Security through obscurity
In an 1883 article in the Journal des Sciences Militaires, Auguste Kerckhoffs defined six principles that a secure communication system should follow. Despite the considerable changes in technology, these principles are still as valid today as they were in the nineteenth century. The second of these principles is widely known today as "Kerckhoffs' Principle," and is often stated as the rule that the strength of a cryptographic system should rely only on the secrecy of the cryptographic key. Kerckhoffs' original statement, however, was more general than this, and deserves revisiting by many users of security technologies.
Kerckhoffs stated his second principle as "Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi," which can be translated roughly as "It must not require secrecy, and it must be able to fall into the enemy's hands without inconvenience." So even if hackers know everything about your system, including the algorithm itself, any encrypted data they manage to get will be useless to them as long as they don't have the cryptographic keys, because they won't be able to unscramble it.
In a more general sense, a hacker should be able to know everything about your security systems and still be unable to defeat them unless he knows the secrets that you use to identify authorized users. Those secrets could be encryption keys, but they could just as easily be other secret information, like a password. So a good security architecture should always be designed under the assumption that attackers will know everything about the architecture except the secret authentication information. This certainly includes assuming that attackers know what they're attacking. So "security through obscurity" is bad, and has been known to be bad for 125 years.
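The attacker model described above can be made concrete. The following is an added example, not code from the original article: it puts a constructed "obscurity" token scheme, whose only protection is that nobody is supposed to know the recipe, next to a keyed scheme (HMAC-SHA256 from the Python standard library) whose algorithm is fully public and whose only secret is a server-side key. The attacker is then given exactly what Kerckhoffs assumes: the complete source of both schemes, and the ability to submit tokens to the server, but never the key. The usernames and the "|v1-prod" suffix are invented for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- Scheme A: "security through obscurity" ------------------------------
# The token is a fixed, unkeyed transformation of the username. Its only
# protection is that nobody outside the team is supposed to know the recipe.
# (Constructed example; not a scheme from any real product.)
SECRET_SUFFIX = "|v1-prod"   # baked into the code, so not a secret once the code is known


def obscure_token(username: str) -> str:
    raw = (username[::-1] + SECRET_SUFFIX).encode()
    return base64.urlsafe_b64encode(raw).decode()


def obscure_verify(username: str, token: str) -> bool:
    return hmac.compare_digest(obscure_token(username), token)


# --- Scheme B: Kerckhoffs-compliant -------------------------------------
# The algorithm (HMAC-SHA256 over the username) is public. The only secret is
# the key, which lives on the server and is generated at deploy time.
def new_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_token(key: bytes, username: str) -> str:
    mac = hmac.new(key, username.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def keyed_verify(key: bytes, username: str, token: str) -> bool:
    return hmac.compare_digest(keyed_token(key, username), token)


# --- Attacker model -------------------------------------------------------
# The attacker has read all of the code above (Kerckhoffs' assumption) and can
# submit tokens to the server's verify function, but never sees the key.
def attack_obscure(target: str) -> bool:
    # Knowing the recipe *is* knowing the secret: the forgery is immediate.
    forged = obscure_token(target)
    return obscure_verify(target, forged)


def attack_keyed(server_key: bytes, target: str, guesses: int = 10_000) -> bool:
    # Knowing the algorithm buys nothing; the attacker is reduced to guessing
    # 256-bit keys and asking the server whether each resulting token is valid.
    for _ in range(guesses):
        guess = secrets.token_bytes(32)
        if keyed_verify(server_key, target, keyed_token(guess, target)):
            return True
    return False


def run_demo() -> dict:
    key = new_key()
    return {
        "obscure_forged": attack_obscure("admin"),   # recipe known -> forged
        "keyed_forged": attack_keyed(key, "admin"),  # key unknown -> not forged
        "keyed_legit_accepted": keyed_verify(key, "admin", keyed_token(key, "admin")),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the example is the attacker model, not the token format: a real session token would also carry an expiry and be bound to more than a username. What the comparison shows is that once the assumption "the attacker knows the design" is applied, scheme A has no secret left at all, while scheme B loses nothing, which is exactly the property Kerckhoffs was asking for.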
This principle seems to have been forgotten by many IT departments, who all too often require security vendors to agree to extremely draconian terms of secrecy in contracts for buying their products. This unnecessary secrecy clearly violates the tried-and-true principles that Kerckhoffs laid down in 1883, but it also causes considerable inefficiency in the information security market. This benefits neither security vendors nor their customers.
Knowing the quality of goods before they're purchased is important to the efficient operation of a market, and uncertainty in this area can cause the market itself to fail. Understanding the consequences of such uncertainty is so important that economist George Akerlof was awarded the Nobel Prize in Economics in 2001 for his analysis of how it can adversely affect markets. If market forces are left unchecked, quality uncertainty can even drive high-quality products from the market and leave only low-quality products at high prices.
Withholding information about what security products are used and the experiences that users have had with them is almost certainly a way to increase the quality uncertainty associated with these products, so it's also probably a step towards the failed markets that Akerlof described.
It benefits everyone if the quality of products is freely known. Users of security products benefit because they will more easily be able to avoid low-quality products and avoid pitfalls with the products that they have already deployed. It's tougher on the vendors of security products, because exposing the weaknesses in their products will cause additional work, and they will be more motivated to create more robust products and to fix existing problems in their shipping products.
On the other hand, the gains from more information about the quality of products should also benefit the vendors, at least those who make robust products. A significant part of the cost of enterprise security products is due to the long and expensive sales cycle that they require, and this cycle could almost certainly be reduced in both length and cost if more information was available to potential customers. If more information about the quality of security products was widely available, the cost of sales could be much lower, so the additional effort required to develop more robust products would probably be paid for through lower expenses that security vendors would experience.
So if you're one of those organizations that require security vendors to agree to complete secrecy about the fact that you've purchased and deployed their products, you might want to reconsider your policies in this area. In addition to ignoring best practices that have withstood 125 years of scrutiny, you are not really getting any additional security by doing this. And by restricting the flow of information about the quality of security products, you are contributing to a situation that makes things worse for both security vendors and users of security technologies. Security through obscurity has never been a good idea, and it still isn't a good idea today.