-2

I am wondering if AES-128 and the likes were once broken and if they were broken because people knew they were trying to break AES then why don't we create our own personal algorithm to encrypt the data and let the intruders wonder which algorithm was used?

  • 1
    This question already has a good set of answers here http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology/2210#2210 but basically the answer is that designing encryption algorithms is hard and you are very likely to do it badly. Even experienced well funded people make mistakes with crypto – Rory McCune Aug 22 '15 at 09:38
  • Let's suppose if I create something as simple as which swaps the bytes in a data file. How can anyone else read it without knowing if a swapping algorithm was used? – user158421 Aug 22 '15 at 09:42
  • 3
    there's a whole field of study dedicated to analysing and defeating unknown encryption algorithms, it's called cryptanalysis https://en.wikipedia.org/wiki/Cryptanalysis – Rory McCune Aug 22 '15 at 09:44
  • 1
    @user158421 just because you can't break it yourself doesn't mean someone else smarter than you can't either. – tangrs Aug 22 '15 at 11:57

1 Answers1

1

You could create a proprietary encryption algorithm, but to ensure that it is secure you would need to make it public, so it can be properly tested. (bar the secret key obviously).

Security through obfuscation is not recommended. This is the basis of Kerckhoffs's principle.

"The principle goes as follows: A cryptographic system should be secure even if everything about the system, except the key, is public knowledge."

Read more detail here; Kerckhoffs's principle

TheJulyPlot
  • 7,669
  • 6
  • 30
  • 44
  • What I don't understand is why go through such complex process if you can simply hide the data through techniques such as swapping, altering, or mixing original data with custom data etc. ? – user158421 Aug 22 '15 at 10:12
  • There are two factors at play here, the cryptographic algorithm, which will encrypt the information and obfuscation which is a blurring of the mechanisms used to implement the cryptography. You have to assume that the enemy will discover the mechanisms used to encrypt while still keep the information in the data secure. To do this the cryptography must be tested, to properly test it and for it to be trustworthy you should make it public. If it is for your own personal use then fine, go ahead, but how could you be sure that someone hadn't broken your encryption? – TheJulyPlot Aug 22 '15 at 10:16
  • Even more basic than to ensure it is secure, in order to use it for communication (unless you are only using it to store your own private data) you are going to have to share the algorithm with your communicants. Either you create one algorithm for each communicant or you basically make it public. Good luck getting all your communicants to install your custom crypto software. – emory Aug 22 '15 at 17:19