Kyle Banks

Simple XOR Encryption/Decryption in C++ (And Several Other Languages)

Written by @kylewbanks on Oct 10, 2013.

For details on how to implement XOR encryption using Go, see this post.

If you are looking for XOR encryption for other languages, including C, C#, Dart, Go, Groovy, Java (Android Compatible), JavaScript, Objective-C, and Python, I have made them available at this GitHub repo.

XOR encryption (or Exclusive-OR encryption) is a common method of encrypting text into a format that cannot be trivially cracked by the average person. XOR encryption is great for storing things like game save data, and other data types that are stored locally on a users computer, that while not a big deal if they are tampered with, you would like to deter people from doing so. XOR encryption is also used often as a part of more complex encryption algorithms.

The idea behind it is that if you don't know the original character or the XOR encryption key, it is impossible to determine what either one is. However, the reason that it is not entirely secure is that data almost always contains patterns (JSON uses '{' and '}' characters, XML contains plenty of '<' and '>' characters, etc.) so if someone is able to determine the pattern and unlock even one character, they will have the key to unlocking everything else.

However secure or insecure XOR encryption really is, it has plenty of valid use cases. Any kind of deterrent added to data that you don't want users to tamper with but that they will have easy access to is a prime candidate, so long as security isn't paramount.

The concept is simple, you define a key character, and for every character in the string you want to encrypt, you apply the key. Once you want to unencrypt the encrypted data, you simply go through the string and apply the key again.

Here's a very simple implementation in C++, which uses the ^ character for XOR:

#include <iostream>

using namespace std;

string encryptDecrypt(string toEncrypt) {
    char key = 'K'; //Any char will work
    string output = toEncrypt;
    
    for (int i = 0; i < toEncrypt.size(); i++)
        output[i] = toEncrypt[i] ^ key;
    
    return output;
}

int main(int argc, const char * argv[])
{
    string encrypted = encryptDecrypt("kylewbanks.com");
    cout << "Encrypted:" << encrypted << "\n";
    
    string decrypted = encryptDecrypt(encrypted);
    cout << "Decrypted:" << decrypted << "\n";
    
    return 0;
}

And here’s the output:

Encrypted: 2'.<)*% 8e($&
Decrypted:kylewbanks.com

As you can see, the encrypted string looks like gibberish, and would deter non-technical people from bothering to tamper with the file. However, if you run something through that algorithm with repetitive characters (JSON, XML, etc.), more tech-savvy individuals may be able to pick up on what you are doing. While you can't quite make it unbreakable, you can make it ridiculously hard to brute-force by using multiple keys in a pattern like so:

string encryptDecrypt(string toEncrypt) {
    char key[3] = {'K', 'C', 'Q'}; //Any chars will work
    string output = toEncrypt;
    
    for (int i = 0; i < toEncrypt.size(); i++)
        output[i] = toEncrypt[i] ^ key[i % (sizeof(key) / sizeof(char))];
    
    return output;
}

There are two differences here:

  1. key is now defined as a char array.
  2. We now use the char at index modulos the size of the key array to XOR, rather than the same key for each character to encrypt.

Now running the same string through there, we get the following output:

Encrypted: :=.43*-:8m2$.
Decrypted:kylewbanks.com

It doesn't look that much more secure, but the reason for using multiple keys rather than just one, is that for each additional key you use, you effectively double the amount of time it takes to brute force the encrypted string.

Full source in a variety of languages available on GitHub.

Let me know if this post was helpful on Twitter @kylewbanks or down below, and follow me to keep up with future posts!