What’s wrong with XOR encryption?

by

The problem with XOR encryption is that for long runs of the same characters, it is very easy to see the password. Such long runs are most commonly spaces in text files. Say your password is 8 chars, and the text file has 16 spaces in some line (for example, in the middle of ASCII-graphics table). If you just XOR that with your password, you’ll see that output will have repeating sequences of characters. The attacker would just look for any such, try to guess the character in the original file (space would be the first candidate to try), and derive the length of the password from length of repeating groups.

Binary files can be even worse as they often contain repeating sequences of 0x00 bytes. Obviously, XORing with those is no-op, so your password will be visible in plain text in the output! An example of a very common binary format that has long sequences of nulls is .doc.

More Related Contents:

  1. Fundamental difference between Hashing and Encryption algorithms
  2. Difference between Hashing a Password and Encrypting it
  3. Salt Generation and open source software
  4. Why is security through obscurity a bad idea? [closed]
  5. SHA512 vs. Blowfish and Bcrypt [closed]
  6. Encrypting/Hashing plain text passwords in database [closed]
  7. Are HTTPS headers encrypted?
  8. The necessity of hiding the salt for a hash
  9. Password hashing, salt and storage of hashed values
  10. Why is using a Non-Random IV with CBC Mode a vulnerability?
  11. What algorithm should I use to hash passwords into my database? [duplicate]
  12. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  13. Differences Between Rijndael and AES
  14. Is it worth encrypting email addresses in the database?
  15. Should I impose a maximum length on passwords?
  16. MD5 security is fine? [closed]
  17. Two-way encryption: I need to store passwords that can be retrieved
  18. How can pass the value of a variable to the standard input of a command?
  19. I need to securely store a username and password in Python, what are my options? [closed]
  20. How can bcrypt have built-in salts?
  21. Has reCaptcha been cracked / hacked / OCR’d / defeated / broken? [closed]
  22. Why are porn sites appearing in my Google Analytics data?
  23. Storing credit card details
  24. How to Secure Android Shared Preferences?
  25. Is there any possible ways to bypass cloudflare security checks?
  26. Send mail via Gmail with PowerShell V2’s Send-MailMessage
  27. Using Symfony2’s AccessDeniedHandlerInterface
  28. What’s the purpose of Django setting ‘SECRET_KEY’?
  29. Keygen tag in HTML5
  30. Understanding CSRF

Leave a Comment