Kerckhoffs's 6th Principle
Everyone reasonably well educated in security knows Kerckhoffs's 2nd principle: the system must not require secrecy, and it must be able to fall into the enemy's hands without inconvenience. In modern terms, the security rests on the key rather than on the obscurity of the algorithm, and (as his 3rd principle adds) the correspondents must be able to change that key at will. But Kerckhoffs originally enumerated 6 principles, and some of the others are still relevant.
The 5th says:
It must be portable, and should not require several persons to handle or operate;
Of course, our laptops and hand-helds are portable now, at least physically. But is the same true of our secret-keeping software and of the secret-keeping codebook itself (today, most likely a password manager's vault)? Let's try to answer a few questions:
- Can you take your codebook with you and use it wherever you want?
- Does the software that decrypts your codebook run on every platform you would use?
- If the software does not run on a given platform, does the vendor provide the source code, or at least a file format specification, so that someone with the knowledge can help you decrypt it?
You see? The 5th principle, portability, still matters.
The 6th says: given the circumstances in which it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules. When you set a password while registering on a website, do you know the list of rules you have to comply with? Do you feel stressed complying with these?
- Not using personal information, such as your own birthday or that of someone close to you, as a password.
- Using a combination of letters, digits, and a site-dictated set of punctuation characters, at a minimum length of ... how long did your website require?
- Not reusing a password you used before but had forgotten, after a password reset permanently invalidated it.
Voila! What does your stress meter say?
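As an added example (not code from the original post), here are the two kinds of registration-form policy side by side, with assumed constants: a checker for the rule-heavy policy in the list above, and a single-rule alternative that asks only for length plus a deny-list the site maintains. Running it shows the usability problem concretely: the rule-heavy policy rejects a long passphrase the user can remember and accepts a short dictionary pattern that happens to tick every box. All names, thresholds and sample passwords are constructed for illustration.

```python
import math
import re

# Added example, not from the original post. Two constructed password
# policies for a registration form: the rule-heavy kind the post describes,
# and a single-rule alternative. Every constant here is an assumption.

# Policy A: letters of both cases, a digit, punctuation from a site-dictated
# set, a minimum length, and no reuse of recent passwords.
SITE_PUNCTUATION = set("!@#$%^&*")   # assumed site-dictated set
MIN_LENGTH_A = 8
REUSE_HISTORY = 5

def composition_rules(password, previous=()):
    """Return the rules of Policy A that `password` violates (empty = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH_A:
        violations.append(f"shorter than {MIN_LENGTH_A} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not any(c in SITE_PUNCTUATION for c in password):
        violations.append("no punctuation from the site's allowed set")
    if password in tuple(previous)[-REUSE_HISTORY:]:
        violations.append(f"matches one of the last {REUSE_HISTORY} passwords")
    return violations

# Policy B: one rule the user has to remember (be long), plus a deny-list the
# site maintains so the user does not have to.
MIN_LENGTH_B = 15
COMMON_PATTERNS = ("password", "qwerty", "123456", "letmein")
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "3": "e"})

def length_rule(password):
    """Return the rules of Policy B that `password` violates (empty = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH_B:
        violations.append(f"shorter than {MIN_LENGTH_B} characters")
    normalized = password.lower().translate(_LEET)   # undo common substitutions
    if any(p in normalized for p in COMMON_PATTERNS):
        violations.append("contains a common password pattern")
    return violations

def naive_strength_bits(password):
    """Keyspace estimate in bits, the way simple strength meters compute it:
    length * log2(size of the character classes used). It is blind to
    dictionary patterns, which is why Policy B also needs a deny-list."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0

if __name__ == "__main__":
    # Constructed sample inputs: a pattern that satisfies every composition
    # rule, and a passphrase that satisfies none of them but is far longer.
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(f"{pw!r}: {naive_strength_bits(pw):.0f} bits (naive meter)")
        print("  policy A violations:", composition_rules(pw) or "none")
        print("  policy B violations:", length_rule(pw) or "none")
```

The passphrase fails Policy A three times (no uppercase, no digit, no allowed punctuation) while the dictionary pattern passes it cleanly; Policy B gives the opposite verdict. Whether a site should go further (checking against breached-password lists, rate-limiting logins) is outside this example; the point it makes is only that the number of rules a user must comply with and the strength of what those rules produce are different things.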
The perfect secret-keeping system does not yet exist, and arguably never will, because security is an arms race between black hats and white hats. The takeaway is that human users are an important component of any security system, and one that the developers of that system often neglect.