations are respected. The IPdiva Secure solution has therefore been “tested” by an independent laboratory, recognized and above all approved by the ANSSI. In particular, Systancia provided this laboratory and the ANSSI with the implementation of its cryptographic mechanisms, which was subjected to a dedicated expert assessment (including a code analysis from a functional and compliance perspective).

To conclude, I do not advocate that any security product should reveal its source code (industrial or other confidentiality needs in some cases). It must be possible to obtain its internal functioning in terms of security, at least by an accredited laboratory so that it can carry out expertise work in total independence. Security by obscurity has clearly never been successful.

Antoine COUTANT – Chief Cybersecurity Officer

References

[01] Military Cryptography, Auguste Kerckhoffs, Journal of Military Science, January 1883

[02] Référentiel Général de Sécurité version 2.0 – Annexe B1, version 2.03 from 02/21/2014

[03] Feedback on the ANSSI’s qualification of IPdiva Secure, Antoine Coutant, March 2018, https://www.systancia.com/en/feedback-on-the-anssis-qualification-of-ipdiva-secure-8/