Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is this kind of encryption "safe"?

Tags:

security

cryptography

encryption

I must first say I have never studied cryptography, and everything I know on this topic is just basic notions.

We were looking at a fast and easy way to encrypt some data (to be stored into a database) using a password. I know the "safest" algorithm is AES, but it's probably too complicated for us and I know it requires us to obtain authorizations from the US government, etc.

We thought about this (simple) algorithm, which reminds me (but I may be wrong) a sort of "One time pad". (it's not written in any specific language... it's just the idea :) )

// The string we need to encrypt
string data = "hello world";

// Long string of random bytes that will be generated the first time we need to encrypt something
string randomData = "aajdfskjefafdsgsdewrbhf";

// The passphrase the user selected
string passphrase = "foo";

// Let's generate the encryption key, using randomData XOR passphrase (repeating this one)
string theKey = "";
j = 0;
for(i = 0; i < randomData.length; i++)
{
    theKey += randomData[i] ^ passphrase[j];
    j++;
    if(j == passphrase.length) j = 0;
}

// Encrypt the data, using data XOR theKey (with theKey.length >= data.length)
string encryptedData = "";
for(i = 0; i < data.length; i++)
{
    encryptedData += data[i] ^ theKey[i];
}

On disk, we will store then only randomData and encryptedData. passphrase will be asked to the user every time.

How safe will an algorithm like this be? Except with a brute force, are there other ways this could be cracked? I don't think statistical analysis will work on this, does it? Is it "as safe as" a One Time Pad?

Thank you!

like image 502
ItalyPaleAle Avatar asked Nov 30 '22 16:11

ItalyPaleAle

2 Answers

You can just import an AES library and let it do all the heavy work. Authorizations from the US government? It is a public function, and the US government also uses it.

like image 158
CQM Avatar answered Dec 04 '22 23:12

CQM

No, this is not secure.

If the random data is stored alongside the encrypted data, then it is simply equivalent to XORing with the passphrase: this is because the attacker can simply XOR the encrypted data with the random data, and obtain plaintext XOR passphrase as the result.

like image 33
caf Avatar answered Dec 04 '22 23:12

caf
Sign in to Comment

Related questions

Strength of RSA Encrypting an AES Key
Can I be sure my Java web app running on localhost:8080 is invisible from my fellow Starbucks customers?
Verifying the SSL certificate on iOS
saving passwords inside your application code
Is this PHP/MySQL delete function secure?
SecCertificateCreateWithData always returning null
How can I display a warning to users who open the Chrome console, like Facebook and Blockchain does?
Combination of more than one crypto algorithm
Is the password weak under dictionary attack
placing php script outside website root
Spring Session User Info retrieval in Dao layer
PostgreSQL's Security Compared to MySQL, etc
Is it a SQL injection?
In PHP, how can I detect that input vars were truncated due to max_input_vars being exceeded?
Regular expressions to prevent XSS or something else?
FOSUserBundle - How to redirect already logged-in users when trying to access the login_path
How vulnerable is my code to SQL injection?
Populating the PrimaryIdentity in WCF
Is this a safe use of python eval()?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!