Cryptography can be applied so as to provide strong security or weak security. Generally, since cryptography is expensive and introduces risk, you want only as much security as is necessary. This book uses the term obfuscation to describe situations where encryption is used to provide a minimal amount of security. Obfuscation is used simply to make reading data more difficult and thereby prevent casual attacks.
Obfuscation should be used rarely. Strong encryption, not obfuscation, is necessary for nearly every threat requiring a cryptographic solution. Obfuscation is generally appropriate only as a solution of last resort and relies on other controls for adequate protection. For instance, consider the situation described in the previous section, where a program must, in order to decrypt data, log into a dedicated decryption machine over the internal network. The dedicated machine requires a password, so the program must have access to that password. The problem of how to protect that password is an issue.
Encrypting the password makes sense, but how would it be decrypted? The strong cryptographic solution would be to use the dedicated decryption machine, but that won’t work because the decrypted password is necessary to access the machine. Another option would be to encrypt the password with a key stored elsewhere and not use the dedicated machine. Then the problem becomes a matter of protecting that key while also making it available to the program when it needs to use the password.
Complicated schemes where the credentials are entered manually by a security administrator when the program first starts and are then stored only in primary memory, perhaps split into several pieces, further shift the problem to one of protecting the key when it is in the administrator’s possession. Such measures also increase the program’s fragility and introduce dependencies for restarting the program. Additionally, the security of such techniques is, ultimately, questionable. A skilled and patient attacker with the right tools and access can simply wait until the program decrypts the password, at which point the attacker picks it out of memory. While this isn’t trivial, it certainly isn’t impossible. The threat model helps you determine if such a complex scheme is appropriate in a given situation.
Alternatively, the password could simply be obfuscated. An obfuscated password might be encrypted and stored in one file while the key used for the encryption is stored in another file. Anybody simply browsing through files won’t accidentally compromise the password, but, obviously, if that individual were dedicated to retrieving the password, it would not be difficult to get both the encrypted password and the key. Various schemes could be employed to increase the difficulty, but by calling the protection obfuscation, we recognize that the security is rather easily broken, so we are reminded to maintain other controls appropriately. In this case, we want to ensure that only administrators and the necessary programs have access to both files.