Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

4
  • Hypothetically, if I was to create an encryption algorithm, and then invite the best cryptographers in the world to review it at an undisclosed underground facility, and after they all agree it is secure I was to have them executed, would security through obscurity work? Commented Feb 27 at 1:28
  • 1
    @suchislife: If the cryptographers agree that your algorithm is secure, then what do you need obscurity for? Shouldn’t the algorithm work just fine even if it’s publicly known? Security through obscurity is typically used when you aren’t convinced that an algorithm/protocol/application/system is secure and now try to hide its weaknesses. I know some people (like the OP) justify security through obscurity as a defense-in-depth mechanism. But I’m very skeptical of this. In reality, you cannot simply keep ideas away from everybody else. Commented Feb 27 at 2:13
  • I just thought: What would Lex Luthor do? Commented Feb 27 at 2:23
  • @Ja1024 - I know I'm a bit late to the response, but just to clarify: I am not trying to justify security through obscurity as a defense-in-depth mechanism-- I am trying to separate the two to avoid conflation. In my opinion, my approach is not STO as it's not inventing a new encryption scheme, hashing scheme, etc. STO is something like XORing a password with the reverse of the plaintext, and knowing that defeats the entire scheme. With this hypothetical auth scheme, even if the attacker knew the "hidden parameters", it doesn't defeat or break the scheme. Argon, ChaCha, etc are still secure Commented Mar 9 at 17:37