 

Is this kind of encryption "safe"?

I must first say I have never studied cryptography, and everything I know on this topic is just basic notions.

We were looking at a fast and easy way to encrypt some data (to be stored into a database) using a password. I know the "safest" algorithm is AES, but it's probably too complicated for us and I know it requires us to obtain authorizations from the US government, etc.

We thought about this (simple) algorithm, which reminds me (but I may be wrong) of a sort of "One time pad". (It's not written in any specific language... it's just the idea :) )

// The string we need to encrypt
string data = "hello world";

// Long string of random bytes that will be generated the first time we need to encrypt something
string randomData = "aajdfskjefafdsgsdewrbhf";

// The passphrase the user selected
string passphrase = "foo";

// Let's generate the encryption key, using randomData XOR passphrase (repeating this one)
string theKey = "";
j = 0;
for(i = 0; i < randomData.length; i++)
{
    theKey += randomData[i] ^ passphrase[j];
    j++;
    if(j == passphrase.length) j = 0;
}

// Encrypt the data, using data XOR theKey (with theKey.length >= data.length)
string encryptedData = "";
for(i = 0; i < data.length; i++)
{
    encryptedData += data[i] ^ theKey[i];
}

On disk, we will then store only randomData and encryptedData. The user will be asked for the passphrase every time.

How safe will an algorithm like this be? Except with a brute force, are there other ways this could be cracked? I don't think statistical analysis will work on this, does it? Is it "as safe as" a One Time Pad?

Thank you!

ItalyPaleAle asked Nov 30 '22 16:11


2 Answers

You can just import an AES library and let it do all the heavy work. Authorizations from the US government? It is a public function, and the US government also uses it.

CQM answered Dec 04 '22 23:12


No, this is not secure.

If the random data is stored alongside the encrypted data, then it is simply equivalent to XORing with the passphrase: this is because the attacker can simply XOR the encrypted data with the random data, and obtain plaintext XOR passphrase as the result.

caf answered Dec 04 '22 23:12
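
The reduction described in the answer above, as an added example that is not part of the original question or answers: a Python rendering of the question's pseudocode, showing that the stored randomData cancels out and only data XOR passphrase remains. The function names are assumptions made for this illustration.

```python
import os
from itertools import cycle

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def repeating_xor(data: bytes, passphrase: bytes) -> bytes:
    """XOR data with the passphrase repeated as often as needed."""
    return bytes(d ^ p for d, p in zip(data, cycle(passphrase)))

def encrypt(data: bytes, random_data: bytes, passphrase: bytes) -> bytes:
    """The question's scheme: theKey = randomData XOR passphrase (repeated),
    encryptedData = data XOR theKey. Decryption is the same operation."""
    if len(random_data) < len(data):
        raise ValueError("randomData must be at least as long as data")
    the_key = repeating_xor(random_data, passphrase)
    return xor_bytes(data, the_key)

def strip_random_data(encrypted: bytes, random_data: bytes) -> bytes:
    """What any reader of the database can compute without the passphrase:
    encryptedData XOR randomData (both values are stored on disk)."""
    return xor_bytes(encrypted, random_data)

def demo():
    data = b"hello world"           # sample values from the question
    passphrase = b"foo"
    random_data = os.urandom(32)    # constructed: fresh random pad per run
    encrypted = encrypt(data, random_data, passphrase)
    stripped = strip_random_data(encrypted, random_data)
    # The random pad cancels; what is left is plain repeating-key XOR.
    reduces = stripped == repeating_xor(data, passphrase)
    # Consequence: any known plaintext fragment exposes the passphrase bytes,
    # so the scheme has none of the secrecy of a one-time pad.
    leaked = xor_bytes(stripped, b"hello ")
    return reduces, leaked

if __name__ == "__main__":
    print(demo())
```

A one-time pad is only secret if the pad itself is secret; here the pad is stored next to the ciphertext, so the passphrase is the only unknown.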