CryptMsg
 
HowTo :: Win32

HowTo :: Linux and most *nix

CryptMsg Demo

Download CryptMsg 1.0.0

Contact JWSmythe (author) about this software


CryptMsg is a tool to encrypt a text message with arbitrary encryption algorithms and keys.

The order of the algorithms and keys is significant to the message. If they are provided out of order, the message will not be decrypted, which adds to the security of the encrypted message.

Methodology
When encrypting, we take the user-supplied data and process it as follows:

1) Base64 encode it, to ensure the data won't be damaged through the conversions.

2) Encrypt it with the first user-selected encryption, using the provided key. This step is repeated for every encryption and key provided by the user. During the encryption steps, we never adjust the data again.

3) After the encryptions are done, we Base64 encode the data again. Some clients have problems with special characters being sent, such as nul and cr/lf. Most browsers now abort the page display when encountering a nul character.
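The pipeline above, written out as an added Go example; it is not the CryptMsg script's own code (which the page describes as a PHP script built on MCrypt). It assumes CTR mode with a random IV prepended to each layer, zero-padding or truncation of the passphrase to the cipher's key size (the page says only "padded or trimmed"), and the two algorithm names `aes` and `3des` backed by Go's standard library; `Layer`, `Encrypt` and `Decrypt` are names chosen here. `Decrypt` walks the layers in reverse, and the run in `main` shows that the same keys supplied in the wrong order do not recover the message, as the text states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Layer is one (algorithm, passphrase) pair, in the order the user gave them.
type Layer struct {
	Algo string // "aes" or "3des": hypothetical names used by this example
	Key  string
}

// fitKey zero-pads or truncates the passphrase to the cipher's key size
// (the page says only "padded or trimmed"; this exact rule is assumed).
func fitKey(pass string, size int) []byte {
	k := make([]byte, size)
	copy(k, pass) // copies min(len(k), len(pass)) bytes: pads and trims
	return k
}

func newBlock(l Layer) (cipher.Block, error) {
	switch l.Algo {
	case "aes":
		return aes.NewCipher(fitKey(l.Key, 32))
	case "3des":
		return des.NewTripleDESCipher(fitKey(l.Key, 24))
	}
	return nil, fmt.Errorf("unsupported algorithm %q", l.Algo)
}

// encryptLayer applies one cipher in CTR mode (assumed; the page names no
// mode) and prepends the random IV so the layer can be undone later.
func encryptLayer(l Layer, data []byte) ([]byte, error) {
	blk, err := newBlock(l)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blk.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return append(iv, out...), nil
}

func decryptLayer(l Layer, data []byte) ([]byte, error) {
	blk, err := newBlock(l)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(data) < bs {
		return nil, fmt.Errorf("layer shorter than one %d-byte IV", bs)
	}
	out := make([]byte, len(data)-bs)
	cipher.NewCTR(blk, data[:bs]).XORKeyStream(out, data[bs:])
	return out, nil
}

// Encrypt follows the page's three steps: Base64, every layer in order, Base64.
func Encrypt(msg string, layers []Layer) (string, error) {
	data := []byte(base64.StdEncoding.EncodeToString([]byte(msg)))
	for _, l := range layers {
		var err error
		if data, err = encryptLayer(l, data); err != nil {
			return "", err
		}
	}
	return base64.StdEncoding.EncodeToString(data), nil
}

// Decrypt reverses Encrypt: outer Base64, layers in reverse order, inner Base64.
// A wrong key or order leaves bytes that are not valid Base64; that is the only
// "is this the plaintext yet?" check this design has.
func Decrypt(blob string, layers []Layer) (string, error) {
	data, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	for i := len(layers) - 1; i >= 0; i-- {
		if data, err = decryptLayer(layers[i], data); err != nil {
			return "", err
		}
	}
	plain, err := base64.StdEncoding.DecodeString(string(data))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	layers := []Layer{{"aes", "first passphrase"}, {"3des", "second one"}} // constructed
	blob, _ := Encrypt("meet at noon", layers)
	fmt.Println(blob)
	fmt.Println(Decrypt(blob, layers))                        // meet at noon <nil>
	fmt.Println(Decrypt(blob, []Layer{layers[1], layers[0]})) // an error, not the message
}
```

Note that the scheme carries no authentication tag: the only sign that a key or key order was wrong is that the innermost layer fails to decode as Base64, so a wrong key is detected by accident of format rather than by a check.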

We believe wrapping a message in several different encryptions helps the security of the message.

When someone attempts to forcibly decrypt a message, they need a way to tell that an attempt has succeeded: a plaintext result, or other known data, is expected to appear.

When examined, some encryption types can be guessed by looking at the data and knowing the data is encrypted. By wrapping an encrypted message inside an encrypted message, anyone attempting to forcibly decrypt the message would need to look at each attempted key, and guess if the data returned is another encrypted message, or just garbage data.

A single layer of encryption can be broken by a supercomputer (or a group of computers such as distributed.net) in a matter of hours to months, by looking for plaintext data after each key attempt. With layers upon layers of encryption, each using an unknown encryption method, the time required to forcibly decrypt a message is pushed into many years at best. An attacker could not even be sure that the first layer had been guessed correctly, so every combination of keys with every encryption for every layer would need to be tried before the message was decrypted.

Important Information
Put your keys in the same order when encrypting and decrypting. The program will automatically reverse the key order to decrypt. Keys are padded or trimmed to fit the algorithm selected. The output string is Base64 encoded, so you may use it in emails or web pages.
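What "padded or trimmed" does to a passphrase, as an added Go example that is not part of CryptMsg. Zero-padding and truncation are assumed as the rule, and the PBKDF2 routine, the names `fitKey`, `sameFittedKey` and `pbkdf2SHA256`, and the salt value are this example's own. Trimming means a DES key sees only the first 8 bytes of a passphrase, and padding means a short passphrase leaves the rest of a 32-byte AES key at zero; a salted, iterated derivation, shown for contrast, uses the whole passphrase and gives each algorithm in the chain its own key without the user having to invent one per layer.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// fitKey reproduces the "padded or trimmed" rule from the page, assumed here
// to mean zero-padding short passphrases and truncating long ones.
func fitKey(pass string, size int) []byte {
	k := make([]byte, size)
	copy(k, pass)
	return k
}

// sameFittedKey reports whether two different passphrases become the same
// cipher key once fitted to a key of the given size.
func sameFittedKey(a, b string, size int) bool {
	return bytes.Equal(fitKey(a, size), fitKey(b, size))
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example needs nothing outside the standard library. A salted, iterated
// derivation uses every byte of the passphrase, and a different salt per
// layer gives each cipher in a chain a different key.
func pbkdf2SHA256(pass, salt []byte, iters, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1 = PRF(pass, salt || INT(block))
		t := append([]byte{}, u...)
		for i := 1; i < iters; i++ {
			mac.Reset() // back to the keyed state
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(pass, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func main() {
	// DES takes an 8-byte key, so only the first 8 bytes of a passphrase matter.
	fmt.Println(sameFittedKey("correct horse battery staple", "correct horse", 8)) // true
	// A short passphrase fitted to a 32-byte AES key: bytes 5..31 are all zero.
	fmt.Printf("%x\n", fitKey("hello", 32))
	// With a salted KDF the whole passphrase counts and the two keys differ.
	salt := []byte("constructed-salt") // constructed; in real use random and stored with the message
	fmt.Println(hex.EncodeToString(pbkdf2SHA256([]byte("correct horse battery staple"), salt, 10000, 32)))
	fmt.Println(hex.EncodeToString(pbkdf2SHA256([]byte("correct horse"), salt, 10000, 32)))
}
```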

When transmitting the keys you encrypted with, always use a different method of transmission. For example, if you are sending the message by email, don't send the keys by email, even in a different message or to a different mailbox. Always send the encryption key in a secure fashion. Always assume that email, instant messaging clients, and telephones are never secure.

Keep your keys private. Anyone with the correct keys will be able to decipher the message. Make sure your browser does NOT save form fields. Failure to do so will compromise your keys!

Never use dictionary words in your encryption string. Using dictionary words makes breaking your key simple.

Selecting multiple encryption algorithms will slow any brute force attack on your message, and ensure that a weakness in one algorithm will not compromise your message. Don't use the same key for each algorithm; this defeats the purpose of using multiple encryptions.

You should read up on the available encryptions, and make an educated opinion on which to use.

Related Links:
Unix and Linux book store
This project's home page
MCrypt information page
XAMPP project (All software required for your desktop)
Wikipedia :: Block Cipher
Wikipedia :: RC4 (ARCFOUR)
Wikipedia :: RC6
Wikipedia :: Blowfish
Wikipedia :: Cast-128
Wikipedia :: Cast-256
Wikipedia :: DES
Wikipedia :: Enigma cipher (based on the machine)
Wikipedia :: GOST Block Cipher
Wikipedia :: LOKI97
Wikipedia :: MARS
Wikipedia :: Rijndael (AES)
Wikipedia :: SAFER plus
Wikipedia :: Serpent
Wikipedia :: SkipJack (NSA)
Wikipedia :: TripleDES (3DES)
Wikipedia :: ThreeWay (3-Way)
Wikipedia :: Twofish
Wikipedia :: WAKE
Wikipedia :: XTEA


Note: Not all encryptions are always available. Some require additional modules, notably MARS, SkipJack, and RC6.

No message data is ever recorded by this program. For your own security, you should only use this script on your own computer.

The full source is available HERE

Always read the source of any script you plan to install.


User Questions:
  • Q1) How does the user know that you don't just write a clear text copy to the disk before the crypto routines run? There's no way to know what script you're actually running on the server. Sure, you provide the code that you say is running, but how does the user know that that code is being used?
  • A1) I wouldn't trust anyone else with a message intended to be private. Sure, there's a huge risk that I added a couple lines to record the user input, as well as your keys. Honestly, I made a symlink from cryptmsg.php to cryptmsg.php.txt, but I don't expect anyone to trust me on that. They shouldn't.

  • Q2) You assume SSL is secure. If PGP is broken, SSL is surely broken.
  • A2) I'm sure SSL is broken. I've seen a decrypter for it.

    I recommend ONLY using this on a computer with no Internet access. Then you could make your encrypted messages on the offline computer, copy the encrypted message over to an online computer, say on a USB keychain drive, and send it.

    Using an offline computer to generate your encrypted messages should help reduce the threat of spyware or a key logger intercepting your plaintext message.






JWSmythe