Custom encryption (and decryption)

I just made a custom encryption/decryption script, but I don’t know whether it is a bad practice to do so (I read it is a bad practice on google) because of it being “too weak” but how someone would know how to decrypt if it is too “custom”??
here is a little preview of encrypting this message “aaaaa” 10 times

🝅🝕╒ℕ🜨⏥╒🜙⏥
🜌🜓⏨◙🝔◭◙🜗◙
🜘🜳┏₽🜨₻₵🝏₻
🜂🝔∭╫🜅┻⎞🜯∭
🝓🜯◖◑🜏◖⏎🜑◖
🜡◯◄🝕◯◯🜕⏖
🜉🜁‰┿🜗┿‰🜬ℛ
🜆▵┚🜶▰℟🜕▵
🝋🜄▊ↂ🜙ↂ▊🜡⏤
🜣🜝╂┲🜾◘┋🜉◘

(also decrypting any of these give back “aaaaa”)

now “this is a message” which becomes

🝖🝃╠▻🜿₭╂🜇⏤▜🜎╔⏤🜷▇⏞🜼┵◶🜝┲┲🜑▇‿🝉⁑

do you think these are decryptable if you didnt know how they are encrypted?

(each letter has a possibility to become 400 special different sybmols)

If there are 400 combinations for each letter, I would say you’re good. Just make sure that only you have the key to decreipt the text.

The key for this encryption would simply be the decoder system since it is private but im also thinking on making a key system for it, but thanks for letting me know!

If you cannot prove that your own encryption approach is stronger than, for example, sha256 then it’s 100% bad practice because you’re making your system less secure than it could easily be.

Don’t underestimate the expertise of talented mathematicians, hackers, reverse engineers and so on. They have a lot of strategies at their disposal to break encryption.

Let’s use an example to show how a seemingly strong encryption approach can easily be defeated if you have some experience in the field.

A naive encryption algorithm would be to XOR your input message with a random binary string. How could you possibly decrypt such a message? Let’s say your message to encrypt is hey which is 01101000 01100101 01111001 in binary and the random binary string you use to XOR it is 10001101 00011110 10110101. Your encrypted message would become:

  01101000 01100101 01111001       (hey)
  10001101 00011110 10110101   ⊕   (yourKey)
  -------------------------------
= 11100101 01111011 11001100       (hey ⊕ yourKey)

Pretty strong right? Well… only until you encrypt a second message using this approach, because with some simple math you can cancel out two XOR operators. Let’s encrypt you using the same method.

  01111001 01101111 01110101       (you)
  10001101 00011110 10110101   ⊕   (yourKey)
  -------------------------------
= 11110100 01110001 11000000       (you ⊕ yourKey)

If we XOR these two encrypted messages, we get hey ⊕ yourKey ⊕ you ⊕ yourKey where ‘yourKey’ is the binary string we use during encryption. Applying XOR on two identical variables cancels those out, so this simplifies the formula to hey ⊕ you. Now if you XOR that with you you get hey back (uh-oh!):

  11100101 01111011 11001100       (hey ⊕ yourKey)
  11110100 01110001 11000000   ⊕   (you ⊕ yourKey)
  -------------------------------
= 00010001 00001010 00001100       (hey ⊕ you)

  00010001 00001010 00001100       (hey ⊕ you)
  01111001 01101111 01110101   ⊕   (you)
  -------------------------------
= 01101000 01100101 01111001       (hey)

There are a lot of other common pitfalls, like using a Caesar cipher to encrypt your data which can be decrypted by a computer within seconds. There’s 0 reason to not just use open source encryption methods which have been mathematically proven to be strong.

If you’re just doing this for fun however, it’s all fine. But if you’re going to store sensitive information please just look up industry standard encryption algorithms to use.

hello! thanks for your feedback

you stated sha256 as a “encryption” function but it is a hash function meaning it cant really hide sensitive information or any information based on the CIA Triad it is used for the Integrity of the data, in my case the one I have made is an “Asymmetric” Encryption which hides the message in a unreadable format.

example of a long sentence encrypted with my encryption(just showing that the size is not fixed like sha256)

🝙🝁◮▴🝋╅┻🜓▟₭🝖┻℘🝓╫┽🜥€▓🜀‱╷🝐⁊◫🜱║◝🜿⎹◦🜇◙┻🝗▐║🜘┇‱🜻◤₰🝋∂◈🝁∂┃🜫∈⎞🜕┹╌🝓▩╛🜖€╆🜪◆℘🜕┥⁐🜄▘◉🜂◝⁕🜐┻╣🜨⁆◶🜳┇┥🜛⁐⎛🝂┹▟🜂┟◝🜇┻▩🜈╅┄🜒◝▞🝂℘◝🜒╞⎞🝆ℑ⎺🝘▜▟🝍▓┄🜂⎺◢🜪∭▸🜎₼€🜑┹⏧🜣⁆₷🜬┽┾🜾┗†🝇⁑┥🜀╫∂🝂⁕₯🜰╞◁🜉◁╞🜗ℑ∭🜑╋▜🝍℠⎞🝒₷┄🝏┻℘🝃∁∁🝙▩₷🜼┉℘🜵┊€🜗⁑┟🜆—▛🜋╫◩🜗▞⏧🜞⎞₷🜍╉┻🜯◜◷🜃⁑₡🝖₭┰🜷◆┽🜳⏧╷🝑⁇⏝🝗┥⎛🝉◭┻🜯╉€🜫◕☂🜣◫┻🜓◦‱🜀⎺⎞🜈₷◕🜻╷╞🜒▻◆🜾⁆∂🜝╛◫🜟┥┻🜑⏝⁇🜻┗╀🝅┎┹🜴▸€🜎▨⎺🜷◢⎞🜹▧╼🜹‒∂🜾╀▽🜂▘◫🜿┻║🜤₭⎞🜽┛┥🝃▟╷🜰‒╞🝈┨┗🜝€┄🜤∭╡🜈₦┒🝘┋⎞🝀┺◙🜂┻℘🝛∎◁🜎╫╃🜀▞␢🜘┻⎹🜁⏧╉🜁┗℘🝁⎞⁆🜭◫┽🝄⏧┊🜔◉‽🜭◫▨🝗₳∭🜙╉║🝊⎷╣🜐▨╞🜸╫▼🜬╫╡🝚╁┲🜲┻◦🜥◶┻🜟∂┹🜾┑╞🜉▆┻🜗◉╷🝛⎞₷🝊┄╛🜠▽∭🜙␢╣🜓∁₰🜒▟☂🜺℘┊🜥║⁑🝑┨₡🜢◎╫🜟◥◉🜗▇◉🜌▸∂🝅▆║🜉╅

Im not sure on what basis encryptions are considered strong , but one thing Im confident about with mine is that it contains a total of 492 special symbols, to the best of my knowledge, this should make it more challenging for decoding or cracking programs, as they typically aren’t programmed to handle such a wide variety of characters.

Live example of trying to decrypt/crack the encrypted message I sent above using a famous decryption tool called azd(decrypt)

Regarding the strongest encryption tool for encrypting messages is AES 256-bit encryption, but even for that the size is fixed for example AES 256-bit encrypts only 16 bytes, this means that for larger messages, you need to apply a mode of operation, such as CBC (Cipher Block Chaining).
I tried using AES 256-bit in Roblox I had difficulties at first and then it turned out that it would take time each time encrypting which was not efficient for what I had in mind.

about the whole process you did (which I appreciate), I would be happy to see a similar process be done with a real strong encryption tool, and would it help with the strength of the encryption if the whole encryption tool with the decoding for it were private together.

While the output certainly looks obscure and complex which gives an impression of strong encryption, the actual strength of a encryption algorithm isn’t solely based on its complexity or custom nature.

Security generally relies on several factors such as algorithm’s strength, key management and implementation. Custom encryption algorithms that haven’t been properly tested by experts can have vulns that make them weak.

While it may appear secure because of the custom symbols, without a good idea of the algorithm and key management its hard to say whether or not its secure. It all depends on the use cases, if this is going to be used to encrypt private data I’d stick with the standards like aes, but if its for something like a anti cheat, this should be fine as simply just sending the byte code of data is enough to throw off most exploiters.

Overall your relying on something called security through obscurity as long as the actual encryption algorithm isn’t exposed it would be difficult to decrypt, but aes is open source and is constantly being tested which is what makes it so secure, as long as you don’t have the key it is impossible (for now anyway) to decrypt.

hello! thanks for your feedback

have u tried using AES 256-bit in Roblox? or maybe AES-128 and if yes, did it take time?
I only managed to get the AES 32-bit working with the right speed that suited what I had in mind, I would personally choose AES if it wasn’t for the speed of it.

what would be called vulnerability for a custom encryption tool that doesn’t work with keys because Ive heard vulnerbilities mostly come with the keys?

I personally have used this

While not getting too deep into it, one example would be poor implementation this could include overflows, input validation issues, or other programming errors that could be exploited.

Another would be lack of authentication, encryption alone does not guarantee the integrity or authenticity of the data, especially if there isn’t a tool that provides some way for data authentication which means it could be vulnerable to tampering or spoofing attacks.

While I can see your logic of not wanting to use keys, you have to understand how crucial keys are for encryption. Keys are used to scramble the plaintext into ciphertext during encryption. Without the correct key, it should be computationally infeasible to decrypt the ciphertext even if they have the encryption algorithm.

Keyless encryption is like securing a treasure chest with some sort of complex puzzle lock; the valuables inside are safe as long as the puzzle remains unsolved.