Question

Is it possible to bruteforce the standard XOR cipher?

Knowing that this:

*#(I@KI

is encoded with a XOR function

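#include <string>

// sKey is the key string held by CStringCoding (its declaration is not shown in the question).
std::string CStringCoding::Xor( const std::string& strIn )
{
    std::string sOut = "";

    // XOR each input byte with the key byte at the same position, repeating the key.
    for(std::size_t loop = 0; loop < strIn.size(); loop++)
    {
        char cCharacter = static_cast<char>(strIn[loop] ^ sKey[loop % sKey.size()]);
        sOut += cCharacter;
    }

    return sOut;
}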

Can I brute-force that with a classic wordlist approach?

I was thinking of:

Generate a Wordlist KEY

XOR the *#(I@KI with a KEY to DECIPHER it and obtain a STRING

XOR the STRING with a KEY to CIPHER it

Compare newly CIPHERED STRING with the INPUT CIPHERED STRING

If they match, the KEY has been found

I didn't test it, just asking before I take action and spend too much time doing something that won't work.

Thanks.


Solution

Assuming you are encrypting meaningful human-readable text, it is possible to break this XOR cipher if the attacker has:

  1. ciphertext encoded with key reuse (e.g. loop % sKey.size() )
  2. 2 ciphertexts encoded with the same key

Frequency analysis can break both cases.

But it is fine to XOR plaintext with a truly random key of the same length as the message. It will be an unbreakable cipher: the One-Time Pad.

OTP is immune even to brute-force attacks. Trying all keys simply yields all plaintexts, all equally likely to be the actual plaintext.
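
Added example, not part of the original question or answers: the compare step proposed in the question accepts every candidate key, because XOR-ing twice with the same key always returns the input, and with a key as long as the message any same-length plaintext is reachable, which is the One-Time Pad point above. The function names, sample keys and sample plaintexts are constructed for illustration; `xor_with_key` mirrors the question's `Xor` with the key passed as a parameter.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Same repeating-key XOR as the question's CStringCoding::Xor, with the key
// passed in as a parameter (assumption: the original reads it from a member).
std::string xor_with_key(const std::string& in, const std::string& key) {
    if (key.empty()) return in;  // guard the modulo against an empty key
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i)
        out += static_cast<char>(in[i] ^ key[i % key.size()]);
    return out;
}

// The check proposed in the question: decipher with the candidate key,
// re-cipher with the same key, compare with the input ciphertext.
bool round_trip_matches(const std::string& ct, const std::string& candidate) {
    return xor_with_key(xor_with_key(ct, candidate), candidate) == ct;
}

// How many candidates the round-trip check accepts (it accepts all of them).
std::size_t count_accepted(const std::string& ct, const std::vector<std::string>& keys) {
    std::size_t n = 0;
    for (const auto& k : keys) n += round_trip_matches(ct, k) ? 1 : 0;
    return n;
}

// For a key as long as the message, any same-length plaintext has a key
// that produces it: key = ciphertext XOR wanted plaintext.
std::string key_for(const std::string& ct, const std::string& wanted) {
    return xor_with_key(ct, wanted);
}

// Plaintext-side test (printable ASCII); both constructed plaintexts pass it.
bool printable(const std::string& s) {
    for (unsigned char c : s) if (!std::isprint(c)) return false;
    return !s.empty();
}

int main() {
    const std::string ct = "*#(I@KI";  // ciphertext from the question
    std::cout << count_accepted(ct, {"a", "key", "zzzz"}) << " of 3 constructed keys accepted\n";
    std::cout << xor_with_key(ct, key_for(ct, "HELLO!!")) << " / "
              << xor_with_key(ct, key_for(ct, "GOODBYE")) << "\n";
}
```

A usable acceptance test has to judge the recovered plaintext, not the re-encrypted ciphertext, and for a 7-byte message with a 7-byte key even that cannot single out one answer.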

OTHER TIPS

What do you mean by an "XOR cipher"? As @varren has said, the One Time Pad is unbreakable. However, most XOR ciphers in actual use are not OTPs, but Stream Ciphers, such as RC4. Those ciphers are breakable because the key is (generally) shorter than the message and the keystream is not truly random but pseudo-random. Stream ciphers can be attacked by brute force, since they do not meet the requirements for the One Time Pad.

Licensed under: CC-BY-SA with attribution