# How aren’t all cryptography algorithms of the same strength

93 views

I have been researching cryptography and this question just came to mind, if someone intercepts a cyphertext and doesn’t know the algorithm used, then for all he knows it could be using the strongest or the weakest algorithms out there

In: 0

Example:

You receive my encrypted message and it looks random to you.

Now you want to brute force it. There are exactly 26 ways to encode it with a rotational alphabet cipher, and there are 100 trillion ways to encode it with some kind of PRNG based xor encryption.

Wich one do you try first? Exactly, you try the one with fewer possible keys. So if I use a bad encryption algorithm it’s easier to crack because you can try them all pretty quickly before you move on to the difficult ones.

And for very bad ones like the alphabet rotation the shape of the message might even give away information about the type of encryption used. (Frequency analyses reveals there are unusually many Qs in there? Well, guess we found our E)

Also it’s best practise to assume the attacker knows the encryption method you used. I mean, if you do communication with a web server he might get the hint that you use the https protocol.

You’ve just discovered One-Time Pad, a completely unbreakable encryption technique. There are an infinite number of possible answers, and therefore you can’t possibly figure out what the plaintext is without additional information.

This doesn’t matter in practice because we use specific protocols to communicate that are known (or can be easily discovered) by attackers. If you used a bad algorithm and relied on Security Through Obscurity to protect your information, a single leak means that all your messages are compromised.

First, one of the fundamental principles of cryptography is you assume that the attacker knows what algorithm is being used and how that algorithm works. Given that assumption, not all algorithms are as strong.

Second, cryptographic algorithms are standardized and popularized. Few people out there are going to be designing bespoke algorithms for personal use.

Lastly, depending on the scenario, it would be somewhat trivial to determine what algorithm is being used, especially across open channels. For example, secure web traffic involves the client and server negotiating, in public, what algorithm to use and what options to use it with. This is all in plain text so would be easy enough for an attacker to determine.

I asked this question 10 years ago and got probably the best insight about cryptography I’ve ever encountered, from the cryptographer who later created BearSSL. It’s worth just reading (top response):

https://security.stackexchange.com/q/24449

A more direct answer is that the attacker just starts trying the most likely attacks against the most likely candidates. And if you were using one of the weaker ones, that’ll get guessed first.

Often the “container” that the encrypted data is in will give clues about which algorithm is used, either because it supports different kinds and therefore has to indicate which is being used (like TLS does) or because the attacker knows where the encrypted data came from and can reason from there.

But as the answer from the linked post said, doing encryption properly is about gaining security through *secrecy* rather than *obscurity*. You want to only depend on secrets you can actually keep, not secrets that you’ll inadvertently give away. Proper encryption only uses actual secrets, never just obscured details.