Kerckhoffs's Principle
The most important rule in cryptography: assume your adversary knows everything about your system except the key.
Why This Matters
Kerckhoffs's Principle — articulated by Dutch linguist Auguste Kerckhoffs in his 1883 paper La Cryptographie Militaire — is the foundational design rule of modern cryptography. It states that a cryptographic system must remain secure even if everything about the system, except the key, is publicly known. The corollary is profound: security through obscurity (hiding the algorithm) is not security at all, because algorithms can be reverse-engineered, leaked, or discovered; only a short, easily changed key needs to remain secret. Every major cipher used today — AES, RSA, the Diffie-Hellman key exchange, TLS — is fully published and open to public scrutiny, with security depending entirely on key secrecy.
Kerckhoffs stated six design criteria for military ciphers: (1) the system must be practically, if not mathematically, indecipherable; (2) the system must not require secrecy and can be stolen by the enemy without causing trouble; (3) it must be easy to communicate and remember without written notes; (4) the cipher must be applicable to telegraph correspondence; (5) the apparatus must be portable and operable by a single person; (6) the system must be easy to use. Criterion 2 is what posterity calls "Kerckhoffs's Principle."
Obscuring an algorithm provides only temporary security — the time until the algorithm is reverse-engineered, the circuit board is captured, or an insider defects. Once exposed, every message ever sent with that algorithm can potentially be re-examined. In a Kerckhoffs-compliant system with a strong key, by contrast, every message remains protected by its unique key even if the algorithm has been known for decades. Changing a compromised key takes minutes; redesigning and deploying a new secret algorithm takes years and may introduce new weaknesses.
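The contrast described above, as an added example that is not part of the original page: a keyless tagging routine whose only protection is a hidden procedure (`obscure_tag`, hypothetical) next to published HMAC-SHA256 with a secret key. It uses message authentication rather than encryption so that it runs on the Python standard library alone; all names and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Obscurity-based design (constructed for illustration): the protection is the
# hidden procedure itself. There is no key, so nothing can be rotated.
def obscure_tag(message: bytes) -> bytes:
    mixed = bytes(b ^ 0x5A for b in reversed(message))  # hypothetical "secret" transform
    return hashlib.sha256(mixed).digest()

def obscure_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)

# Open design: HMAC-SHA256 is fully published; only the 32-byte key is secret.
class KeyedAuthenticator:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def rotate(self) -> None:
        """Replace the key; tags made under the old key stop verifying."""
        self.key = secrets.token_bytes(32)

    def tag(self, message: bytes) -> bytes:
        return hmac.new(self.key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(message), tag)

def compare_after_exposure(message: bytes = b"constructed sample order #1") -> dict:
    results = {}
    # 1. The obscure procedure leaks: whoever has it produces valid tags, permanently.
    results["obscure_design_leaked"] = obscure_verify(message, obscure_tag(message))
    # 2. The open algorithm is known to everyone, but the key is not.
    auth = KeyedAuthenticator()
    wrong_key_tag = hmac.new(secrets.token_bytes(32), message, hashlib.sha256).digest()
    results["open_design_without_key"] = auth.verify(message, wrong_key_tag)
    # 3. The key itself is compromised, then rotated: recovery is one call.
    old_key = auth.key
    auth.rotate()
    old_key_tag = hmac.new(old_key, message, hashlib.sha256).digest()
    results["open_design_after_rotation"] = auth.verify(message, old_key_tag)
    return results

if __name__ == "__main__":
    for case, accepted in compare_after_exposure().items():
        print(f"{case}: tag accepted = {accepted}")
```

Only the first case accepts the tag: the keyless design has nothing left to change once its procedure is known, while the keyed design recovers from a key compromise with a single `rotate()` call.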
Nazi Germany fundamentally violated Kerckhoffs's Principle when it believed Enigma's machine design could be kept permanently secret. Captured machines (from the submarine U-110 and elsewhere), captured key documents, and operator errors gave Bletchley Park everything needed to break the system — because the underlying cipher machine's wiring was not designed to be secure if known. A Kerckhoffs-compliant system would have been designed so that machine capture only helped if the specific daily key settings were also known.
AES was selected by the US NIST through a public five-year competition (1997–2001). The algorithm was published, attacked by the world's best cryptanalysts, analyzed for weaknesses, and refined through open peer review. The competition's winning algorithm — designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen — is used in virtually every encrypted communication on earth. Its security has been publicly scrutinized for 25 years. This is Kerckhoffs's Principle in action at planetary scale.
| Author | Auguste Kerckhoffs van Nieuwenhof (1835–1903) |
| Published | La Cryptographie Militaire, 1883 |
| Principle | System security must depend only on key secrecy, not system secrecy |
| Shannon equivalent | Shannon's maxim: "the enemy knows the system" |
| Violated by | Security through obscurity, DRM, most "proprietary" crypto |
| Modern lesson | Open design allows public scrutiny that defeats hidden flaws |