Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.eng.convex.com!newshost.convex.com!news.duke.edu!news.mathworks.com!fu-berlin.de!news.dfn.de!uni-muenster.de!news
From: gutschk@uni-muenster.de (Markus Gutschke)
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Date: 03 Mar 1996 10:26:17 GMT
Organization: Markus Gutschke, Schlage 5a, 48268 Greven-Gimbte, Germany
Lines: 49
Message-ID: <GUTSCHK.96Mar3112617corpus@uni-muenster.de>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com> <y5ad974s4v4.fsf@graphics.cs.nyu.edu> <4gqf17$1lr@cynic.portal.ca> <1996Feb25.152559.8977@jarvis.cs.toronto.edu> <4gvchb$ln5@senator-bedfellow.MIT.EDU> <4h7rdd$qeu@park.uvsc.edu>
NNTP-Posting-Host: pppe187.uni-muenster.de
Mime-Version: 1.0 (generated by tm-edit 7.41)
Content-Type: text/plain; charset=US-ASCII
In-reply-to: Terry Lambert's message of 1 Mar 1996 21:49:33 GMT
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:92416 comp.os.linux.development.system:19457 comp.os.linux.networking:31905 comp.unix.bsd.bsdi.misc:2672 comp.unix.bsd.netbsd.misc:2480 comp.unix.bsd.freebsd.misc:15522

In article <4h7rdd$qeu@park.uvsc.edu> Terry Lambert <terry@lambert.org> writes:

> ghudson@mit.edu (Greg Hudson) wrote:
> ] Chris Colohan (colohan@eecg.toronto.edu) wrote:
> ] : 1. Security through obscurity. More people have access to the source
> ] : code for your OS, so there is a greater chance of someone finding a
> ] : security flaw and exploiting it before you can fix it.
> ]
> ] It's disappointing that some people still think that security through
> ] obscurity is a net gain.
>
> Public key cryptography (RSA, et. al.) is the ultimate in
> security through obscurity. People trust it every day.

I cannot really see why public key cryptography implies obscurity. The whole point of public keys is the fact that the algorithm and the encoding keys are public. The question whether public key encryption is secure is not related to it being public.

The security of RSA is based on the assumption that there is no good algorithm for factorizing large prime numbers. As it is so far impossible to *prove* whether this assumption is true, it is also impossible to say if RSA is really as secure as people believe it to be.

Of course there are plenty of poor implementations of encrypting algorithms. Even if you use something as good (?) as RSA or triple-DES (or preferably a combination of both) you can still mess up with the implementation of your code and effectively render the security void. A well-known example is Microsoft's problem with encrypting network passwords. In this case it would actually have helped if they had released the source code before distributing thousands of insecure copies, because people would then have been able to tell them that they screwed up :-)

Markus