what are the security flaw of a simple Encryption algorithm made with SHA hash fonction?

Question

I'm wondering what would be any major flaw of a simple Encryption algorithme based on Hash fonction like SHA:

The algorithm is: Use SHA on a password and then keep hashing the output to concatenate a long hashed string as long as the input text to be chiphered and then just xor the plain text with that long string.

What are the major security flaw of such a simple algorithm?

What method someneone could try to break this kind of chipher?

PS: This is for educational purpose, i'm not going to use this kind of DIY chipher for sensitive information

Answer 1

this construction isn't obviously completely broken (to me), but does have some notable downsides:

1. not especially fast. this algorithm doesn't provide any ability to encode or decode in parallel
2. very forgable. given encrypted message E(b) for attacker known b, an attacker can produce E(c) as E(c)=E(b) xor b xor c.
3. not random, identical plain text encrypts to identical cypher text (in separate communications)

Answer 2

Edit: No, apparently it is not secure at all.

It sounds similar to CTR mode with SHA-2 as the PRF, apart from two main differences. First difference is that you're hashing the previous output to get the next output, making encryption and decryption non-parallelisable, unlike CTR that gets each output by hashing the inputs along with a counter, making it easily parallelisable. And the other difference is that you don't have an IV, meaning you can only confidently use each key for one message. CTR mode is considered secure (as far as confidentiality goes) and as such I'm quite confident that your scheme is secure as well, if you change your key/password for each message you want to encrypt.

If you were to reuse the same key for two different messages then the encryption no longer acts as a One-Time Pad but rather like a Two-Time Pad. The most obvious vulnerability is that our ciphertexts $c$ is the xor of the plaintext message $m$ and the key $k$, so with access to two messages we get $c_1\oplus c_2=m_1\oplus k\oplus m_2\oplus k=m_1\oplus m_2$, and it is oftentimes possible to figure out what $m_1$ and $m_2$ is from there. Once we know an $m$ we also know the key stream $k$ and can decrypt all future messages that are encrypted with that key stream.

As pointed out in the comments, your construction also leaks the entire internal state each block of the key stream since each hash is used as input for the next hash. This means that it will be much easier for the attacker to know if they have managed to guess a plaintext block correctly, since the rest of the ciphertext will also conform to the guess, and if any block of any message is correctly guessed then that and all subsequent blocks of the key stream is now known, also revealing the plaintext of those blocks, making the first block of plaintext easier to guess and at that point the whole key stream is known to the attacker. You would need to keep enough of the internal state secret between each block for it to be a secure construction. One fix that changes as little in the construction as possible could be to add the key as input for each hash, e.g. $h_{n+1}=sha(h_n+key)$.