views:

75

answers:

3

XOR encryption is known to be quite weak. But how weak is it if I have a key that is made up of multiple keys of different (ideally prime) lengths which are combined to make a longer key. eg I have a text keys of length 5, 9 and 11. If I just apply the first key using XOR encryption then it should be easy to break as the encryption byte will repeat every 5 bytes. However if I 'overlay' the 3 of these keys I get an effective non-repeating length of 5*9*11 = 495. This sounds to me pretty strong. If I use a couple of verses of a poem using each line as a key then my non-repeating length will be way bigger than most files. How strong would this be (providing the key remains secret! :) )

+4  A: 

XOR encryption is exactly as strong as the key stream. If you XOR with a "One time pad" - a sequence of physically generated random numbers that you only use once, then your encryption is theoretically unbreakable. You do have the problem however of hiding and distributing the key.

So your question comes down to - "how secure/random is a keystream made of three text strings?" The answer is "not very secure at all". Probably good enough to keep out your little sister, but not necessarily if you've got a smart little sister like I have.

Nick Fortescue
@Nick :) I've been reading [this question](http://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption) - I see what your saying about 3 strings not being strong enough. But if I use the poem example for instance and end up with an effective key length which is longer than the file being encrypted it should be pretty secure right?
El Ronnoco
No, definitely not, but it would take too long to explain why in this post. It depends why you are writing it. If you are writing it to learn about security, then I'd start with the one word version, then write a program to break it, then go to 2 words, write a program to break that etc. You'll work out why it is insecure, and learn a lot for yourself.
Nick Fortescue
If you actually want a secure algorithm to use, take your poem, hash it to a key, and then use a free, well tested algorithm someone else has written - eg http://en.wikipedia.org/wiki/Advanced_Encryption_Standard. You'll have the benefits of hundreds of brilliant minds having inspected it and not found anything wrong with it yet.
Nick Fortescue
+3  A: 

What about the 'known plaintext' attack? If you know the encrypted and the cleartext versions of the same string, you can retrieve the key.

http://en.wikipedia.org/wiki/XOR_cipher

http://en.wikipedia.org/wiki/Known-plaintext_attack

http://en.wikipedia.org/wiki/Stream_cipher_attack

Marcin
Yes, but the known plaintext attack is only good for determining the part of the key which was used to encode the known plaintext. If the key is a non-repeating sequence as long or longer than the message then this attack has no value.
El Ronnoco
Yea but you can snatch that one message, and sometimes that's all you need ;) Besides, the one-time pad algorithms have their own problems, mainly how does the other side knows what key is going to be this time.
Marcin
+1  A: 

If P and Q are two independent cryptographic methods, the composite cryptographic function P(Q(x)) won't be any weaker than the stronger of P(x) or Q(x), but it won't necessarily be meaningfully stronger either. In order for a composite cryptographic function to gain any strength, the operations comprising it have to meet certain criteria. Combining weak ciphers arbitrarily, no matter how many one uses, is unlikely to yield a strong cipher.

supercat