
MisterSpock
Veteran
Joined: 17 Jan 2012
Gender: Male
Posts: 549
Location: Manchester, UK

20 Sep 2015, 8:16 am

I have created a script to encrypt data. I am aware that the massively prevalent advice is to not write your own encryption (and rely on it) unless you are a certified genius, but I was curious, so I did.

This thread is not necessarily solely about my encryption, but about encryption in general. My code takes an alphanumeric string (including standard punctuation) and produces an alphanumeric string with no apparent relation to the original string. Each iteration of the encoding produces very different outputs for the same input, even of varying lengths. I have yet to produce a duplicate output. The issue I am aware of is that if the process used to encrypt the string is known, it would be a simple case of brute-forcing the decrypt function to get back to the original string. Having coded it myself, I know that there are some obvious holes in the encryption methods.

This encryption relies on security through obscurity (STO), as no one knows my code, and using a (hopefully) complex series of obfuscation methods to prevent decryption by unauthorised parties. I don't mean to be egotistical, as this was merely a brain exercise, and I am entirely aware that the existing encryption "on the market" is far superior. I am not claiming this is some great new uncrackable code.

So, questions...
What do you think are the pros and cons of STO?
Are there any times in the real world where failing STO had major impacts?
If the encryption method remains unknown, what amount of effort is required to break the code? Are we talking Bletchley Park, or Sudoku For Kids?
Do you think you could break my encryption?



slave
Veteran
Joined: 28 Feb 2012
Age: 112
Gender: Male
Posts: 4,420
Location: Dystopia Planetia

22 Sep 2015, 3:22 pm

Congrats on your encryption.
I am not an expert so cannot comment.
There are those here who can, I hope they respond.
Good luck. :D



Rudin
Veteran
Joined: 7 Jun 2015
Age: 22
Posts: 1,046
Location: Southern Ontario

22 Sep 2015, 7:50 pm

STO is like hiding money under a tree such that only you know where it is and no one else. It is a better idea to first put it in a box that is locked and only you have the key because even if someone finds it, they can't access your money. Can they?


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneier


Rudin
Veteran
Joined: 7 Jun 2015
Age: 22
Posts: 1,046
Location: Southern Ontario

04 Oct 2015, 8:09 pm

Bump. I think this thread is very interesting and people should take a look at it at the very least.




Ichinin
Veteran
Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

23 Oct 2015, 4:09 pm

MisterSpock wrote:
Are there any times in the real world where failing STO had major impacts?


Been plenty over the years, just follow the security business and you get laugh after laugh. Most pathetic I've seen is hard-coded passwords in SCADA systems.

Quote:
If the encryption method remains unknown, what amount of effort is required to break the code? Are we talking Bletchley Park, or Sudoku For Kids?


Let me tell you a story: During WW2, codebreakers from the UK and one separately from Sweden analysed and broke German codes encrypted with the Geheimschreiber - that was called "Tunney". None of the code breakers had ever seen the hardware, which had 10 rotors and was much more complex than the Enigma (including the Shark), yet it was still broken.

This was in the 1940s and they broke it with pen and paper - does that say anything to you?

Quote:
Do you think you could break my encryption?

Given time, yes.

Security through obscurity is not a dead concept when it comes to security; it still works for short periods of time. Example: hiding your mobile phone temporarily on a bookshelf where no one can see it when you visit the bathroom.



0_equals_true
Veteran
Joined: 5 Apr 2007
Age: 43
Gender: Male
Posts: 11,038
Location: London

23 Oct 2015, 5:57 pm

Obscurity is not enough, you want the numbers in your favour as well.

Private key encryption assumes obscurity. It is based on only trusted parties knowing.

There are all sorts of tactics such as being a moving target, however these are secondary to putting the numbers in your favour.



NotThatClever13
Sea Gull
Joined: 26 Feb 2014
Age: 39
Gender: Male
Posts: 201
Location: Daydream

24 Oct 2015, 10:02 am

This is an old article but a lot of the points still remain valid. https://www.schneier.com/essays/archive ... _real.html Obscurity really only stops those who are not specifically trying to target you. Once someone with the appropriate knowledge and resources decides to try to break your security, it probably won't hold up long. Don't let that extinguish your interest however, just don't rely on non-peer reviewed and non-open source encryption algorithms for absolute security.



0_equals_true
Veteran
Joined: 5 Apr 2007
Age: 43
Gender: Male
Posts: 11,038
Location: London

24 Oct 2015, 4:16 pm

If they can't open the safe they may break the wall down.

If there is an easier option than cracking, that will be exploited.

Even relatively self-contained messaging has infrastructure and people that could be exploited.

Bletchley Park knew this well.



NotThatClever13
Sea Gull
Joined: 26 Feb 2014
Age: 39
Gender: Male
Posts: 201
Location: Daydream

25 Oct 2015, 1:10 pm

0_equals_true wrote:
If they can't open the safe they may break the wall down.

If there is an easier option than cracking, that will be exploited.

Even relatively self-contained messaging has infrastructure and people that could be exploited.

Bletchley Park knew this well.


Exactly this. Even if the encryption is strong the implementation may be flawed.