CryptMsg is a tool to encrypt a text message with arbitrary encryption algorithms and keys.
The order of the alogrithms and keys are significant to the message. If they are provided out of order, the message will
be decrypted, which ads to the security of the encrypted message.
When encrypting, we take the user supplied data and process it as follows:
1) Base64 encode it, to ensure the data won't be damaged through the conversions.
2) Encrypt it with the first user selected encryption, using the provided key. This process is
repeated for every encryption and key provided by the user. During the encryption steps, we never
adjust the data again.
3) After the encryptions are done, we Base64 encode the data again. Some clients have problems with special
characters being sent, such as nul and cr/lf. Most browsers now abort the page display when encountering a
We believe wrapping a message in several different encryptions helps the security of the message.
When attempting to forcibly decrypt a message, to see that the message has been successfully decrypted,
a plain text result, or other known data is expected.
When examined, some encryption types can be guessed by looking at the data and knowing the data is encrypted.
By wrapping an encrypted message inside an encrypted message, anyone attempting to forcibly decrypt the message
would need to look at each attempted key, and guess if the data returned is another encrypted message, or
just garbage data.
A single layer of encryption can be broken by a supercomputer (or group of computers
such as distributed.net) in a matter of hours to months, looking
for plaintext data after each key attempt. With layers upon layers of encryption, each of an unknown
encryption method, it pushes the time required to forcibly decrypt a message into many years at best.
It would be a rough guess to even think the first layer was guessed, so every combination of keys with
every encryption for every layer would need to be tried before the message was decrypted.
Put your keys in the same order when encrypting or decrypting. The program
will automatically reverse the key order to decrypt. Keys are padded or
trimmed for use by the alogrithm selected. The output string is base64 encoded,
so you may use it in emails or web pages.
When transmitting the keys you encrypted with, always use a different method for
transmission. For example, if you are sending the message by email, don't send
the keys by email, even in a different message or to a different mailbox.
Always send the encryption key in a secure fashion. Always assume email,
instant messaging client, and telephone are never secure.
Keep your keys private. Anyone with the correct keys will be able to decipher
the message. Make sure your browser does NOT save form fields. Failure to do
so will compromise your keys!
Never use dictionary words in your encryption string. Using dictionary words
makes breaking your key simple.
Selecting multiple encryption alogrithms will slow any brute force attack on
your message, and ensure a weakness in one alogrithm will not compromise your
message. Don't use the same key for each alogrithm. This defeats the purpose
of using multiple encryptions.
You should read up on the available encryptions, and make an educated opinion on which to use.
This project's home page
MCrypt information page
XAMPP project (All software required for your desktop)
Wikipedia :: Block Cipher
Wikipedia :: RC4 (ARCFOUR)
Wikipedia :: RC6
Wikipedia :: Blowfish
Wikipedia :: Cast-128
Wikipedia :: Cast-256
Wikipedia :: DES
Wikipedia :: Enigma cipher (based on the machine)
Wikipedia :: GOST Block Cipher
Wikipedia :: LOKI97
Wikipedia :: MARS
Wikipedia :: Rijndael (AES)
Wikipedia :: SAFER plus
Wikipedia :: Serpent
Wikipedia :: SkipJack (NSA)
Wikipedia :: TripleDES (3DES)
Wikipedia :: ThreeWay (3-Way)
Wikipedia :: Twofish
Wikipedia :: WAKE
Wikipedia :: XTEA
Note: Not all encryptions are always available. Some require additional modules, notibly : MARS, SkipJack, and RC6
No message data is ever recorded by this program. For your own security, you
should only using this script on your own computer.
The full source is available HERE
Always read the source of any script you plan to install.
- Q1) How does the user know that you don't just write a clear text
copy to the disk before the crypto routines run? There's no way to know what
script you're actually running on the server. Sure, you provide the code that
you say is running, but how does the user know that that code is being used?
- A1) I wouldn't trust anyone else with a message intended to be
private. Sure, there's a huge risk that I added a couple lines to record the
user input, as well as your keys. Honestly, I made a symlink from cryptmsg.php
to cryptmsg.php.txt, but I don't expect anyone to trust me on that.
- Q2) You assume SSL is secure. If PGP is broken, SSL is surely broken.
- A2) We know SSL is broken. That's why we've retired many ciphers.
I recommend ONLY using this on a computer with no Internet access. Then you could
make your encrypted messages on the offline computer, copy the encrypted message
over to an online computer, say on a USB keychain drive, and send it.
Using an offline computer to generate your encrypted messages should help reduce the
threat of spyware or a key logger intercepting your plaintext message.