-2

I am using standard encryption AES/CBC.

I wonder if I can invest some time adding my own custom encoding/decoding after the encryption just as an extra security layer.

Does it really add any value in case the public algorithm is broken and the key still not compromised?

Is unknown custom algorithm (encoding/decoding) secure because no one knows about it except me?

Can you please support with samples of attacks that may break my assumption?

Update.

I am aware how weak is Ceaser Ciphering. I am on this argument with a colleague. He is in favor of using AES then applying custom shuffling as extra protection.

My stand is that it does not add anything rather than performance toll. I can't seem to prove that argument, while he bases his on the fact that we are already using AES and that encoding would put extra effort on the attacker.

Thanks for the downvotes, it's a stupid question needs answers with solid proofs.

Amr Eladawy
  • 105
  • 2
  • 1
    Encoding is not encryption: https://en.wikipedia.org/wiki/Kerckhoffs's_principle . If an adversary can break your public key, how long do you think a custom encoding algorithm will slow them down? – bmm6o Oct 19 '17 at 15:45
  • Thank you, I know the difference between encoding and encryption. The point is that I am applying some sort of shuffling after the encryption. Does it really worth the effort? – Amr Eladawy Oct 19 '17 at 16:04
  • Somewhat related: Combining multiple symmetric encryption algorithms - implications? – e-sushi Oct 19 '17 at 19:37
  • 3
    This sort of thing bring to mind this analogy: "I'm not sure if this tank armor is quite strong enough; I know, I'll paste on some cardboard; that'll help..." – poncho Oct 20 '17 at 00:29
  • my encoding scheme is several times faster than Base64, and that is the only reason I use a custom scheme, performance – Richie Frame Oct 20 '17 at 02:48
  • 1
    @poncho That's an interesting analogy. Have you seen secondary /after market armour? Sometimes it's just a simple wire mesh yet it adds hugely significant additional protection. – Paul Uszak Oct 20 '17 at 10:32
  • it probably makes it worse because once they find you doing that, they will assume you made other noob mistakes and look extra hard as a result. – dandavis Oct 26 '17 at 02:53
  • 1
    I am trying to account for why a simple question like this would garner negative votes. As far as the analogy about vehicular armor goes, Paul in absolutely right. Wire mesh can make the incoming projectile explode early, which is a strong counter-measure to a shaped charge (which is what an RPG round basically is). How this principle could apply to cryptography is an interesting question. – Patriot Oct 02 '19 at 11:41
  • I was expecting solid answers with proofs why using multiple encryption is useless – Amr Eladawy Oct 02 '19 at 18:35

1 Answers1

2

Absolutely not as it's a violation of Kerckhoffs' principle and relies on security through obscurity which is rather hard to justify. Both have been widely discussed on this site. You have to assume that they know everything except the key.

As a stupid example, imagine that you're 13 years old and have developed a totally fab encryption algorithm that you think is unbreakable. You take every character and replace it with a character 13 places along the alphabet. And you keep it secret. You might feel pleased with yourself. Such a substitution cipher is easy broken at college level. Now say you're older and develop something much more sophisticated. Will it still be unbreakable by GCHQ and NSA? Just because you can't, doesn't mean that they can't.

And numbers work against you. If Amr encoding was indeed good and became popular, more people would want to attack it. This is what's happened with OpenSSL and wireless WEP. There only needs to be one chink in the armour and if many very clever people are looking...

Paul Uszak
  • 15,390
  • 2
  • 28
  • 77