
Then I posit a philosophical question: what exactly is "obscure"?

Is it 1 in 10?

Is it 1 in 10e6?

Is it 1 in 10e77 (2^256)?

Is it 1 in 10e174 (2^512)?

Is it 1 in 10^1233 (2^4096)?

Where is the value where it's no longer "security by obscurity" to security? Is a simple password enough? What about a login/password? What about login/password/2FA? Or is a 4096-bit key acceptable as security instead of obscurity?

> The problem with obscurity is that it doesn't really impose asymmetric costs on the attacker.

If you don't know the "number", and all you can do is guess, adding another binary digit increases the keyspace by 2x. I can add 2's faster than you can guess. Mine scales linearly. Yours scales exponentially.

> Do they find your secret URL on accident?

Does the same apply if they find a 4096-bit key by "accident"? Or let's take a ZKP: if I successfully make 128 correct guesses at 4096 bits each, is that just a "lucky guess"? According to gambling and odds, that's pretty much a 0% chance to just guess it.

> Were they an ex-employee who simply knew?

And the employee should have been deactivated. This specific secret should never have been memorable or copy-able.




It's an interesting question. For me, the difference is that obscurity strategies are ad-hoc and unproven and perhaps unprovable. We should be able to make a strong argument that our systems have particular security properties, such as asymmetric costs.

So, asking how much entropy is "obscurity" and how much is "security" is the wrong question. If you can measure the amount of entropy, you're already in the "security" sphere, and you're talking about security and insecurity.

For instance, if you invent your own passwords rather than using a password generator, and you use an ad-hoc strategy without employing any sort of reasoning about how much entropy you're generating, I think it is fair to say you're employing obscurity. For the initiated, it is not reasonable to expect this strategy to do better than "hunter2". "Security", in this case, would be using a password generator or some other strategy that we can reasonably believe is sound.

You seem to be arguing for something provable which you can reason about mathematically, and not something ad-hoc which we cannot be certain of.

If you happen to see my response and read the whole thing, then I pose to you a second question: is creating a fake copy of your data, which you do not protect as carefully as your real data, a security or obscurity strategy? Or something else entirely?
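As an added worked example (not from either commenter), the arithmetic behind both posts: the first commenter's claim that each added symbol costs the defender a constant amount while the attacker's keyspace doubles per bit, and the second commenter's point that a measurable entropy figure is what separates "security" from "obscurity". It assumes a 64-symbol URL-safe alphabet for a generated secret and a constructed attacker guess rate of 1e9 guesses per second.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)

def expected_guesses(bits: float) -> float:
    """Mean number of guesses before hitting a uniformly random secret: half the keyspace."""
    return 2.0 ** (bits - 1)

def years_to_expected_hit(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years an attacker guessing at the given rate needs on average."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR

def attacker_cost_multiplier(alphabet_size: int, extra_chars: int) -> float:
    """Factor by which the attacker's work grows when the defender appends extra_chars
    symbols. The defender's own cost grows only by extra_chars (linear vs exponential)."""
    return 2.0 ** entropy_bits(alphabet_size, extra_chars)

def generated_secret(length: int = 22) -> str:
    """Secret from a measurable process: 64-symbol URL-safe alphabet, 6 bits per symbol."""
    alphabet = string.ascii_letters + string.digits + "-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def dictionary_guess_bits(dictionary_size: int) -> float:
    """Upper bound on the entropy of a human-chosen password (the 'hunter2' case) that
    appears somewhere in a leaked-password list of dictionary_size entries."""
    return math.log2(dictionary_size)

if __name__ == "__main__":
    rate = 1e9  # constructed assumption: attacker tries 1e9 secrets per second
    token = generated_secret()
    bits = entropy_bits(64, len(token))
    print(f"generated secret {token}: {bits:.0f} bits, "
          f"~{years_to_expected_hit(bits, rate):.2e} years to expected hit")
    weak = dictionary_guess_bits(10**6)  # password found in a top-1e6 list
    print(f"'hunter2'-class password: <= {weak:.1f} bits, "
          f"~{years_to_expected_hit(weak, rate):.1e} years to expected hit")
    print(f"defender appends 2 symbols; attacker's work grows x{attacker_cost_multiplier(64, 2):.0f}")
```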



