Talk:Kerckhoffs's principle
This article is rated Start-class on Wikipedia's content assessment scale.
Nitpick
A nit, but a philosophically important one. In his law, K noted something, which happens to be true about crypto use and about what its users should assume about the threat environment and how they can / should best respond. It is only because this is true that 'the majority of civilian crypto...'. It is not because of his statement of it. One might equally say the same thing about Shannon's Maxim, and be equally skew to the actual situation.
It is this, among many related points, that I'm struggling with at crypt engineering and crypto system. That's why they've been under construction for so long. ww 16:09, 17 Apr 2004 (UTC)
- OK, I've gone with "In accordance with", not "because of". Note that here (and presumably cryptoengineering and cryptosystem), we cannot assert that Kerckhoffs' law is true because of NPOV, even if we think it is. — Matt 16:39, 17 Apr 2004 (UTC)
I've never heard of this principle referred to as a "law", except in Wikipedia (and I just checked three different independently-authored crypto books). I've heard of the circuit-theoretic "Kirchhoff's laws", but I've never heard the term used in cryptology. I think the author of the article was confused, and I think this article should probably be renamed as "Kerckhoff's principle" (or, alternatively, "Kerckhoff's assumption"). -- Wonderstruck 05:26, 17 May 2006 (UTC)
- I think you might be right. — Matt Crypto 20:41, 18 May 2006 (UTC)
- Ok, I've moved the article to "Kerckhoffs' principle". I chose "principle" over "assumption" to be consistent with the corresponding non-English articles. Wonderstruck 07:28, 12 June 2006 (UTC)
Secret cryptosystems
I removed the following text from the article, which was added by 85.178.217.26 on 7 July 2006:
It's possible to have a secret cryptosystem while still reaping the benefits of public cryptography research: make a non-weakening change to a public algorithm, like changing the Nothing up my sleeve numbers, or, in the case of Symmetric-key algorithms, chaining the public cipher with an unrelated secret cipher.
I have a few problems with this paragraph:
- The paragraph's wording is confusing:
  - "chaining" is easily confused with cipher block chaining (the technique this paragraph refers to is called "cascading");
  - "public algorithm/cipher" is easily confused with public-key cryptography; and
  - "secret cipher" is easily confused with secret-key cryptography.
- The claim that making "non-weakening" private modifications to published algorithms allows one to "[reap] the benefits of public cryptography research" is controversial if not factually incorrect:
  - Schneier's Law makes this form of security through obscurity likely to be ineffective, since the people making the modifications are unlikely to know what modifications are "non-weakening".
  - It is well-established that small changes to an algorithm can have a large impact on its security. For example:
    - SHA-1:
      "SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security."
    - The resistance of DES to differential cryptanalysis:
      "It was noted by Bamford in Puzzle Palace that DES is surprisingly resilient to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible"
- The paragraph advocates cascading published and unpublished ciphers:
  - Dealing with multiple encryption algorithms is error prone. In this example, if you use identical or related keys for both the published and unpublished ciphers, you risk having one of the ciphers (or the interaction of both ciphers) leak information about the key. A similar problem occurred with GSM. Quoting the article on A5/1:
    "In 2003, Barkan et al published several attacks on GSM encryption. The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm."
  - Cascades do not necessarily add security, and can reduce it. Furthermore, if the security of the published algorithms isn't enough for you (the U.S. government has certified AES for protecting TOP SECRET information, for example), then adding more cryptography probably isn't the solution to your problem. [1]
  - Cascades add complexity, and complexity is the worst enemy of security.
For at least those reasons, I think the paragraph I removed should stay removed.
-- Wonderstruck 11:52, 13 February 2007 (UTC)
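The "identical or related keys" hazard raised in the post above has a standard mitigation: if a design does cascade two ciphers, every layer gets its own key, derived from one master secret with a key derivation function and a distinct label per layer. The code below is an added example written for this page, not text from the talk page or from any Wikipedia article; it implements HKDF as specified in RFC 5869 on top of Python's standard library, and the layer names and the `cascade-layer:` label prefix are assumptions chosen for illustration.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC(salt, IKM).
    An empty salt is replaced by a string of HashLen zero bytes, as the RFC requires."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3):
    T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated to `length`."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested key material too long for this hash")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_cascade_keys(master_secret: bytes, salt: bytes, layers, key_len: int = 32) -> dict:
    """One independent key per cascade layer.  The label bound into `info`
    guarantees that no two layers receive identical or related key material
    even though all of them derive from the same master secret.
    (`layers` is a list of assumed, illustrative layer names.)"""
    prk = hkdf_extract(salt, master_secret)
    return {
        name: hkdf_expand(prk, b"cascade-layer:" + name.encode("utf-8"), key_len)
        for name in layers
    }


if __name__ == "__main__":
    # Constructed sample inputs; a real master secret comes from a key exchange or a KMS.
    keys = derive_cascade_keys(b"constructed master secret", b"constructed salt",
                               ["published-cipher", "private-cipher"])
    for name, key in keys.items():
        print(f"{name}: {key.hex()}")
```

Deriving the per-layer keys this way addresses only the key-relatedness problem the post describes; it does nothing about the other objections (added complexity, and cascades not necessarily adding security).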
New Research?
I saw this tidbit on the article that I think should be removed or at least completely reworked because they compromise new research.
It is worth expanding on what Schneier means by brittleness: after all, any security system depends crucially on keeping some things secret. What Schneier means is that the things which are kept secret ought to be those which are least costly to change if inadvertently disclosed. A cryptographic algorithm may be implemented by hardware and software which is widely distributed among its users; if security depended on keeping that secret, then disclosure would lead to major logistic headaches in developing, testing and distributing implementations of a new algorithm. Whereas if the secrecy of the algorithm were not important, but only that of the keys used with the algorithm, then disclosure of the keys would require the much less arduous process of generating and distributing new keys.
- I agree that original research is against Wikipedia policy (WP:OR) -- such things belong elsewhere, perhaps on Cryptodox.
- However, explaining a pithy quote doesn't count as original research.
- Do you think this text says things that are not implied by that pithy quote? Or worse, that Schneier would not agree with this text?
- I think I'll change the tone of this text -- making it make a bunch of (hopefully verifiable) statements about Kerckhoff's principle, and then use Schneier as a reference, rather than trying to dissect "what Schneier means", which is already one step removed from the subject. --68.0.124.33 (talk) 03:31, 3 September 2008 (UTC)
Grammar
Move to rename article "Kerckhoffs's Principle" to more accurately portray ownership. —Preceding unsigned comment added by 69.199.23.90 (talk • contribs) 21:22, 26 June 2009
- I agree. This is a principle formulated by a guy named Kerckhoffs. It is not a principle formulated by several entities called Kerckhoff. Noel Bush (talk) 19:40, 27 September 2010 (UTC)
- And here are several sources supporting the use of the grammatically correct designation:
- Noel Bush (talk) 19:52, 27 September 2010 (UTC)
- There seems to be no active objection to this fix, so I will go ahead and make it. Noel Bush (talk) 05:29, 29 September 2010 (UTC)
"New evidence that renders Kerckhoff Principle outmoded" in a global environment where analog life is "re-directed" by overwhelming frequency of digital communications will be added in-due-time. Bobkiger (talk) 18:17, 2 October 2011 (UTC)Bobkiger
Umm, could we then at least correctly respect the rules of English for possessive nouns? It is correct that the person is called "Kerckhoffs", but that means you just add an apostrophe, not a catastrophe (which adding a full 's to a name ending in 's' really is). I cannot change the title, lowly contributor as I am, but I really recommend you correct this ASAP. — Preceding unsigned comment added by Cheros (talk • contribs) 10:25, 29 April 2014 (UTC)
- You are referring to local rules. WP respects retaining variant in place. I reverted your edit. —Quondum 13:17, 29 April 2014 (UTC)
- WP does respect retaining the current variant, but MOS:POSS also says "Apply just one of these two practices consistently within an article." If we are going to use "Kerckhoffs's" in the title then there are multiple "Kerckhoffs'" in the text which need to be changed. Especially Lime (talk) 09:15, 8 August 2016 (UTC)
- Sorry, looking at the history, I see that the possessive used in the body of the text was changed again after that discussion by an anonymous user. I'll revert that for consistency with the article title. Especially Lime (talk) 09:25, 8 August 2016 (UTC)
Generalization to include randomizer data in the principle
I came across a generalization (James L. Massey, Cryptography: Fundamentals and Applications, course notes 1993, page 2.5): "Kerckhoffs' Principle (Auguste Kerckhoffs 1935-1903): The cipher should be designed so as to be secure when the enemy cryptanalyst knows all the details of the enciphering process and deciphering process except for the values of the secret key and private randomizer." While Massey stated it as though the final part (about the private randomizer) was part of Kerckhoffs's principle, it seems that this is not the case, and the Wikipedia article is thus accurate in this respect. Nevertheless, it is evident (to me, at least) that Massey's generalization is valid. It is even implicit in the sentence (under "Explanation of the principle"): "Another way of putting it is that a method of secretly coding and transmitting information should be secure even if everyone knows how it works." For example, consider the DH (Diffie-Hellman) protocol: there is no secret other than the private randomizers and of course the shared secret output of the DH protocol; the security of the protocol critically depends on this secrecy. So, in a sense, Kerckhoffs's principle would be more complete with some statement along the lines given by Massey about the secure random number sources that are integral to so many modern cryptographic protocols. Is there support for the addition of a section mentioning this generalization (or alternately the explicit generalization of the concept "key" to include private randomizer data), or is the article's focus too "historical" for this? Quondum (talk) 14:10, 7 March 2011 (UTC)
- As there has been no comment, I have now added a minor change to reflect what I believe is a more rigorous statement of the intent of the principle; others may choose to rephrase what I inserted to note that this may have not been historically recognised. Quondum (talk) 12:04, 17 July 2011 (UTC)
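The Diffie-Hellman illustration in the thread above can be made concrete: every parameter of the exchange is public, and the only secrets are the two private randomizers. The following is an added example written for this page (not code from the talk page, from Massey's notes or from any Wikipedia article). It uses a toy group chosen for this example, the Mersenne prime 2^61 - 1 with generator 3, which is an assumption made so the code runs stand-alone; real deployments use standardized groups or elliptic curves. It also goes slightly beyond the thread's point by showing the failure mode that motivates Massey's wording: when the "private randomizer" is predictable, an observer holding only the public transcript recomputes the shared secret.

```python
import random
import secrets

# Toy group, constructed for this example: p = 2^61 - 1 (a Mersenne prime), g = 3.
# Everything here is public; per Kerckhoffs's principle the design hides nothing.
P = (1 << 61) - 1
G = 3


def dh_keypair(rand_below):
    """Draw a private randomizer x in [2, p-2] and publish g^x mod p.
    `rand_below(n)` must return an integer in [0, n); it is the only secret input."""
    x = 2 + rand_below(P - 3)
    return x, pow(G, x, P)


def shared_secret(my_private: int, their_public: int) -> int:
    """Each side computes g^(ab) mod p from its own randomizer and the other's public value."""
    return pow(their_public, my_private, P)


def run_exchange(rand_below):
    """One exchange: Alice draws first, Bob second, from the same randomizer source.
    Returns the public transcript (A, B) an eavesdropper sees, plus each party's
    derived secret (returned only so the result can be checked)."""
    a, A = dh_keypair(rand_below)
    b, B = dh_keypair(rand_below)
    return (A, B), shared_secret(a, B), shared_secret(b, A)


def honest_exchange_agrees() -> bool:
    """With an unpredictable private randomizer (the secrets module) the two
    parties agree on a secret while the transcript alone gives the observer nothing."""
    _, alice, bob = run_exchange(secrets.randbelow)
    return alice == bob


def predictable_randomizer_leaks(seed: int, observer_seed: int = None) -> bool:
    """Failure mode: the 'private randomizer' is a seeded PRNG (constructed weakness).
    An observer who knows the seed replays Alice's first draw, recovers x, and
    computes the shared secret from Bob's public value alone.  With a different
    guess for the seed the observer fails, which is what the return value reports."""
    transcript, alice, _ = run_exchange(random.Random(seed).randrange)
    _, B = transcript
    guess = seed if observer_seed is None else observer_seed
    observer_x = 2 + random.Random(guess).randrange(P - 3)   # replays Alice's draw
    return pow(B, observer_x, P) == alice


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange_agrees())
    print("predictable randomizer leaks the secret:", predictable_randomizer_leaks(20110307))
```

The `honest_exchange_agrees` path is the ordinary protocol; the second function is the check a reviewer would run against a randomizer source, and it is why Massey lists the private randomizer next to the key as the only things that must stay secret.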
Requested move
- The following discussion is an archived discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.
The result of the move request was: page moved. NW (Talk) 14:52, 9 October 2011 (UTC)
Kerckhoffs's Principle → Kerckhoffs's principle – Inappropriate capitalization, unlike other named principles and laws. Note that 8 of 10 books use lower-case "principle". Dicklyon (talk) 04:55, 3 October 2011 (UTC)
- Support. As the nom says, common practice in reliable sources is not to capitalise. Jenks24 (talk) 23:59, 3 October 2011 (UTC)
- Support. While usage is probably variously intended as a proper noun (which would retain the capitalization) and as a descriptive phrase (which would use the lower case), the trend is invariably towards the latter use, and as noted, the balance is already strongly on the side of the lower case usage. Quondum (talk) 07:55, 4 October 2011 (UTC)
- Support, but check name first. Should it be Kerckhoffs' principle, or Kerckhoffs's principle? The article itself is not consistent - the mention of the term in the lede (and onward) does not match the title, for one thing. This should be decided now to avoid a future move request. MSJapan (talk) 05:17, 5 October 2011 (UTC)
- Note: There was a move (on this talk page) by Noel Bush at 19:40, 27 September 2010 (UTC), to use Kerckhoffs's, not Kerkhoffs' on grammatical grounds. I agree that the article should be made consistent in this respect. Quondum (talk) 07:58, 5 October 2011 (UTC)
- Yes on both counts. Support. Tony (talk) 03:03, 8 October 2011 (UTC)
- The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.
Bad Example in section 4 Security through Obscurity
Section 4 contains a bad example of security through obscurity:
it quotes Sean Stephens (CEO LassoSoft Inc) as if the security through obscurity of the German Enigma code was effective
Eppur si muove, And yet it moves... as we all know, the Enigma code was cracked, and the Nazis lost the war.
I can quote the same Sean Stephens to say (X):
- "The original Enigma machine was a tool developed by the Germans in WWI to encrypt messages to one another though a complex analog device. It enabled the transformation of what seemed to be a jumbled code into something readable by a human being. In WWII, it became a critical strategic step for the Allied forces when they were able to decipher code sent by the Germans.
- Winston Churchill called the cracking of the German Enigma Code “the secret weapon that won the war.” "
so the same example (Enigma Code) could be used as an argument against security through obscurity
it is neither a good example for or against Security through Obscurity since we don't know what code they would have used if they had restricted themselves to public key cryptography.
Can a better example be found? It's also quite strange to need an example supporting obscurity on the article on Kerckhoffs principle, unless it's headed under Criticisms.
Citing rule 2:
(Y) It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;
(Z) or according to Sean Stephens: "The system must not require secrecy and can be stolen by the enemy without causing trouble,"
According to the second citation (X) the cracking of the enigma code was "the secret weapon that won the war"
I would definitely call that trouble according to both Y and Z. Sean is contradicting himself; it's not a different interpretation (an interpretation does not self-contradict) of Kerckhoff's principle, it's one of 2 contradicting criticisms (Sean doesn't seem to be sure what stance to take).
Originally I was too bold (originally the talk page was write protected while the article was not) and used poor phrasing (such as "Others argue...") to edit the section, so I kindly invite help from others to take over if they both understand and agree with my (small) problem with the article.
Another question: is Sean Stevens in the know of his citation on WP? — Preceding unsigned comment added by 83.134.157.9 (talk) 03:44, 24 January 2012 (UTC)
Classification and rating
I've listed this as mid-importance, but can certainly see arguments for it being elevated to high-importance. It certainly seems to be a pretty foundational requirement for any (good) cryptosystem. — Sasuke Sarutobi (talk) 12:09, 15 December 2016 (UTC)
"Kerckhoffs' principle" or "Kerckhoffs's principle"?
Per [2] I have changed all instances of "Kerckhoffs' principle" to "Kerckhoffs's principle". If anyone objects, this is the place to discuss it. Whichever name we choose, there should be consensus and the final result should be that the name in the title matches the name in the body. --Guy Macon (talk) 02:15, 2 November 2020 (UTC)