Kerckhoffs' principle
Encyclopedia
In cryptography
, Kerckhoffs's principle (also called Kerckhoffs's Desiderata
, Kerckhoffs's assumption, axiom, or law) was stated by Auguste Kerckhoffs
in the 19th century: A cryptosystem
should be secure even if everything about the system, except the key, is public knowledge.
Kerckhoffs's principle was reformulated (perhaps independently) by Claude Shannon as "The enemy
knows the system." In that form, it is called Shannon's maxim. In contrast to "security through obscurity
," it is widely embraced by cryptographers.
wrote two journal articles on La Cryptographie Militaire,
in which he stated six design principles for military cipher
s. Translated from French, they are:
Some are no longer relevant given the ability of computers to perform complex encryption, but his second axiom, now known as Kerckhoffs's principle, is still critically important.
should depend solely on the secrecy of the key and the private randomizer. Another way of putting it is that a method of secretly coding and transmitting information should be secure even if everyone knows how it works. Of course, despite the attacker's familiarity with the system in question, the attacker lacks knowledge as to which of all possible instances is being presently observed.
There are a large number of ways the internal details of a widely used system could be discovered. The most obvious is that someone could bribe, blackmail or otherwise threaten staff or customers into explaining the system. In war, for example, one side will probably capture some equipment and people from the other side. Each side will also use spies to gather information.
If a method involves software, someone could do memory dumps or run the software under the control of a debugger in order to understand the method. If hardware is being used, someone could buy or steal some of the hardware and build whatever programs or gadgets needed to test it. Hardware can also be dismantled so that the chip details can be seen with microscopes.
Bruce Schneier
ties it in with a belief that all security systems must be designed to fail as gracefully
as possible:
Any security system depends crucially on keeping some things secret. However, Kerckhoffs's principle points out that the things kept secret ought to be those least costly to change if inadvertently disclosed.
For example, a cryptographic algorithm may be implemented by hardware and software that is widely distributed among users. If security depends on keeping that secret, then disclosure leads to major logistic difficulties in developing, testing, and distributing implementations of a new algorithm: it is "brittle." On the other hand, if keeping the algorithm secret is not important, but only the keys used with the algorithm must be secret, then disclosure of the keys simply requires the simpler, less costly process of generating and distributing new keys.
). However, it should not be assumed that government/military ciphers must be kept secret to maintain security. It's possible that they are intended to be as cryptographically sound as public algorithms, and the decision to keep them secret is in keeping with a layered security posture.
Eric Raymond
extends this principle in support of open source
security software, saying, "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source."
s, Kerckhoffs's principle neatly divides any design into two components. The key can be assumed to be secret for purposes of analysis; in practice various measures are taken to protect it. Everything else is assumed to be knowable by the opponent, so everything except the key should be revealed to the analyst. Perhaps not all opponents know everything, but the analyst should because the goal is to create a system that is secure against any enemy except one that learns the key.
John Savard describes the widespread acceptance of this idea:
Steve Bellovin commented:
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, Kerckhoffs's principle (also called Kerckhoffs's Desiderata
Desiderata
Desiderata is a 1927 prose poem by American writer Max Ehrmann...
, Kerckhoffs's assumption, axiom, or law) was stated by Auguste Kerckhoffs
Auguste Kerckhoffs
Auguste Kerckhoffs was a Dutch linguist and cryptographer who was professor of languages at the École des Hautes Études Commerciales in Paris in the late 19th century....
in the 19th century: A cryptosystem
Cryptosystem
There are two different meanings of the word cryptosystem. One is used by the cryptographic community, while the other is the meaning understood by the public.- General meaning :...
should be secure even if everything about the system, except the key, is public knowledge.
Kerckhoffs's principle was reformulated (perhaps independently) by Claude Shannon as "The enemy
Adversary (cryptography)
In cryptography, an adversary is a malicious entity whose aim is to prevent the users of the cryptosystem from achieving their goal...
knows the system." In that form, it is called Shannon's maxim. In contrast to "security through obscurity
Security through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...
," it is widely embraced by cryptographers.
Origins
In 1883 Auguste KerckhoffsAuguste Kerckhoffs
Auguste Kerckhoffs was a Dutch linguist and cryptographer who was professor of languages at the École des Hautes Études Commerciales in Paris in the late 19th century....
wrote two journal articles on La Cryptographie Militaire,
in which he stated six design principles for military cipher
Cipher
In cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...
s. Translated from French, they are:
- The system must be practically, if not mathematically, indecipherable;
- It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;
- Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents;
- It must be applicable to telegraphic correspondence;
- It must be portable, and its usage and function must not require the concourse of several people;
- Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Some are no longer relevant given the ability of computers to perform complex encryption, but his second axiom, now known as Kerckhoffs's principle, is still critically important.
Explanation of the principle
Stated simply, the security of a cryptosystemCryptosystem
There are two different meanings of the word cryptosystem. One is used by the cryptographic community, while the other is the meaning understood by the public.- General meaning :...
should depend solely on the secrecy of the key and the private randomizer. Another way of putting it is that a method of secretly coding and transmitting information should be secure even if everyone knows how it works. Of course, despite the attacker's familiarity with the system in question, the attacker lacks knowledge as to which of all possible instances is being presently observed.
Advantage of secret keys
Using secure cryptography is supposed to replace the difficult problem of keeping messages secure with a much more manageable one, keeping relatively small keys secure. A system that requires long-term secrecy for something as large and complex as the whole design of a cryptographic system obviously cannot achieve that goal. It only replaces one hard problem with another. However, if a system is secure even when the enemy knows everything except the key, then all that is needed is to manage keeping the keys secret.There are a large number of ways the internal details of a widely used system could be discovered. The most obvious is that someone could bribe, blackmail or otherwise threaten staff or customers into explaining the system. In war, for example, one side will probably capture some equipment and people from the other side. Each side will also use spies to gather information.
If a method involves software, someone could do memory dumps or run the software under the control of a debugger in order to understand the method. If hardware is being used, someone could buy or steal some of the hardware and build whatever programs or gadgets needed to test it. Hardware can also be dismantled so that the chip details can be seen with microscopes.
Maintaining security
A generalization some make from Kerckhoffs's principle is, "The fewer and simpler the secrets that one must keep to ensure system security, the easier it is to maintain system security."Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
ties it in with a belief that all security systems must be designed to fail as gracefully
Graceful exit
A graceful exit is a simple programming idiom wherein a program detects a serious error condition and "exits gracefully" in a controlled manner as a result...
as possible:
Any security system depends crucially on keeping some things secret. However, Kerckhoffs's principle points out that the things kept secret ought to be those least costly to change if inadvertently disclosed.
For example, a cryptographic algorithm may be implemented by hardware and software that is widely distributed among users. If security depends on keeping that secret, then disclosure leads to major logistic difficulties in developing, testing, and distributing implementations of a new algorithm: it is "brittle." On the other hand, if keeping the algorithm secret is not important, but only the keys used with the algorithm must be secret, then disclosure of the keys simply requires the simpler, less costly process of generating and distributing new keys.
Applications
In accordance with Kerckhoffs's principle, the majority of civilian cryptography makes use of publicly-known algorithms. By contrast, ciphers used to protect classified government or military information are often kept secret (see Type 1 encryptionType 1 encryption
In cryptography, a Type 1 product is a device or system certified by the National Security Agency for use in cryptographically securing classified U.S...
). However, it should not be assumed that government/military ciphers must be kept secret to maintain security. It's possible that they are intended to be as cryptographically sound as public algorithms, and the decision to keep them secret is in keeping with a layered security posture.
Eric Raymond
Eric S. Raymond
Eric Steven Raymond , often referred to as ESR, is an American computer programmer, author and open source software advocate. After the 1997 publication of The Cathedral and the Bazaar, Raymond was for a number of years frequently quoted as an unofficial spokesman for the open source movement...
extends this principle in support of open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
security software, saying, "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source."
Implications for analysis
For purposes of analysing cipherCipher
In cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...
s, Kerckhoffs's principle neatly divides any design into two components. The key can be assumed to be secret for purposes of analysis; in practice various measures are taken to protect it. Everything else is assumed to be knowable by the opponent, so everything except the key should be revealed to the analyst. Perhaps not all opponents know everything, but the analyst should because the goal is to create a system that is secure against any enemy except one that learns the key.
John Savard describes the widespread acceptance of this idea:
Security through obscurity
It is moderately common for companies and sometimes even standards bodies as in the case of the CSS encryption on DVDs – to keep the inner workings of a system secret. Some argue this "security by obscurity" makes the product safer and less vulnerable to attack. A counter argument is that keeping the innards secret may improve security in the short term, but in the long run only systems that have been published and analyzed should be trusted.Steve Bellovin commented: