Exceptions to Kerckhoffs's second principle do exist
Background
Kerckhoffs addressed the problem of how to use cryptography in military telegraphy. This was to be a critical issue during World War I (see the German ADFGX and ADFGVX ciphers).
In 1881, Kerckhoffs became professor of German at the Ecole des
Hautes Etudes Commerciales and at the Ecole Arago, both in Paris. It
was during this time that, aged 47, he wrote La Cryptographie
militaire. [1]
What did Auguste Kerckhoffs actually say? We need to go back to the original French of La Cryptographie militaire, which is very clearly shown and translated here.
He made two points:
It is necessary to distinguish carefully between a system of
encipherment envisioned for a momentary exchange of letters between
several isolated people and a method of cryptography intended to
govern the correspondence between different army chiefs for an
unlimited time. [Kahn; page 123]
And secondly, that encipherment systems could only be understood from the viewpoint of cryptanalysis.
From these two fundamental principles for selecting usable field
ciphers, Kerckhoffs deduced six specific requirements: (1) the system
should be, if not theoretically unbreakable, unbreakable in practice;
(2) compromise of the system should not inconvenience the correspondents; (3) the key should be rememberable without notes and
should be easily changeable; (4) the cryptograms should be
transmissible by telegraph; (5) the apparatus or documents should be
portable and operable by a single person; (6) the system should be
easy, neither requiring knowledge of a long list of rules nor
involving mental strain. [Kahn; p.123]
What did this really mean in the context of the time? It meant that code books were weak cryptography. It meant that there was an important distinction between key and system. The enemy can know the system, even capture it entire--but security can still be maintained because everything (the cryptographic service of confidentiality) now depends on a secure key.
"I have therefore thought that it would be rendering a service to the
persons who are interested in the future of military cryptography …
to indicate to them the principles which must guide them in the
contrivance or evaluation of every cipher intended for war service." [Kahn]
Kerckhoffs is clearly talking about the design of cryptographic systems, and his main point is about compromise: losing the system should not entail a security disaster. However, he does not advocate publishing the details of one's cipher system.
Claude Shannon Weighs In--or Does He?
Simply quoting Shannon as saying, "the enemy knows the system", can be misleading:
A secrecy system can be visualized mechanically as a machine with one
or more controls on it. A sequence of letters, the message, is fed
into the input of the machine and a second series emerges at the
output. The particular setting of the controls corresponds to the
particular key being used. Some statistical method must be prescribed
for choosing the key from all the possible ones. To make the problem
mathematically tractable we shall assume that the enemy knows the
system being used. That is, he knows the family of transformations T_i,
and the probabilities of choosing various keys. [2]
In other words, in order to do cryptanalysis, let's assume we understand the system. If the system were unknown--the structure of the VIC cipher was a mystery to the NSA (from its inception--October 24, 1952) until 1957--cryptanalysis might have to stop. In the case of the VIC cipher it did--until a defector explained the system.
This is the "additional layer of security" that "can be used to provide defense in depth" that Ella Rose mentioned in her response. In other words, it can help provide at least one cryptographic service.
Notice the echo of things military in the phrase "defense in depth".
Argument
Exceptions and non-exceptions to Kerckhoffs's principle must be judged in terms of cryptographic services (authentication, confidentiality, integrity, non-repudiation, etc.), to include how long those services will be needed. But do we really acknowledge all services? In military matters, sometimes the goal is simply to reduce the power of the enemy. This is one way that "defense in depth" functions. The enemy gets weaker because of your defense in depth and therefore may give up. Moreover, because of the high costs, they might be unable to attack another area. The enemy makes contact, uses resources, fails, has to bypass your strongpoint, and then is weaker during their next attack. It is about maximizing costs.
Sometimes it may not matter if you are inconvenienced. What may matter more is that you made the enemy pay. This seems to be a valid cryptographic goal that goes against Kerckhoffs's second principle (at least partially). Besides, forward secrecy may not always be a concern, and side-channel attacks against an unknown system are surely more difficult than those against a studied system whose keys are relied upon completely.
Conclusion
Perhaps reduction should be seen as a valid cryptographic service because adding a layer of obscurity onto a system can be costly for the opposition, and increasing their costs and reducing their resources is surely an intended goal in some cases. Encryption can be designed to increase cryptanalytic costs and target specific collectors. In our current environment of "vulnerability by design" and the appalling way that standardization can assure that cryptography fails--in systems that are too complex, very easy to subvert, and easy for malicious actors to actively and passively control--one might sometimes suffer from doubt as to whether Kerckhoffs's second principle always applies. Yes, let's not utterly lose security if the enemy learns about our system, but what about our system of key generation? Do we want the opponent to hand it to us? Would it not be better if the opponent cryptanalysts had as little information as possible since our system was something they could hardly understand?
Otherwise, the key we use may be worthless because all members of the set of possible systems available to us may have been thoroughly studied and utterly subverted.
by NSA and others
are meant to be read as a grouping. Besides, I also wrote (most of the time)
… not always! Using NSA wording: "we can neither confirm nor deny" if any state has built-in backdoors or weaknesses in their own crypto. What you point at wasn't meant to be read as being about the US & NSA exclusively. See, there are 200+ other countries and some have similar institutions with similar capabilities. Wanting to prove or disprove none of them contain "options to dismantle" is like trying to prove the existence of a deity. – e-sushi Jul 22 '17 at 05:47