Custom Encryption Method

Question

Could I make a PHP script to encrypt things with a custom encryption key, and have it be secure?

Say I had a password password and I had an array that contained values to replace each letter and number with a series of letters and numbers, and I used preg_replace. If the values for each letter and number were unique, would it be secure, and maybe even more secure than a standard encryption method?

Keep in mind I haven't really done anything with encryption before, and was just wondering if this would work. The main question is would it be secure.

EDIT: So, I made a simple function to use what I had thought of originally, and it changes "The quick brown fox jumped over the lazy dog" to

Tv596 l34j 0v9 b75 75 v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 ll34j l34j 0v9 09 ghf9 l34j l34j 0v9 09 57 7 cn0n l34j f3ghf9 l34j l34j 0v9 09 5v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 56bv d543 a608v 4v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 ghf9 l34j l34j 0v9 09 57 dg53 608v n56bv h6 608v 45f l34j 0v9 b75 ;9 dg53 v596 l34j 0v9 b75 cn0n ghf9 df5 5fg6 v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 56bv cn0n 7ghf9 l34j l34j 0v9 09 57 dg53 l34j 0v9 v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 ghf9 l34j l34j 0v9 09 57 l34j l34j 0v9 09 v596 l34j 0v9 b75 75 v596 l34j 0v9 b75 75 l34j 0v9 b75 v596 l34j 0v9 b75 75 9 l608v 45f l34j 0v9 b75 ;9 6ghf9 v596 l34j 0v9 b75 75 l34j 56bv 56bv cn0n 7ghf9 l34j l34j 0v9 09 57 dg53 608v 45f

Basically, a long string of numbers, so if someone could explain to me in detail how this would be not secure if the key was private.

Answer 1

This is known as a Substitution Cipher.

As far as if it's secure or not, in general, it's not.

There is one construction that is secure, which is known as a one-time-pad.

Basically, you construct a unique substitution for each character of the plain text. This is normally seen as an addition operation. So the key would be a series of "offsets". You then add the key to the plain text.

key = 01 02 01 05 01
plaintext = "apple"
ciphertext = "brqqf"

That's a simple key (real keys would be full bytes).

And that is secure, provided you NEVER re-use the key (hence one-time). If you ever re-use the key, even just once, then the security crumbles.

That also means that your key needs to be at least as long as the plaintext.

Real world symmetric ciphers (with a single key) today use this principle either as a block or as a stream of bits. Both can be used in a similar manner, where the cipher generates a keystream, which is then added to the plaintext to generate the ciphertext.

Here's a video I did on the matter

As to the edit, I'll quote the words of Bruce Schneier:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.

The fact that you don't know how to break it, and that nobody has broken it does not mean it can't be broken.

Right now, your security is tied in the fact that the algorithm is secret. We call this Security Through Obscurity. The only way to know if the algorithm is secure is to publish the algorithm itself. Then people can analyze it and determine if the security does indeed depend on the key or not.

This is known as Kerchoffs's Principle:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Answer 2

From the words you use and the conceptual level at which your question is posed, I feel confident concluding that no, you could not devise an encryption algorithm that would be secure in any meaningful sense, not even within ten years' time, because you lack a great deal of knowledge and education in the relevant sciences. Don't take this too hard; there are only some thousands of people on earth who have any realistic chance at creating a secure cipher, and most of the time, they screw up too.

As for the specific scheme you propose: This is a substitution cipher, and it may have already been insecure back when Caesar was using the first of its kind. Its "key" is the replacement table. Statistical analysis (roughly, automatically checking how often various substrings occur and comparing that to the frequencies of letters in the plaintext) can easily reduce the number of options to try out to . If your attack model includes known-plaintext-attacks (and frankly, most applications do need to worry about that), security goes right out of the window: The attacker instantly learns learns the replacements for all letters used in the known message. There might also various greater weaknesses, depending on how exactly you choose the replacements.

Finally, even if you were the god of cryptography descended from the heavens, encryption is not our problem. We have several ciphers that are, by any realistic estimate, secure enough for decades to come, and dozens of candidate functions lined up as stopgap in case some genius makes an unexpected advance in cryptanalysis. There is literally no reason to devise your own cipher. Use a standard, vetted solution.