Monday, October 5, 2009

RSA doesn't know Kerckhoffs

I found this in RSA Security's guide for their Authentication Manager (a.k.a. RSA SecurID) application suite:
"This reference guide is meant only for security administrators and trusted personnel.
Do not make it available to the general user population."
So much for Kerckhoffs's principle from the world's leading cryptography vendor:
"[S]tated by Auguste Kerckhoffs in the 19th century: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge."