It's not security through obscurity. In fact, it's the very opposite. You can see the process exactly. The reason this is secure is because the process itself doesn't work backwards. You can create a hash using this algorithm, but you'll never reverse that hash back into the original text.
I'm also wondering, how does this prevent preimaging attacks (or whatever they're called)? That is to say, what's stopping people from reliably producing output based on input?
> I'm also wondering, how does this prevent preimaging attacks (or whatever they're called)?
First, see the Wikipedia entry about preimage attacks.
Second, I am not a cryptographer but I think in practice there are a couple of things to be aware of:
- make sure slightly different inputs have wildly different outputs
- make sure no parts of the input survive
- practically speaking there are an unlimited number of inputs that map to most (all? I'm not sure how uniform the distribution of sha256 is) outputs (since input is unlimited and output is a short string).
- the classic preimage attack, rainbow tables, works because 1.) inputs, i.e. passwords, are often short and predictable
- in ancient times password systems didn't use salts
> That is to say, what's stopping people from reliably producing output based on input?
I assume this should be the other way around, which is what I have tried to explain above.
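An added illustration of the properties discussed in this thread, not written by any of the commenters: how many SHA-256 output bits change for a one-character input change, two inputs that must share an output prefix by the pigeonhole argument, and a precomputed table that matches an unsalted hash but not a salted one. All function names and the sample input list are constructed for this example.

```python
import hashlib
import hmac
import os

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of the 256 output bits that differ between SHA-256(a) and SHA-256(b)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(digest(a), digest(b)))

def shared_prefix_pair(prefix_len: int = 1):
    """Pigeonhole: with 256**prefix_len possible prefixes, one more input than
    that must repeat a prefix. Returns two distinct inputs that do."""
    seen = {}
    for i in range(256 ** prefix_len + 1):
        msg = b"input-%d" % i
        prefix = digest(msg)[:prefix_len]
        if prefix in seen:
            return seen[prefix], msg
        seen[prefix] = msg

# Constructed sample list of short, predictable inputs.
COMMON = [b"123456", b"password", b"qwerty", b"letmein"]

def build_table(candidates):
    """Precompute digest -> input once; reusable against every unsalted hash."""
    return {digest(c): c for c in candidates}

def store_salted(password: bytes, salt: bytes = b""):
    """Per-user random salt: a table built without the salt no longer matches.
    Real password storage also uses a slow KDF (e.g. PBKDF2, scrypt)."""
    salt = salt or os.urandom(16)
    return salt, digest(salt + password)

def verify_salted(password: bytes, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(digest(salt + password), stored)

if __name__ == "__main__":
    print("bits changed:", differing_bits(b"password1", b"password2"))
    print("same first byte:", shared_prefix_pair())
    table = build_table(COMMON)
    print("unsalted lookup:", table.get(digest(b"qwerty")))
    salt, stored = store_salted(b"qwerty")
    print("salted lookup:", table.get(stored))
    print("verify:", verify_salted(b"qwerty", salt, stored))
```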