Are there any advanced security technologies, for example, establishing a secured connection, which first require authentication based on security through organic-like changing obscurity of secrecy?

I'm not a fan of "regular" security through obscurity, because hackers will eventually discover and bypass the vulnerabilities of "obscurity".

But what about security through an adaptive, changing, updating organic-like obscurity based on secrecy?

What this means is that the security is relying on infinite intelligent-like unique obscurities which will always update for a given time period, regardless of being hacked or not.

It's like organic software fighting off hackers (viruses), a living breathing organism that is alive and adaptive, **it's not static anymore**.

The organic-like obscurity will always change on a daily basis.

This means that hackers are now required to reverse engineer the obscurity algorithm on a daily basis. This also means hackers are now behaving like organic viruses and it will be extremely hard for them to reverse engineer the organic-like self-changing obscurity based on secrecy.

Which also means, if hackers found out vulnerabilities of obscurity, it's completely useless since tomorrow the discovered obscurity will change again and will be more complex and is required to reverse engineer again. No AI can do reverse engineering in a practical manner and no hacker is going to waste hours and years for reverse engineering organic-like obscurity based on secrecy.

I can have a team of software engineers to do this, but has anyone ever done or thought of doing this before? I bet the future of web security is going to be based on this concept.

Today there are thousands of companies providing smart AI detection of malicious activity and various security vulnerability detection, but I do not think they design security systems which adapt or change due to AI's decisions.

There are no global authoritative standards that give a practical solution of implementing security through "organic-like" obscurity based on secrecy for simple secured communication between client and server to prevent man-in-the-middle attacks.

Various algorithmic "secrecies" need to be implemented by the programmers following guided rules required to make a strong obscurity which will be difficult for hackers to reverse engineer in a short period of time before it self updates.

Obviously, a "trusted" programmer is required and will be needed to tweak and update the secret algorithm once or twice a week to maintain valid and strong security through organic-like obscurity which adapts daily.

schroeder
S To
  • Welcome - I don't know if there are any adaptive, organic-like security mechanisms, however, I do know of maladaptive, organic-like breach mechanisms Obligatory XKCD – brynk Apr 19 '21 at 23:54
  • But what about security through ... - Such broad questions are out of scope on this site. I suggest to close this question. – mentallurg Apr 20 '21 at 02:35
  • 4
    "I'm not a fan of "regular" security through obscurity" - me neither and this includes "organic-like" obscurity, whatever this actually is. Proper authentication does not rely on obscurity in the first place. I also think that the question should be closed. Basically all the details you provide is that you have "something special" which you don't really explain how it exactly works but invest lots of time to claim that it is better. Maybe understand first on what principles proper authentication relies on (not obscurity) and then explain in detail how your idea is better than that. – Steffen Ullrich Apr 20 '21 at 04:26
  • 1
    Welcome to Sec.SE. Your question lacks clarity since it does not explain how your imagined system will work in practice. As far as I can see, once a hacker reverse engineers the system, they can identify the weaknesses in the system. Changing the "organic-like obscurity" around those weaknesses will not make the weaknesses go away. Also "needs to be implemented by the programmers following guided rules" - Good luck with that. – nobody Apr 20 '21 at 08:15
  • 2
    This is total insanity. It's as if you wanted to reinvent the wheel, but also wanted to make it square for some reason. Round wheels work, square wheels don't, and this has been known for a very long time. It's not clear what problem you are trying to solve with your convoluted solution. – reed Apr 20 '21 at 10:26
  • Before posting nonsense on here, and insisting you know better than the many seasoned professionals here, please rethink your approach. If everyone is telling you your ideas are fallacious, they probably are. If you are convinced they are not, provide proof. But do not come here with insults and rants and ideas which have been thoroughly debunked ages ago. – Rory Alsop Apr 23 '21 at 11:54

1 Answer

There might exist, somewhere, something that does what you imagine, but it would never have widespread adoption and it would be a waste of time and resources.

There are two reasons why:

Security systems are designed with Kerckhoffs's principle in mind, so that the algorithm or process to secure something does not need to be a secret for the system to remain secure.

We already have "simple secured communication between client and server to prevent man-in-the-middle attacks" through the use of TLS. The encryption key changes with each session. The algorithm doesn't need to change. There is your "constantly changing secure obfuscation".

Your idea also lacks scalability. You are wanting a "team of software engineers" to come up with new and untested security algorithms "once or twice a week". What we currently have are algorithms designed by the best cryptographers in the world, whose work is tested for years to prove their use in security contexts. You appear to assume that a random collection of programmers can accomplish the same thing.

So, to answer your question directly: "maybe" something like this exists. But it doesn't matter if it does or not. Because it's the wrong approach.

schroeder
  • "What we currently have are algorithms designed by the best cryptographers in the world" - No this is not true. The "best" cryptographers work for NSA and private companies providing "organic-like" security through obscurity (aka patented technology), Snowden leaked documents of all the vulnerabilities of today's modern security. There are plenty of companies and top university researchers stating that today's internet security cryptography will not be safe in a few years and proven it has been cracked. Man in the middle attacks are so advanced that today's cryptography security is useless. – S To Apr 20 '21 at 20:47
  • The article says it fails when you re-use keys. That's not a problem with the algorithm. Please make sure you understand the articles you post. – schroeder Apr 20 '21 at 22:11
  • It cannot be "a tiny little of the puzzle" when it doesn't even fit the puzzle. This is what I said. You are claiming this example as evidence of "how TLS "made by the best cryptographers just fails"" but it is not a fault of the cryptographers. So, the example doesn't apply. – schroeder Apr 21 '21 at 14:13
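
As an added illustration of the answer's point about TLS (not code from the answer or from any TLS library): a fixed, fully public algorithm, here ephemeral finite-field Diffie-Hellman over the RFC 3526 2048-bit group with an HKDF-style derivation, yields a new key for every session. The function names are hypothetical, and the certificate-based authentication that TLS uses to stop man-in-the-middle attacks is left out.

```python
import hashlib
import hmac
import secrets

# Public parameters: 2048-bit MODP group from RFC 3526 (group 14), generator 2.
# Nothing in this file is secret; an attacker is assumed to know all of it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair():
    """Fresh ephemeral private exponent and the public share sent on the wire."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub, transcript):
    """Derive a 32-byte key from the DH secret, bound to both public shares."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public share")
    shared = pow(peer_pub, my_priv, P).to_bytes(256, "big")
    prk = hmac.new(transcript, shared, hashlib.sha256).digest()  # HKDF-Extract
    # HKDF-Expand, first output block only (32 bytes)
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()


def handshake():
    """One session: both sides make new ephemeral keys and derive the same key."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    shares = c_pub.to_bytes(256, "big") + s_pub.to_bytes(256, "big")
    transcript = hashlib.sha256(shares).digest()
    client_key = session_key(c_priv, s_pub, transcript)
    server_key = session_key(s_priv, c_pub, transcript)
    return client_key, server_key, (c_pub, s_pub)


if __name__ == "__main__":
    for n in range(3):  # same public algorithm, different key every session
        ck, sk, _ = handshake()
        print(n, ck == sk, ck.hex()[:16])
```

Only the ephemeral exponents are secret, and they are discarded after each session, so publishing this code gives an eavesdropper who sees both public shares nothing to reverse engineer.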