
"However, obscurity can never make a secure algorithm more secure."

If you're talking about the security of the algorithm, fine. But you're talking about the security of the system, and the algorithm is seldom the problem. If it takes two months to find the problem with the key management, then your obscurity that added two months just doubled the time to break in.

I still say you should use publicly vetted systems - but the community is in denial over the value (second rate, but still value) of security through obscurity.

Case in point: when Slashdot first released their source code, they didn't escape quotes in passwords, so it was possible to log in as an admin using an appropriately modified SQL statement. Sure, you could have figured out what the command needed to be via trial and error before the code was released, but I was lazy. Releasing the code meant that I could now break into something I wouldn't try to break into before. The obscurity protected them from a certain threat model. It was still much better when they fixed the bug, of course.
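The class of bug the comment describes (unescaped quotes in a password turning into part of the SQL statement), shown beside the parameterized form that fixes it. This is an added example, not the poster's code and not Slashdot's; the table, user names and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not Slashdot's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', 1)")
    conn.execute("INSERT INTO users VALUES ('olivia', 'o''neil', 0)")  # password contains a quote
    conn.commit()
    return conn


def login_unescaped(conn, name, password):
    """The bug: user input is pasted into the statement text, so any quote in the
    password changes the SQL itself. A benign apostrophe breaks the query; a crafted
    one rewrites the WHERE clause so the password check no longer applies."""
    sql = (
        "SELECT name, is_admin FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    """The fix: placeholders bind the values separately from the statement, so the
    password is always compared as data no matter what characters it contains."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def apostrophe_password_works(login):
    """Does a legitimate user whose password contains a quote get in?"""
    try:
        return login(make_db(), "olivia", "o'neil") == ("olivia", 0)
    except sqlite3.OperationalError:  # the unescaped query is now malformed SQL
        return False


def wrong_password_rejected(login):
    """Does a quote-bearing string that is not the admin's password get rejected?"""
    crafted = "' OR '1'='1"  # constructed input; not a real password in the table
    return login(make_db(), "admin", crafted) is None
```

With the unescaped query, `apostrophe_password_works` is False (the SQL is malformed) and `wrong_password_rejected` is False (the row comes back without the password matching); the parameterized query returns True for both.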


