D1 · General

What is security by obscurity?

Security by obscurity relies on keeping implementation details secret: hiding services, changing default ports, using proprietary algorithms. It is insufficient as a primary security control.
Kerckhoffs's principle: a system should be secure even if everything about it (except the key) is public knowledge. Obscurity can be a defense-in-depth layer but must never be the primary control. Open standards (AES, TLS) withstand public scrutiny — proprietary schemes don't.