103

Normally I preach that rolling your own custom crypto algorithm is a bad idea. But will it really hurt if it's the outermost layer though? Or will it make security worse?

AES -> CipherText -> CustomEncryptionAlgorithm-> CipherText

I'm thinking that the extra layer will help. Let's say even if CustomEncryptionAlgorithm is bug ridden mess, it can't possibly make things worse. That's because AES output is already indistinguishable from random noise.

On the other hand, something tells me that the following is problematic

CustomEncryptionAlgorithm -> CipherText -> AES -> CipherText

Is it bad? and why?

Please don't comment on company resources spent on security vs obscurity etc (I agree security comes out ahead) I am more interested in understanding the cryptographic theory behind vulnerabilities in this approach.

user3280964
  • 1,162
  • 2
  • 8
  • 13
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/78252/discussion-on-question-by-user3280964-security-by-obscurity-is-horrible-is-secu). – Rory Alsop May 31 '18 at 13:52
  • 3
    I'm confused by the way that you've listed the workflows. Is the first workflow `var x = plaintext; var y = aes(x); var z = custom(y); send(z)` and the second is `var x = plaintext; var y = custom(x); var z = aes(y); send(z);` - or do I have it backwards? And could you elaborate on why you feel the two are different in terms of cryptographic strength because it's not clear why you feel that. – corsiKa May 31 '18 at 15:24
  • It is fine, as long as the homebrew encryption uses a separate key. Otherwise you risk your encryption algorithm somehow undoing the original encryption or leaking the key. – BonsaiOak May 31 '18 at 21:28
  • This is known as "defense in depth," and it's a very good thing. Obscurity can be a valid component of such a strategy; the problem lies in making it the *only* component. – Mason Wheeler Jun 01 '18 at 03:30
  • 2
    Cheap answer: as long as there's security and it's not bothered in any way, there's security. – EKons Jun 01 '18 at 18:17
  • 2
    I would say that the plain term explanation is that "Security from obscurity is always short lived". So if your application is still secure after the obscure part is reviled to the world, it is by definition still secure. Of course the real problem with home-brew is unwittingly leaking some piece of information; thus, unknowingly making it less secure. – Tezra Jun 01 '18 at 19:07
  • 6
    A custom encryption algorithm isn't "security through obscurity". It is that **if you rely on the fact of the algorithm's secret status** for security. "Nobody has heard of this algorithm, therefore it is secure" is security through obscurity. – Kaz Jun 02 '18 at 02:14
  • 3
    The biggest problem with obscurity is that it prevent peer review which is immensely useful in this field. – Thomas Jun 04 '18 at 22:47
  • 1
    I would recommend asking yourself a roughly analogous question: if you already have a good pistol for self-defense, can you cause problems in a real life situation by fusing your own hand-made components onto the gun with a blow torch? The answer is "yes, unless you really know what you are doing", and cryptography is similar. – mtraceur Jun 05 '18 at 04:18
  • I'm not sure the analogy fits. However, even if we go with it, then the question is "If you have a good gun for self defense in one hand, and a custom made weapon in the other, will that really hurt and if so, how?" So far the answer seems to be is that it depends on how foolish your custom weapon is. It might help but it might also kill you. The discussion of the various ways in which that can happen has been very useful for me so far. – user3280964 Jun 08 '18 at 17:00

16 Answers16

90

Don't roll your own crypto!

From a purely cryptographic point of view, any length-preserving bijective function cannot reduce security. In fact, even the identity function, defined as f(x) = x, will not reduce security, assuming the keys used for the standard cipher and your homebrew cipher are mutually independent. The only possible way it could reduce security is if your homebrew function does not use a different, independent key and leaks the key in the ciphertext, for example with fk(x) = x ⊕ k done on each individual block of input x, a classic XOR cipher vulnerable to known-plaintext attacks.

From a practical standpoint, there are gotchas that can matter. I mentioned length-preserving above for good reason. A compression function is still a function, and sometimes compression and encryption can lead to very bad results. This is partially why your second example, with your custom algorithm applied before standard encryption, is indeed worse. It can leak information about the plaintext through length. There can also be bugs in your implementation that result in other security vulnerabilities. From a purely theoretical point of view, they are out-of-scope.


It was pointed out to me in a comment that I may not be sufficiently emphasizing just how bad of an idea this is. While it may be fine in theory, the real world works differently. Actually using your own homebrew crypto is a very bad idea, no matter how you use it. The only time you should ever actually do this is if you are a professional cryptographer. Bernstein can do this. Rivest can do this. Rijmen can do this. You cannot. Don't shoot yourself in the foot and instead use proper algorithms.

forest
  • 65,613
  • 20
  • 208
  • 262
  • 4
    I agree. If there was an function such that `f(AES(x))` leaked any info about `x`, an attacker with access to cipher text could simply apply `f` herself. Indded, the existance of such a function would make AES unsafe. – Anders May 31 '18 at 13:41
  • 9
    I'm not sure I'm understanding *accidentally invent AES and set it to decrypt with the same key* correctly. If you're saying that the same key is going to be used for AES and CustomEncryptionAlgorithm, there's a decent chance CustomEncryptionAlgorithm might compromise the key itself, even if it's used to encrypt the AES ciphertext. – Dennis May 31 '18 at 15:23
  • 5
    Introducing additional complexity or obscurity is bad for maintenance. Someone (maybe you) will have to maintain this code / process in the future. Anything which hinders understanding is detrimental. Since it doesn't increase security in any meaningful cryptographic way, I'd argue complexity or obscurity for its own sake reduces maintainability, and hence indirectly, could be considered to reduce security in increased maintenance costs. – JesseM May 31 '18 at 17:44
  • I'm not sure about the veracity of the first part. The OP have `y = E(m, k)` in the first step and `z = E'(x, k')` in the second. It's possible for `E'` to be such that `x = z` for *some* `k'` (e.g. It can turn `k'` into `k` and then invert AES or it can be a less obvious dichotomy). In general, we don't know how to find such functions but do we have a proof they don't exist or one about their density? Since we already work under the hypothesis that AES is unbreakable, a daisy-chained cipher could only *lessen* or (at best) keep the original security. This seems a violation of Schneier Law – Margaret Bloom May 31 '18 at 18:36
  • 2
    @Dennis It was intended to be a non-sequitur to point out the absurd unlikelihood of creating a homebrew function that happened to be the identical of AES decryption with the same key as used for encryption hardcoded in it. – forest May 31 '18 at 23:22
  • Worst case is that the custom algorithm leaks the encryption key. This could be in a side channel attack or an error in the algorithm that lets you calculate the key. – OliverS Jun 01 '18 at 08:33
  • A thing to point out that in these cases you are assuming the keys to the AES and the homebrew are fully independent random variables. If there is any dependence you can easily lose security. – DRF Jun 01 '18 at 09:00
  • 2
    @Anders, I think the concern is not f(AES(x)) leaking information about x (which would indeed point to a mathematical vulnerability in AES), but f(AES(x, key), key) leaking information about the key; if the key was reused for both f and AES encryption rounds. – sehrgut Jun 01 '18 at 13:15
  • 2
    @sehrgut Ah, yes, that would indeed be bad. I just assumed `f` and `AES` would use independent keys, but it's not obvious from the question that it would be the case. Very good point! – Anders Jun 01 '18 at 13:21
  • 2
    Indeed, that would be very bad. While decent crypto, even if broken, doesn't have that problem, an amateur could easily create an algorithm which leaks key information even when encrypting uniformly distributed pseudorandom data. I've edited my answer to specify that the keys would need to be independent. – forest Jun 01 '18 at 13:24
  • "the worst case is that the attacker obtains the ciphertext": unless your cipher is self-inverting (like ROT-13), then the worst case is the absolute worst possible: the attacker obtaining the **plain** text! – NH. Jun 04 '18 at 19:23
  • This site, judging by the scope in the Help, is *vastly* more concerned with the practical application of security. Why are you de-emphasizing the major practical risks in favor of theoretical properties that we can't even be assured of without knowing what the "custom" algorithm is? -1 – jpmc26 Jun 04 '18 at 19:56
  • @jpmc26 I am not de-emphasizing the practical risk. The second half of my answer explains how badly this can go wrong, and even the first half of my answer explains that it is only acceptable from a _purely_ theoretic sense and should never be done in practice. What do you suggest I improve in my answer? – forest Jun 05 '18 at 01:21
  • @NH. Self-inverting for AES? – forest Jun 05 '18 at 01:21
  • 1
    @forest Anything less than, "This is an absolutely horrible idea that should not be attempted unless your custom algorithm has been battle tested by the best security experts for years" is de-empahsis. Home grown cryptography is notorious for containing vulnerabilities because it's so easy to get wrong. It's *that* bad an idea, and your answer fails to communicate the graveness of the risk. It's such a bad idea that even *mentioning* the actual cryptographic analysis is probably too much validation, but if you feel you must, then it should be crafted to scare away the attempt. – jpmc26 Jun 05 '18 at 02:13
  • 1
    @jpmc26 Thank you for the suggestions. I've edited my answer to add a prominent warning to re-emphasize how bad of an idea it is. Does it look good to you? – forest Jun 05 '18 at 02:35
48

There is a risk involved when you apply your custom encryption algorithm first.
This is based on the fact that an encryption like AES does leak information about the length of the plaintext.

Suppose the extremely hypothetical (and unpractical) example where you custom algorithm 'encrypts' a single byte plaintext like 0x40 into 64 zeros and a two byte plaintext like 0x02 0x00 into 512 zeros.

When you encrypt this using AES an attacker will still know the length of the custom encrypted result just by looking at the length of the AES encrypted text.
With this information the attacker can 'decrypt' this into the original plaintext without having the AES encryption key.

In summary: a very bad custom algorithm can indeed harm the security of a following AES encryption.

Jeff
  • 3,609
  • 4
  • 19
  • 23
  • 3
    That's an interesting example. Like you said "extremely hypothetical" – user3280964 May 30 '18 at 20:16
  • 34
    [Is it, really?](https://en.wikipedia.org/wiki/CRIME) – forest May 31 '18 at 01:53
  • 8
    You are right. This proves that if you apply the custom encryption first it's going to end badly. This doesn't answer the second (more important) part of the question. Do similar vulnerabilities exist when custom encryption is applied at the end? – user3280964 May 31 '18 at 05:13
  • 3
    @user3280964 Nope. From a purely cryptographic point of view, the worst that could happen with an independent custom encryption algorithm at the end is that it could be inverted and the attacker could obtain the AES ciphertext. – forest May 31 '18 at 23:23
  • 4
    @user3280964 Bear in mind that *more code* means *more security risk*, no matter what that code is. You can't *cryptographically* weaken soundly encrypted data by running your custom algorithm on top, but you *can* **practically** weaken the *system as a whole* if you have any bugs in all the code that implements your custom algorithm. – mtraceur Jun 05 '18 at 04:12
  • @user3280964 - When custom encryption is applied at the end, it may leak whatever inputs (keys, unintended memory accesses, etc.) it gets apart from the payload (where the payload equals the AES output). – Jirka Hanika Jun 05 '18 at 07:19
32

The first question to ask when assessing any sort of security system is "Who is the attacker, and what can they do?" At the low end, you're against an attacker who can just see the encrypted output of one of your messages. At the high end you're up against an attacker who knows the plaintext and ciphertext pairs of hundreds of other messages, who can coerce your computer into encrypting other messages with the same key, who can monitor the power lines to your building and measure the tiny variations in power draw as the encryption process proceeds, and all kinds of similar attacks. Standard encryption algorithms are vetted to make sure they're resistent even to these powerful adversaries.

If you use your own encryption first, even if the second layer is military grade encryption, you risk decreasing your security compared to just using the standard encryption.

For example, suppose that you are encrypting text. You first use a simple substitution cipher and then use your choice of heavy hitting algorithm. Unfortunately, substituion ciphers are inherently reliant on doing array lookups from private information (i.e. your plaintext and your key). This makes them vulnerable to timing attacks: because of the way CPU caches work if two letters in the plaintext are close together they will likely encrypt faster than two letters that are further appart. That doesn't sound like much information, but if an attacker can watch enough encryptions they can potentially work out what the plaintext is without having to crack AES or whatever you're using on top.

If your custom encryption layer does not interact at all with secret information: i.e. it works with data that has already been securely enough encrypted for transmission and doesn't touch the keys of the standard encryption, then it may be safe. At least, it won't be possible to bypass the standard encryption. There are still risks, though, because every extra piece of software carries additional risks. Perhaps a bug in your custom layer lets a remote adversary run arbitrary commands on your machine; then they could just email themselves the plaintext!

The take home message, then, is that having one lump of excellent security code that is well vetted and bug free like a standard encryption function can still be undermined if you put a buggy home grown program (of any sort, encryption or otherwise) onto the same system.

Josiah
  • 1,848
  • 9
  • 14
15

Simple. Don't do this.

First of all, Encryption algorithms are designed so that you, me, and everyone around us can look at it and try to break it. You can quite literally look a the math for AES. A lot of smart people have invest time in validating AES. This is a tenet of good encryption and why we can trust it.

Second, Obscurity is never a "Security" option. It doesn't provide any benefit. If you actually believe this, than I refer you to "Schneier's Law".

Anyone can invent a security system that he himself cannot break. I've said this so often that Cory Doctorow has named it "Schneier's Law": When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something. - Bruce Schneier, 2016

All you've done is:

  • Introduce unnecessary risk into your application
  • Increased debug time for issues
  • Added CPU time for a worthless function

The most basic principal in Security. Keep It Simple Stupid (KISS).

Shane Andrie
  • 3,810
  • 1
  • 13
  • 16
  • 5
    The reason why I'm considering this extra layer is to cover additional threat models. Let's say we have the following threat models: A) Bad actor with fully automated decryption/cracking capability of AES. B) Bad actor with capability A plus resources to manually decrypt things that fully automated method can't. For A I would argue that the extra obfuscation fully defeats that threat. By definition as soon as human eye balls and fingers have to intervene we are now dealing with threat model B. In threat model B you are likely to be ignored because of shortage of qualified cryptographers. – user3280964 May 30 '18 at 21:24
  • 8
    In other words AES defeats manual decryption efforts. Obscurity defeats mass-automated decryption. Combining the two covers both threat models. – user3280964 May 30 '18 at 21:28
  • 20
    Obscurity can keep the opportunist attacker away (one that does not attack because he has a target in mind, but is looking for the easiest targets). – rackandboneman May 30 '18 at 23:56
  • 2
    @rackandboneman Obscurity is not keeping them away. Good configuration management is. – Shane Andrie Jun 01 '18 at 14:09
  • 4
    Depends on what you mean by "obscurity" and what you're trying to protect against. Tinted windows in your car don't protect you from bullets, but they do protect you from random passersby seeing you pick your nose. – barbecue Jun 01 '18 at 18:42
  • 1
    Thank so much for the sanity, which is apparently in short supply. @user3280964 "Obscurity defeats mass-automated decryption." This makes no sense. If someone has gone to the trouble of collecting your encrypted messages, they're almost certainly not just some script kiddie who can be deterred by your unproven algorithm. Homegrown cryptography is rarely strong enough to withstand attack. If your custom algorithm is improperly constructed (**extremely** likely), then you've made your system weaker to the attacker. forest's answer **wrongly** assumes that your "custom" algorithm is safe. – jpmc26 Jun 05 '18 at 00:54
  • 1
    If I may offer a suggestion: Edit Schnier's law into your answer and make note that the only way we know whether an algorithm is secure is by letting cryptography experts try to break it for many years. Then point out that, having not gone through this process, the OP's algorithm is likely easy to break. – jpmc26 Jun 05 '18 at 01:00
9

Security by obscurity is good, sometimes even great, as long as it's not the only layer of security you rely on. But in your case I'm afraid it's not worth it.

Take GPG for example. If you use GPG to encrypt a file with AES, it will have a header that allows an attacker to recognize it as a GPG file encrypted with AES. If you then use custom encryption to encrypt the GPG file, you will get a file that might be unrecognizable. An attacker might wrongly suppose you are using whatever kind of encryption (and lose a lot of time for nothing), or might suppose you are using your custom encryption and then decide to use cryptanalysis techniques to analyze your file (and manage to decrypt it if he's good enough or your algorithm sucks enough). On the other hand, if you do it the other way around (first encrypt with custom algorithm and then with AES), the scenario doesn't change significantly after all.

That said, I'm afraid it is not worth it because custom encryption has a huge con anyway: you will have to store your encryption software somewhere, and your software is totally custom, meaning that if for whatever reason you lose it (lost or stolen backups, etc.) you are screwed and you won't be able to recover any of your data.

A better solution might be to use several layers of encryption using algorithms that are already known and available. For example GPG seems to support twofish, camellia, etc. I have no experience to know which algorithms should be considered the safest though, apart from AES. Anyway, just as an example, AES -> TWOFISH -> CAMELLIA is probably a much better solution that your AES -> CUSTOM_ALGO. Of course provided you use different strong passwords for each encryption layer!

reed
  • 15,538
  • 6
  • 44
  • 65
  • 5
    Or... They'll exploit a bug in your program and get a local shell or tamper with the file due to your custom crypto not using any authentication... – forest May 31 '18 at 01:39
  • 3
    @forest, how does the attacker know how to successfully exploit a bug in a custom program that they are not even aware of, have no chance to see it, and maybe have no chance to provide any input into it? Your logic could apply to any custom program then, or even any program at all. I think that if an attacker has the ability to exploit the custom program, chances are they are able to do it because of *other* very serious vulnerabilities that might allow him to steal the AES key anyway, regardless of custom encryption. So I think what you depict is an unrelated attack scenario. – reed May 31 '18 at 09:10
  • 3
    @reed What if, for example, the attacker is an ex-employee of the company that wrote this software? Or they are able to obtain and reverse-engineer a binary of the software? Whatever cryptographic algorithms you are using you should assume the algorithms themselves are public knowledge and only the key data is private, because it's much easier to *keep* key data private than it is to keep code private (that people have to be able to view, by necessity, to actually write it)... – Sean Burton May 31 '18 at 13:28
  • @SeanBurton, sorry, I was assuming the software had to be written and used by a single person, for private use. It isn't really clear to me where and when exactly the OP wants to use custom crypto. If custom crypto to be used by a whole company then yeah, it's a *totally* bad idea for even more reasons (like the one you mentioned). – reed May 31 '18 at 15:19
5

OPSEC?...

Putting additional barriers between critical information and an adversary is a good idea in general, provided it is done effectively.

Obscurity as a meaningful security measure is addressed by the principle of OPSEC (operational security). In short, this entails depriving an adversary of any information which could help them compromise your organization via either social or technical methods.

With good crypto, however, keeping the keys secret is sufficient to protect your data. Any additional technical layers must be justified on their own technical merits.

...Or bust

Cryptography is a very complicated mathematical discipline, and small mistakes can have enormous consequences. When dealing with cryptography, assume the value of an algorithm is virtually zero unless a trustworthy expert indicates otherwise.

In the US, the NSA and NIST are the official assessors of cryptographic algorithms and implementations, respectively. If you don't know where to look for opinions or want a reasonable basis for internal policies, start there.

In practice, wrapping good crypto is pointless. Once an attacker encounters good crypto, they will generally pivot and attack endpoints where the unencrypted data is exposed.

This could be the web server where users supply information, the SCADA system that feeds into your database, or the workstations where employees analyze or monitor the information. If you have a data pump that pulls information from a database and converts it to another format for delivery to a vendor/customer, that's another big target. Alternatively, they could go searching for your keys.

On the balance

Adding features to an application has a non-zero chance of introducing bugs and complicating troubleshooting. This can lead to extended downtime when something goes wrong or slower responses to security vulnerabilities in the application. Due to these factors, a security feature of little-to-no value is a detriment rather than an improvement.

If you wish to protect yourself against a potential attack on AES, then you should simply use another crypto standard based on a vetted algorithm rather than developing your own. You will get better security with less effort.

DoubleD
  • 3,882
  • 1
  • 6
  • 14
  • It might be helpful to describe "justified on their own technical merits" as serving a useful purpose which has nothing to do with cryptographic strength. For example, compressing files prior to encrypting them should not affect the difficulty of an attacker decrypting them unless the encryption is really bad or the compression process enables side-channel attacks, but may have the benefit of reducing the amount of data that needs to be transmitted. – supercat May 31 '18 at 17:34
3

There are two main issues with the security and obscurity mode.

  1. Obscurity can interfere with security. If you roll your own crypto it is very likely to be flawed. Even the best systems have flaws, despite the leading experts having worked on them for decades. The chances of you being able to do better than the security community is low.

  2. Few things are really obscure. There aren't many new ideas in crypto and whatever you do is likely to be a variation on something that has been done before, so it's not actually that obscure. Minor changes are something attackers are used to handling.

user25221
  • 291
  • 1
  • 2
  • 7
  • 2
    There may not be many _good_ ideas in crypto, but it's easy to come up with a _bad_ encryption scheme that's completely different from existing ideas. Even if it's crackable by a human in five minutes, as long as it can't be cracked by any existing automated attacks it still adds a bit of security if no human ever _bothers_ looking at it manually. – leftaroundabout Jun 01 '18 at 16:14
2

It's easy to see that the first variant (custom algorithm last) can't compromise the security of a well-known encryption, since if it could, it would be a method for cracking the well-known encryption. After all, attackers could also run the custom algorithm on a cyphertext encrypted solely with the well-known encryption if it helped them cracking it.

The other direction (custom algorithm first) could indeed compromise the security of the well-known algorithm by introducing redundancy into the plaintext input of the well-known encryption, which could potentially weaken that algorithm.

For example, take the following utterly flawed custom “encryption” scheme: repeat the input plaintext twice to produce a “cyphertext”. This leads to an extreme amount of added redundancy in the input of the second algorithm, which could weaken some real encryptions. (Whether it weakens AES or not is a different question.) This has actually happened with the Enigma, where operators repeated a three-letter sequence in its plaintext that made its cyphertext vulnerable to certain kinds of attacks. Quoting from the Cryptanalysis of the Enigma Wikipedia page:

The second problem was the repetition of message key within the indicator, which was a serious security flaw. The message setting was encoded twice, resulting in a relation between first and fourth, second and fifth, and third and sixth character. This security problem enabled the Polish Cipher Bureau to break into the pre-war Enigma system as early as 1932. On 1 May 1940 the Germans changed the procedures to encipher the message key only once.

Zoltan
  • 274
  • 2
  • 8
  • I can explain why "custom algorithm first" is a terrible terrible approach using one word: side-channel. – Ben Voigt Nov 09 '22 at 23:22
1

Solution 1 could potentially decrease security if you use the same secret key for encrypting AES and CustomEncryptionAlgorithm.

CustomEncryptionAlgorithm might allow the deduction of the secret key and therefore compromise AES as well.

If you create a unique key for CustomEncryptionAlgorithm you should be fine again.

Something like KEY = SHA-2(AES-CipherText)

OliverS
  • 131
  • 3
  • Should *never* use the hash of data an attacker has - like the ciphertext - as key material. Even if the attacker is only given the CustomEncryptionAlgorithm output and not the ciphertext, the application of the SHA-2 to the data and its subsequent use as a key can be used to attack the cipher. Use a proper KDF. – davenpcj Jun 14 '18 at 19:36
1

The problem is that it is possible your custom encryption function has a bug and it somehow reduces the security. The only way for you to be sure that your CustomEncryptionAlgorithm isn't reducing your security is to have researchers who are smarter than you, me, and the rest of your team combined to pour over it and check your work. But then it isn't any way obscure at all.

To make an extreme example:

public string CustomEncryptionAlgorithm(string plaintext) {
    var ciphertext = plaintext.shuffle();
    return "password";
    return ciphertext; // ya ya. I know. You'd never make a bug that obvious.
                       // tell it to the guy who did the 'goto bug' at apple
}

You'd get something like this as a result if you used this scheme:

  • AES -> CipherText -> CustomEncryptionAlgorithm-> CipherText :

    'abcABC123!@#' -> 'password'
    'correct_horse_staple_battery' -> 'password'
    'password' -> 'password'
    

On the other hand, if you used the other scheme:

  • CustomEncryptionAlgorithm -> CipherText -> AES -> CipherText

    'abcABC123!@#' -> '8ZnO44trPK48kqr3rDxkdQ=='
    'correct_horse_staple_battery' -> '8ZnO44trPK48kqr3rDxkdQ=='
    'password' -> '8ZnO44trPK48kqr3rDxkdQ=='
    

Slightly better, maybe. But still not any good in the slightest.

Shane
  • 160
  • 1
  • 7
  • I disagree. The 2 concerns are: (1) OP implements a non-invertible encryption algorithm which leads to data loss; and (2) the encryption algorithm uses data other than its plain text input. For this purpose, ROT(k) is OK because it adds an extremely small positive amount of security. – emory May 31 '18 at 18:19
1

As has been said: Who is the attacker?

This is really what you must find out and define first!

Is it your technophobic grandma who has problems with the TV remote control? Your little (and very nosy) sister? Your dad, who actually programs and administrates computers --- and knows how to remove a hard drive? The local school bully who works you over? Organized crime? A company which can spend millions on renting cloud computers for a cracking attack? A third world dictator? FBI, NSA or equivalent agencies in your own country? Some world power that has an excellent spy service and will not mind body bags to get you?

Second: What extra, real security would your 'encryption'1 give you against your attackers? Unless you can make a very good point why encrypting the ciphertext again[2] is needed or very helpful, you should not do so. More complexity does not mean more security, it means more bugs and more chances of things not working properly?

And why won't attackers not break or sneak into your house and place some spy software or key logger on your computer? Are you sure your encryption will be any help against rubber hose cryptoanalysis[3], or if there is no chance of that, who is powerful enough to break AES but unable to reach you or your dearest and nearest?


  1. Let's just say your chance of getting the encryption strong and secure is about as high as my chance to walk on the moon; with encryption, not only must everything work with the right key, but nothing may work without it ...

    I do not know of any cryptosystem built by someone outside the field that did not crack when being checked by experts, and how many strong encryption systems invented by the best experts have been broken?

  2. One example would be the communication in WWII from Germany to the submarines. Some very secret communication was "officer only", which was encrypted, meta-information was prepended and both were then encrypted by the regular key and sent. On receiving the radio/Enigma operator would decrypt the message and pass the meta information and still encrypted block to the officer. (see here for example)

  3. "in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive.”

Wolfgang
  • 11
  • 1
0

Short answer: It can be, but not in your example.

Long answer: Other answers have adequately covered why your example is not all that helpful and can hurt. That being said, obscurity can be very helpful. Case in point: Don't put SSH on port 22. If you change from 22 to 2222, you will have a tiny fraction of the brute force attempts you would otherwise. If you change to port 10000+rand(1,55535) they'll likely disappear completely. Another example is port knocking. Basically, obscurity is mostly useful in the connection process, not in encryption or passwords.

Dessa Simpson
  • 295
  • 3
  • 14
  • Do **not** put SSH SSH on 2222 or any port above 1024. Doing so will bind it to an unprivileged high port. – forest May 31 '18 at 23:30
  • 2
    @forest So? I know of no ill effects of that. – Dessa Simpson Jun 01 '18 at 01:14
  • It means that an unprivileged user can bind to it, which allows a local DoS (crash, etc) against the SSH daemon to enable the attacker to bind their own daemon and exploit the client. See [this](https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/) for an example of why it's a bad idea. The same applies to other daemons like the Apache httpd. That's why all these privileged daemons bind to low ports. – forest Jun 01 '18 at 01:18
  • 2
    In principle this is right, but usually ssh does very strict key checking alerting you if something is wrong. And I never saw a crashed ssh daemon. And from experience I can tell that even port 2222 (which may be common for this purpose) decreases the number of attacks to absolutely zero (since many years). But you can use another privileged port which will not be used by anything you want to run. – allo Jun 04 '18 at 08:00
0

It's bad, bad, bad.

There is an anecdote from some Far East mobile protocol for SIM initialization or something similar, that used a combination of RSA (good, secure, and strong) and something homebrewed.

The decisive weakness was not only the homebrewed "additional" encryption. But the problem was that in fact there was a special case when the additional method was associative with RSA, which caused partial key bleeding. I don't remember details, as I was told them as a lecture anecdote many years ago.

But the point stands: with an improper homebrew addition to an otherwise secure protocol you might make the protocol weaker than its original version. So, that's a major no go.

Dessa Simpson
  • 295
  • 3
  • 14
0

You refer to the second algorithm as obscurity, so you seem to assume it does not add any security.

If it actually does not add security, why use it? Use the second password in addition to the first one for the aes encryption. A password twice as long is much more secure than two passwords (example: 2^2+2^2 = 4 vs. 2^4 = 16), especially when the second algorithm is insecure anyway.

allo
  • 3,315
  • 11
  • 24
0

If done properly: sure. The question is how do you know it's proper? You certainly can write something that leaks information through various layers. Most obvious one is length and repetitions. Also using the same key might be problematic.

It's just too hard to tell what's proper and whatnot. Sure, you could argue that using ROT13 before AES makes it a little bit secure and my intuition would say... well it at least can't hurt but I don't actually know.

My intuition would say that if you apply an algorithm that produces output indistinguishable from randomness while not changing the length and then apply AES it at least shouldn't reduce the security of AES.

mroman
  • 555
  • 3
  • 9
0

Obscurity is a part of a security (general), and is orthogonal to the security (AES encryption in your case). Obscurity defends against different threats than crypto. Take passwords for example - crypto hashes are required to prevent leaking plaintexts from server, TLS prevents from eavesdropping network traffic, while obscurity being a password form filling with [*******] prevents from peeking your plaintext by random spectator. So you cannot do security by obscurity (only), but security with obscurity is usually the way to go. In real world the obscurity means hiding the metadata, e.g. mailing with BCC instead of CC/To or blocking 3rd party cookies.

Tomasz Pala
  • 139
  • 5