Security Through Obscurity
by Ed Sawicki
Accelerated Learning Center
Tailored Computers
May 15, 2003
The 1986 bombing of Libya by the United States teaches an important lesson about Security Through Obscurity. The U.S. raid was in response to the bombing of a West Berlin discotheque that targeted and killed two U.S. soldiers. The U.S. National Security Agency (NSA) learned that Libya was responsible for the bombing by eavesdropping on the encrypted radio communications between Tripoli and the Libyan embassy in West Berlin. President Ronald Reagan had the proof he needed to order the attack.
The Libyans didn't know that they had purchased encryption equipment from a firm called Crypto AG that had links to the German intelligence community and the NSA. Crypto AG embedded the decryption key in the ciphertext, allowing the NSA to monitor the encrypted communication in real time.
The Libyans learned the lesson of Security Through Obscurity the hard way. They thought their communications channels were secure because the encryption equipment came from a manufacturer in a neutral country. However, the algorithms and ciphers in these black boxes were never subjected to public review. Independent cryptographers were not able to verify the equipment's effectiveness. Libya was not the only country that made poor decisions when purchasing crypto equipment. Iran was also using Crypto AG equipment at the time.
Far better security can be achieved using Free/Open Source software that has already been scrutinized by an army of cryptographers.