Encrypting using XOR and a password

A popular way to encrypt files is to ask the user to supply a password and to use the characters of this password to encrypt the file. Usually the XOR operation is used to encrypt the data. This is an extremely insecure algorithm but despite this it is relatively widely used.

Vigenere cryptographic algorithm

This cryptographic algorithm is known as the Vigenere cipher. It is often used for low-security applications. The first byte of the file is encrypted with the first character of the password, the second byte with the second character, and so on. If all the characters of the password have been used, the next byte of the file is encrypted with the first character again.

To encrypt the byte with the character typically the XOR operation is used. This operation has the property that if you apply it twice with the same character, you get the original byte back. This makes it extremely easy to implement encryption and decryption.

The security of Vigenere

The Vigenere algorithm is very insecure. If Eve (the attacker) knows just one byte of the file, she can easily compute what the corresponding character of the password is. This allows her to also decrypt other bytes of the file for which that same character of the password was used, assuming she also knows how long the password is. But since many systems using this algorithm limit the password to six to eight characters, Eve can simply try out all possible lengths simultaneously. She can then try to guess other bytes of the file and so recover other characters of the password.

Eve can simply count which letter occurs the most often in the encrypted message and replace that one with the letter "e". She can do the same with other frequently occurring letters, or look for letter groups. For example, the letter "q" is almost always followed by the letter "u". If Eve knows which letter in the encrypted message corresponds to the letter "q", she immediately also knows which one corresponds to the letter "u". This allows her to discover at least parts of the key.

With many types of files, the first few bytes are always the same so that the operating system can tell what type of file it is. GIF images for example start with "GIF87" and Word documents start with "MSW". This is very convenient for Eve, because she can now immediately see which what the first five characters of the password are.

Additionally, passwords often consist of letters in all lower case and so do many files that are encrypted this way (because they are text documents). This results in patterns that are easily recognizable in the encrypted file. If Eve knows which characters of the file are lower case letters, she can simply try out all 26 possible letters to see which ones produce all-lowercase words and so easily guess the key.

One-time pads

There is one cryptographic algorithm that cannot be broken. This algorithm is called the one-time pad (OTP). In this algorithm, every character of the message is encrypted with a different character of the key. The key thus is just as long as the message, and if it is chosen completely randomly, it is impossible for Eve to crack the encrypted message.

Basically, a one-time pad is a Vigenere system with a key that is chosen randomly and with length equal to the message. However, it is extremely difficult to generate such a long, totally random key. Because it sounds good to have an "unbreakable" encryption system, some security programs advertise that they are using a one-time pad when they actually just have a Vigenere system with a long key.