Difference between revisions of "Talk:Simple Encryption"

From Second Life Wiki

Revision as of 11:58, 1 January 2008

  1. XOR is not encryption.
  2. It is possible to decode the messages without resorting to pure brute force. In addition it is possible to ensure that the decode is in fact the message.
    • Worst case scenario is if the message is the password. Could require 2^128 to try all possibilities (depends what information can be gleaned from the message).
      • If the user can feed the encoder arbitrary strings they can brute force the secret directly. This is possible because the MD5 digests would match and subsequent XOR would result in 32 nulls.
    • The longer the message the easier it is to determine the XOR.
    • Byte analysis:
      • If the message contains any characters with a value greater than 128 then bit 6 can be determined in the XOR and consequently reduce the choices available to the XOR in the affected byte positions.
      • On average about 5.9 bits of information about the XOR can be gleaned from the prepended MD5 message digest.
      • If bit 3 can be pinned down the number of available choices is greatly reduced.
  3. Once the message has been decoded, the password can be attacked by brute-forcing the XOR.
  4. Once a message has been decoded the XOR can be applied to any message in the future bearing the same nonce.

I have several ideas on how to improve the security of this algorithm. -- Strife Onizuka 06:09, 1 January 2008 (PST)
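Points 2 and 4 above, shown as an added example that is not part of the original post and is not the wiki's LSL code. It assumes a toy scheme in which the XOR pad is MD5(secret + nonce) repeated and the hex MD5 digest of the message is prepended before the XOR; all function names and sample messages are constructed.

```python
import hashlib
from itertools import cycle, islice

def keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    # Assumed construction: MD5(secret || nonce), repeated out to n bytes.
    return bytes(islice(cycle(hashlib.md5(secret + nonce).digest()), n))

def xor(a: bytes, b: bytes) -> bytes:
    # XOR two byte strings, truncated to the shorter one.
    return bytes(x ^ y for x, y in zip(a, b))

def framed(message: bytes) -> bytes:
    # Hex MD5 digest (32 bytes) prepended to the message, as in the discussion.
    return hashlib.md5(message).hexdigest().encode() + message

def encode(secret: bytes, nonce: bytes, message: bytes) -> bytes:
    body = framed(message)
    return xor(body, keystream(secret, nonce, len(body)))

def check(body: bytes):
    # The prepended digest lets anyone confirm a candidate decode:
    # return the message if the digest matches, otherwise None.
    digest, message = body[:32], body[32:]
    return message if framed(message)[:32] == digest else None

def recover_xor(known_message: bytes, ciphertext: bytes) -> bytes:
    # One decoded message yields the XOR pad itself; no secret is needed.
    return xor(framed(known_message), ciphertext)

def demo():
    secret = b"constructed-secret"          # never used below this block
    known = b"open the north gate now"      # constructed sample messages
    other = b"pay 500 to resident A"
    c1 = encode(secret, b"nonce-1", known)
    c2 = encode(secret, b"nonce-1", other)  # same nonce: same pad
    c3 = encode(secret, b"nonce-2", other)  # fresh nonce: different pad
    pad = recover_xor(known, c1)
    return check(xor(c2, pad)), check(xor(c3, pad))

if __name__ == "__main__":
    reused, fresh = demo()
    print("same nonce  ->", reused)
    print("fresh nonce ->", fresh)
```

The pad recovered from one message only covers as many bytes as that message, so a never-repeating nonce and a real cipher with an authentication tag are the corrections, not a longer pad derived the same way.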

Response to Strife Onizuka

  1. The message digest is stored within the XOR. Q:Should it be clear text? Should the digest even be present, or perhaps a checksum of the digest? --Dedric Mauriac 11:58, 1 January 2008 (PST)
  2. The passkey has now been extended to be as long (or longer) than the message. (one-time pad). --Dedric Mauriac 11:58, 1 January 2008 (PST)