Security of a sha-256 based stream xor cipher?

Question

Provided that I have some data I want to cipher and a password to do it:

1. I generate a random IV
2. I define c = sha256(password)
3. I generate an infinite stream where x0 = sha256(IV xor c) and xi = sha256(xi-1 xor c). This produces blocks of 32 bytes and I yield them byte by byte
4. output = data xor stream

Would this be secure? In case it's not, how insecure is it?

Note: The NSA isn't going to crack it, I just need it to be secure for a user with average-high cryptographic knowledge.

I know it may look similar to Is it feasible to build a stream cipher from a cryptographic hash function? but it has some differences:

• I use a random IV instead of starting with hash(data)
• Im xoring c in each phase of the stream generator, so even knowing xi you can't guess xi+1

Answer 1

The stream cipher part is cryptographically fine given a uniform random key and a unique nonce per message, since SHA-256 shows no evidence of failing preimage resistance, but it's stupidly slow because SHA-256 is designed for the much more expensive collision resistance. There's no reason to prefer it over, for example, XSalsa20.

The password-based key derivation function is problematic if you ever use passwords chosen by a process with entropy much below 128 bits, like most people do, because the cost to the adversary of testing a guess for the password is negligible. You should use a modern password-based key derivation function like scrypt or argon2 to derive the key.

Overall, when you're composing things like this, you should be concerned more with what you're actually trying to protect here. Don't mess with inventing your own stream cipher—that's a solved problem. To do this you need to articulate what you're trying to do in your application with what resources, how the adversary can manipulate those resources, and what you want to make sure the adversary can't do in spite of that. Then you can decide how to use crypto to prevent the adversary's shenanigans—and you'll almost certainly need some authentication in there beyond encryption.