We saw that throughout the vast majority of history,
the security of cryptosystems relied on the entire system remaining secret from
the enemy, a practice now known as security through obscurity.
Once the workings of the algorithm became known, the residual security provided by
whatever key remained was minimal and easily defeated.
As a result, the entire cryptosystem had to be discarded, and a new one devised.
In examining the history of cryptographic failures, the Dutch cryptographer
Auguste Kerckhoffs laid out a set of design principles in 1883 that should
guide the design of cipher systems.
One of these principles was that the system should be easy to use,
and not require the user to know or comply with long lists of rules.
Consider how violating this principle with regard to the Enigma machine
changed the course of World War II more than half a century later.
Another of Kerckhoffs' design principles is so
critically important that it, by itself, is now known as Kerckhoffs' Principle.
This principle merely states that the design of the cryptosystem should
not require secrecy and
that the system should remain secure even if its design falls into enemy hands.
This is often expressed by saying that you should be able to turn over
all of your design documents to your enemy and
pay them to build your cipher machines for you.
A major advantage of complying with this principle is that instead of relying on
the expertise of a small handful of people to test the security of a cryptosystem,
which is done by trying to find clever ways to break it,
the design can be made public.
And now millions of highly skilled people can try to find weaknesses and
publish those results.
At first glance, this might seem the very essence of insanity,
as it would appear that you're making your enemy's job that much easier.
The thing to remember is that you should assume that your enemy is willing to put
many times the resources available to you to work to break your system,
and that they have access to people at least as talented as any of yours.
Hence, if there are weaknesses that your small team of experts missed,
your enemy is probably going to find them.
But if the entire world is looking at your design,
then it becomes highly unlikely that any significant weakness discovered by your
enemy isn't also going to be discovered by several other people and made public,
thus giving you the opportunity to revise your design and remove that weakness.
This is why it's become quite common for the designers of cryptographic algorithms
to issue public challenges, sometimes with prizes worth millions of dollars,
to the first person who can break the system,
and some of these prizes have been successfully claimed.
Kerckhoffs also recognized that a direct consequence of this principle is that
the security of the system must therefore rest in the security of a key, and
that this key should be as simple and small as possible.
It should be easily communicated, and
the parties should be able to change it as needed.