In the movies (Clue, The Adams Family, Young Frankenstein, various batman films ...) all the cool people have secret rooms or secret passages that are accessed by pulling on a book or a lamp or some other form of secret switch. These "secret switch" systems are the coolest, and I want one. In fact, a secret room and a secret switch are two of the things on my home owning wishlist, along with a reading room/library and an in-wall usb hub in the game room. (I am prepared to accept that these will mostly be DIY projects). I could talk here about how to build a secret switch (I may have built one over the weekend), but I think I would rather talk about how secrecy and security relate in regards to a secret switch. (Why? well my switch build is 1. a bit sloppy 2. not very exciting actually and 3. a secret!)
Before I begin let me just say that I am not a security professional (computer or otherwise), and my musings should not be taken as a comprehensive discussion of the principals of information security. With that said, there are generally two perspectives on security - security through obscurity and security by design.
Security through obscurity focuses on being secure by being hidden. This covers things like secret switch systems, or stenography, where the key protection is that no one knows that security is occurring. For example, I could encode a message in the low order bits of an image on my blog. The difference between that image and a normal image would be so small the human eye couldn't recognize it. If you have no reason to suspect a message in that image, there would be no reason to check it more carefully and the message could get through securely.
Security by design, on the other hand, says security should not be an accident or rely on not being noticed. Instead, in security by design your security is something you can show off proudly. You should be able to yell to the world: look at this security! isn't it secure? This type of security is typified by locks and cryptology. If you find a locked door you know right away that it is locked and you can probably guess at the type of lock being used to secure the door. Even with that knowledge, however, without a key most people aren't getting through that door.
I personally find security through obscurity fascinating. Secret messages, secret switches, hidden doors and innocuous coded messages, it's all fantastic. But I will admit that this approach is not without drawbacks. I am at best a novice electrician, and a nearly incompetent carpenter. The thought that I could get a build like a hidden door right without someone double-checking my design is silly. And this is where we get into trouble. A security through obscurity setup is only as good as the secret about it is kept, so how can I get design feedback. This problem is one of the reasons security by design exists, and is so heavily relied on for securing the Internet.
Secret Doors - Secure By Design
So lets try to approach a secret door from security by design. In this case how do I make the system actually secure. After all, if I publish the full design of the door and switch for feedback then anyone can find those designs and break my security. Even security through design normally relies on secrets in the form of keys. So how much of my system should be the key?
This is where I want to bring up one of my favorite security principals Kerckhoff's Principal: A security system should be provably secure even if others are aware of the design of the system (but not the key). A traditional secret switch system is in clear violation of Kerckhoff's principal. The security relies on the switch going unnoticed, not on a well designed unbreakable system.
So how do I fix this? Lets say I publish how the secret door would be made. I could even give enough information about the door that people can find it so long as we can all agree that the door only opens when the proper switch is activated. If I stop there my system is not provably secure. I could use a bad, subpar, very obvious switching system, in which case the "no one could guess how to unlock the door" argument isn't sound and the door isn't safe. If we want this to be secure we also need to release details on the switch.
Lets say I'm using a book switch. So to unlock and open the secret door you need to know which book in my library is part of a secret switch system such that pulling the book will activate the switch. So long as I can publish how I made the book into a switch without betraying the actual book or its location in my house I have satisfied security by design. My system can be published audited and celebrated without actually allowing anyone access to my secret room without my permission. Within this framework we can now even ask how secure is my secret room?
how secure is my secret room?
I estimate I have around 100 shelved books, maybe more. One of these books has a switch under it that will open a secret door. Your goal, to get into my secret room, is to guess which one book out of my many books is the secret switch. Unfortunately, this system is about as secure as a two digit long pin, or a single typeable letter, with a chance of guessing around one in one hundred. If I care about security this system isn't going to cut it.
So how can I make this cool and secure? One approach is to add more books. Lets say my target level of security is around that of a six digit pin. Then I would need around 100,000 books. My local library branch growing up claims to have around 250,000 books. So, to have a public but secure "pull the book" secret switch system I would need to have a small library's worth of books. I'm actually OK with that. But I think we can do better.
What if we bring in one more security principal: security in depth? The principal of security in depth argues that you can and should have multiple layers of security securing your system. In the secret door system, the first layer of security is secrecy. A well built system would be indistinguishable from a modest book collection to the untrained observer.
In this new design the second later of security would be finding the switch. However, this time, instead of one book switch, there are ten, in a more manageable one thousand books. Correctly guessing all ten books is nearly impossible as there are more than 10^23 possible combinations. Of course, "guessing" is pretty easy, and if the switches have any feedback an exhaustive search would only take so much time. Regardless, finding the set of books would add meaningful security and delay from attack.
Finally, the really clever part: with multiple books we could add a password style system. Once all ten books are pulled, to access the secret room you would have to reset the correct set of books to enter in the "password". This is the final layer of security, and even if the first two layers are violated through any form of disclosure, this layer can remain secure (as passwords like this can be changed). While this system only allows 1024 possible options, testing an option is time consuming rendering a brute force attack slow and impractical.
So there we go, problem solved. I can have a hidden door, and I can get feedback on its design and build while still maintaining secrecy. All it means is that I am going to need a well stocked library, or a lot of switches. Either option is fine by me. Feel free to shoot me some feedback on my design over twitter or email.