[WEB SECURITY] a new 'Secret Key' Cryptographic Algorithm ~ any analysis/suggestions/weakness will be helpful ~ Variation of One-Time Pad

Michal Zalewski lcamtuf at coredump.cx
Mon Apr 25 17:35:39 EDT 2011


> In this variation, entire one-time pad can be generated in a pure random way just using Key and Data... no (pseudo) random number generators, salt and IVs required.

As I understand it, your algorithm can be paraphrased as:

1) Start with a random string as a key. For clarity, let's call it
original_secret. It's hardcoded as "ABK\0" in your example (I'm not
sure you understand ASCIZ here).

2) Copy the original_secret to new_secret using strncpy.

3) For every input character (let's call it in_chr), you calculate
new_key = secret[pos] ^ new_secret[pos]. The outcome of this XOR will
be always zero during the first pass, leaving strlen(original_secret)
bytes "unencrypted".

4) Compute out_chr = in_chr ^ new_key and output it.

5) Substitute new_key[pos] with the previously calculated output, out_chr.

6) When you hit the end of new_secret, reset pos to zero and go to 3.

I am half-hoping that this is a joke, but if not: the first bytes of
your output will be identical to input, and all the subsequent ones
will trivially depend on the previously seen data.

/mz
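
Added example, not part of the original message and not the original poster's code: a C rendering of the six steps as paraphrased above, checking both observations (the first strlen(original_secret) bytes pass through unchanged, and every later byte's pad is the fixed key XORed with already-public output). It assumes step 5 writes out_chr into new_secret[pos]; the function names and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Steps 2-6 as paraphrased in the message. Assumption: step 5 stores
 * out_chr into new_secret[pos]. Returns -1 on an unusable key length. */
static int toy_encrypt(const unsigned char *secret, size_t klen,
                       const unsigned char *in, unsigned char *out, size_t n)
{
    unsigned char new_secret[64];
    size_t pos = 0;
    if (klen == 0 || klen > sizeof new_secret) return -1;
    memcpy(new_secret, secret, klen);                          /* step 2 */
    for (size_t i = 0; i < n; i++) {
        unsigned char new_key = secret[pos] ^ new_secret[pos]; /* step 3 */
        out[i] = in[i] ^ new_key;                              /* step 4 */
        new_secret[pos] = out[i];                              /* step 5 */
        pos = (pos + 1) % klen;                                /* step 6 */
    }
    return 0;
}

/* Number of leading output bytes that are identical to the input. */
static size_t leaked_prefix(const unsigned char *in, const unsigned char *out, size_t n)
{
    size_t i = 0;
    while (i < n && in[i] == out[i]) i++;
    return i;
}

/* 1 if for every i >= klen: out[i] ^ out[i-klen] == in[i] ^ secret[i % klen].
 * The per-byte pad is secret[pos] ^ (earlier output), so removing the public
 * part leaves a short key repeated over the message, not a one-time pad. */
static int reduces_to_repeating_key(const unsigned char *secret, size_t klen,
        const unsigned char *in, const unsigned char *out, size_t n)
{
    for (size_t i = klen; i < n; i++)
        if ((out[i] ^ out[i - klen]) != (in[i] ^ secret[i % klen])) return 0;
    return 1;
}

int main(void)
{
    const unsigned char key[] = "ABK";                 /* strlen is 3 */
    const unsigned char msg[] = "transfer 100 to bob"; /* constructed sample */
    unsigned char ct[sizeof msg];
    size_t n = strlen((const char *)msg);
    if (toy_encrypt(key, 3, msg, ct, n) != 0) return 1;
    printf("bytes output unchanged: %zu\n", leaked_prefix(msg, ct, n));
    printf("rest is repeating-key XOR: %d\n", reduces_to_repeating_key(key, 3, msg, ct, n));
    return 0;
}
```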



