that is Security through Obscurity which is a bad thing to rely on.
You've stumbled across a pet peeve of mine. Despite what Elias Levy preaches unto the masses, "Security through Obscurity" is not a bad thing.
Consider a basic staple of security, the username/password combination. This is obscurity. You are betting that someone will not guess that combination. Granted, you should restrict access to certain hosts, have layers of security, proper logging to detect password cracking and other bad stuff, blah blah blah, but if someone guesses all your 14 character lowercase uppercase alphanumeric passwords (with that exclamation mark at the end, yes I know ;) on the first shot, you're probably screwed.
There is nothing wrong with this though, security is just playing the odds and chances are, if you pick good passwords and follow some basic practices, your system will be compromised via some other method :).
I should also note that many people, possibly including you, might say I'm bending the meaning of the term a bit. They only use the term "Security through Obscurity" to refer to the belief that if the details of a system are not made publicly available the system will be more secure. People who hold this belief sometimes also suggest that vulnerability details should be restricted to vendors and a small number of people. While I do believe that giving too much information out does make it more likely that your system will be compromised, I do not believe restricting vulnerability disclosure would be a good idea. Giving a little notice to the vendor is polite though.
| [reply] |
I understand what you mean, and don't really disagree, but that is just semantics. People do know what you mean; it is like when people say that "drinking is bad for you, or for your brain", they don't mean that all intake of liquid is bad (it is after all a necessity). Even though it may seem a silly example, context is the key to most of our communication, although a certain expression may not be "true" verbatim. You did know, as did most others, exactly what I meant, and as an expression, in this context, it means the subset described approximately in the link I gave to the Jargon files.
And no, I will not battle you over it, really. I just couldn't resist. Heheh. Like I said, you are correct, also. :)
You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.
| [reply] |
I understand what you mean, and don't really disagree, but that is just semantics.
Exactly, it is just semantics. People often misuse the term "Security through Obscurity" and it generates a lot of confusion. This leads to the attitude that you shouldn't hide any information about your system and that obscurity is a bad thing when it comes to security. Both of which are not true.
From the Jargon file on "Security through Obscurity":
A term applied by hackers to most OS vendors' favorite way of coping with security holes -- namely, ignoring them, documenting neither any known holes nor the underlying security algorithms, trusting that nobody will find out about them and that people who do find out about them won't exploit them.
As you can see, this has very little to do with many common usages of the term.
And no, I will not battle you over it, really.
Well that's no fun ;-).
| [reply] |