"Security through Obscurity" doesn't have to be a bad thing

It’s been well established that something which is hidden is rarely secure. This is the basis for the phrase in the title of this post. It has become a dirty word in the world of cryptography and software development where it is generally accepted that the only secure mechanisms are those which are fully known to all parties (both good and bad) and yet still maintain their integrity when attacked.

Although as a software engineer I agree with and follow this logic, I have always felt that obscurity can also be a tool to be leveraged and “obscurity” can mean more than just hiding the source code from outside perview. And I do believe there are creative ways of implementing it to benefit existing security practices.

For some real world practical applicability, look no further than laser printers leaving behind tracking dots and there are many examples of “watermarks” being left by artists in their work. This is done by almost everyone in the industry, from amateur photographs who want credit for their work to music labels and movie houses attempting to prevent piracy.

But beyond the intellectual property world and classic gimmicky applications, my personal goal has been to explore other practical applications for the technology. Particularly, my ideas have been focused in the realm of companion tools to cryptography and applications that will add layers to defense in depth security strategies for software.

To that end, i’ll briefly explore the concept of SNOW. This will serve as a good starting point for future posts about obscurity applications I have envisioned.

Finding a polar bear in a snow storm
Steganography is the age old practice of hiding messages in plane sight. The practice is alive and well today and can even exist in the blanks and tabs that occur naturally in text files on your computer. This is the basis for SNOW, an open source tool that can take any text based file and insert a secret message.

As an illustration, check out the highlighted source code of this webpage.

You’ll notice that the first few lines have some extra highlighting. This is where a secret message has been encoded into blanks and tabs.

But not just encoded, snow also encrypts the message before encoding. Since snow occurs naturally in webpages, an adversary has to first feel confident that a message is there before wasting their time trying to crack the encryption.

The tools for playing around with this technology are readily available. (being an engineer is not required) If you are interested, you can find the original tools/source code on the author’s website. In addition, my former professor Rick Perry hosts the example page above and created a webpage that will do the encryption for you. His site is also a good starting point.

Edward Romano Written by:

I dabble in, and occasionally obsess over, technology and problems that bug me