Kerckhoffs published "La Cryptographie Militaire" in the Journal des sciences militaires as a practical guide for French military ciphers. He listed six requirements for a field cipher. The second one outlived the rest:
The system must not require secrecy, and it must be able to fall into the enemy's hands without inconvenience. Auguste Kerckhoffs, La Cryptographie Militaire, 1883
His reasoning was operational, not philosophical. Military cipher equipment gets captured. Codebooks get stolen. Operators defect. If the security of your communications depends on the enemy never learning how your cipher works, one captured machine ends the whole system. If it depends only on a key, you replace the key and keep going.
Claude Shannon, working on the mathematical foundations of cryptography in the 1940s, compressed the same idea into a sentence cryptographers still quote: assume the enemy knows the system. Design for the day the blueprints leak, because that day comes.
Why Secret Designs Get Broken Anyway
The counterargument sounds reasonable: surely a cipher the attacker has to reverse engineer is harder to break than one published in an RFC. The record says otherwise, for a structural reason. A secret design is a design that skipped peer review. The flaws that a public design would have accumulated in academic papers within months instead sit undiscovered inside the product, waiting for the first person motivated enough to look.
And reverse engineering is cheaper than its reputation suggests. Some well-documented cases:
| System | Secret design | What happened |
|---|---|---|
| DVD CSS | Proprietary 40-bit stream cipher for DVD copy protection | Reverse engineered in 1999; DeCSS decrypted any DVD. The cipher's effective strength was far below even its nominal 40 bits. |
| GSM A5/1 | Secret cipher protecting 2G phone calls | Design leaked and was reverse engineered in the 1990s; practical attacks followed, including rainbow-table decryption demonstrated publicly in 2009. |
| Mifare Classic | Crypto1, a secret cipher in billions of transit and building-access cards | Radboud University researchers recovered the cipher from the silicon in 2008 and broke it; card cloning became a hobbyist exercise. |
In each case, the vendor's security argument amounted to "nobody knows how it works." Somebody always ends up knowing how it works. The only question is whether the flaws were found by reviewers before shipping or by attackers after.
The Darker Failure Mode: Secrecy Hides Sabotage
A broken secret cipher is the good outcome. The worse one is a deliberately weakened cipher that secrecy protects from discovery.
The Crypto AG case is the canonical example. For decades, the Swiss firm sold cipher machines to roughly 120 governments. In 2020, reporting by the Washington Post and ZDF confirmed what researchers had long suspected: the CIA and West Germany's BND secretly owned the company and had rigged its machines so that the intelligence agencies could read the traffic of the governments buying them. Customers could not audit the designs. That was the point.
No open design could have sustained this. A published algorithm with a deliberate weakness gets found, because thousands of independent people can look. This is the same logic behind reproducible builds: openness does not prevent flaws, but it puts a short clock on how long a deliberate one can stay hidden.
In a well-designed system, the key is the only secret. Everything else, the algorithm, the protocol, the source code, should be publishable without weakening anything.
What the Principle Does Not Say
Kerckhoffs's principle is often flattened into "obscurity is worthless," which overstates it. Three clarifications keep it useful.
Obscurity as an extra layer is fine. Obscurity as the load-bearing layer is not. Running SSH on a nonstandard port cuts log noise from automated scanners. Nothing wrong with that, as long as the actual security still comes from the cryptography, so that an attacker who knows the port gains nothing decisive. The failure is a system that becomes breakable once its internals are known.
Publishing a design is necessary for trust, not sufficient for security. An open algorithm nobody qualified has reviewed is no better than a secret one. OpenSSL was open source throughout the years Heartbleed sat in it. What openness buys is the possibility of review, audits, and independent implementations. Whether that possibility gets exercised is a separate question worth asking any vendor.
The principle applies to designs, not to your operational details. Keeping your key material, your infrastructure layout, or your travel plans confidential is not a violation of Kerckhoffs. Those are keys, in the broad sense: replaceable secrets, not structural ones.
An Interesting Counterpoint: Skipjack
Not every secret cipher is weak. When the NSA declassified its Skipjack algorithm in 1998, after years of it being available only inside tamper-resistant Clipper chips, public cryptanalysis found attacks on reduced-round variants but nothing devastating against the full cipher. The agency's designers knew what they were doing.
But notice what the secrecy cost them. The Clipper program collapsed in large part because nobody outside the government could verify the cipher or the key-escrow mechanism wrapped around it. Matt Blaze found a flaw in the escrow protocol itself in 1994, from the outside, within a year of getting access. A competent secret design still forfeits the thing that makes people willing to rely on it.
Using the Principle as a Buyer
For anyone evaluating a security or privacy product, Kerckhoffs's principle converts into a short list of questions:
- Is the protocol documented? "Military-grade proprietary encryption" is a red flag phrase. AES, ChaCha20-Poly1305, the Signal protocol, and MLS (RFC 9420) are public specifications with years of published analysis.
- Can anyone inspect the implementation? Open source client code means the gap between what the vendor claims and what the software does is checkable.
- What happens if the vendor's design documents leak tomorrow? If the answer is "nothing, only keys matter," the design is sound. If the answer is unclear, the secrecy is doing work it should not be doing.
- Has anyone independent actually looked? Published third-party audits, academic papers, or a track record of externally reported and fixed vulnerabilities all count as evidence the review possibility is being used.
The 1883 version of the test was whether a cipher survives the capture of a machine. The 2026 version is whether a product survives its own documentation. The systems worth trusting are the ones whose designers wrote them down, published them, and let strangers try to tear them apart first.