Are Open Standards Bad for Encryption?
An Anonymous Coward asks: "Open standards for most things are good -- they keep the big fish from closing the pond. For encryption, though, open standards make things easier to break. What will happen to computer security when someone finds a way to factor very large numbers? Every implementation on every computer will suddenly be obsolete. How would that affect the much heralded 'new economy' and how quickly would the encryption industry be able to reestablish a standard?"
Yeah... everyone likes to blindly shout the mantra 'Security through Obscurity is no security at all!'.
Well... that all too often gets taken out of context.
What it means is, if your only security is the fact that nobody knows anything about your security measures, then you are deluding yourself. This is most commonly quoted due to the mass numbers of security loopholes in software in the last 15 years; companies keeping it 'quiet' that there was a bug, hoping nobody would find out, and hence, keeping things secure. That's the kind of bad 'obscurity' we don't need.
On the other hand, obscurity can be an important aspect of a system's security. Take any old job. The supermarket I used to work in (and my family owned). Due to the fact that my family owned it, I got to observe who, what and when with regards to handling large amounts of cash. That's not to say that we had no security, but the fact that the common person who might want to rip us off has no idea how the money handling process works is *part* of that security. If he knew what I knew, he'd be at an advantage.
And take system security. Why on earth would I publish my security? Certainly, if I have sensitive documents that are encrypted, I'm also going to keep it a secret which algorithms I used...that's part of the system.