Crypt04

Security Forums -> Cryptographic Software and Hardware

Author: NarrowPathPilgrim    Location: Washington    Posted: Fri Oct 08, 2004 8:15 am    Post subject: Crypt04
    ----
Hello, Does anyone know where I can get a copy of Crypt04?

The program's home page is http://www.gol.biz.ly/ and they no longer have it available for download.

Author: viktalk    Posted: Fri Oct 08, 2004 9:17 am    Post subject:
    ----
They are still there, but no idea why you would like to use something like that after reading this:

Quote:
Crypto V5 is a next-generation, multi-purpose encryption system, designed from the ground up for customisation. It features a 1024-bit encryption segment, variable-length encryption keys, a modified Message-Digest 5 password-checking system, and uses our own proprietary Binary Expansion Encryption Method (so advanced, we won't tell you what it does).

... Please note that Crypt V5 is not a continuation of the Crypt04 product line, and thus, Crypt04 Hiders cannot be decrypted through Crypt V5.

... Crypto V5 Is Currently available for Alpha Testing, and can be obtained if you e-mail us, via the contact page.


:(

Author: NarrowPathPilgrim    Location: Washington    Posted: Fri Oct 08, 2004 10:23 am    Post subject:
    ----
Only version 5 is still there.
I am looking for version 4.
I think from what I have read that they are very different.

Here is a description of version 4 that I found on the Internet:
"Crypt04 is an encryptor/compressor, designed to hide files inside other files, behind a strong encryption language. Files can be hidden inside pictures, music, word documents, etc. but they can not be retrieved without the software. The system we use to create more secure encryptions uses both a PIN number and a Password, with both required on decryption to successfully decrypt your file - If a hacker found your encryption, there are still more than (4.6127444315715161368304679615147 x 10^120) different encryption patterns and there is absolutely no record of your password or PIN inside your file. That's more than enough to dissuade even the most determined thief!!"

Author: JustinT    Location: Asheville, NC, US / Uberlândia, MG, Brazil    Posted: Fri Oct 08, 2004 11:21 am    Post subject: Be wary.
    ----
I would still be incredibly wary; their presentation, as a whole, is cryptographically-backwards and full of incompetence, to say the least. I would seriously reconsider, as there are other solutions with far more appeal and peace-of-mind. In particular, a "modified MD5" and "proprietary Binary Expansion Encryption Method (so advanced, we won't tell you what it does)" worry me the most - two prime pillars of snake-oil. If they sound clueless and keep their cluelessness proprietary, then it's a waste of your time and a complete risk of your security, because I am almost willing to guarantee you no assurance of it, if you so choose to utilize their software. In fact, there isn't a single appealing facet of their approach to be found. I, among others, could spend hours discussing the dangers associated with this type of jargon. Any particular reason you're after this? Have you considered other, more conventional options?

Author: NarrowPathPilgrim    Location: Washington    Posted: Fri Oct 08, 2004 9:56 pm    Post subject:
    ----
OK, I will use a different encryptor.
What freeware symmetric encryptor would you recommend?

Author: 0x54    Posted: Sat Oct 09, 2004 6:48 am    Post subject:
    ----
well, an openpgp client would be nice.

try pgp8 or gnupg i guess, pgp8 is quite nice imho :mad:.

gnupg is more suited to unix like environments imho.
www.gnupg.org

pgp is nice and easy, :). worth buying methinks, though the freeware version will encrypt files just fine.
http://www.pgp.com/downloads/freeware/index.html

Author: NarrowPathPilgrim    Location: Washington    Posted: Sat Oct 09, 2004 8:49 pm    Post subject:
    ----
NarrowPathPilgrim wrote:
What freeware symmetric encryptor would you recommend?


Yes, I use PGP some, but I don't think that it is a symmetric encryptor

Author: JustinT    Location: Asheville, NC, US / Uberlândia, MG, Brazil    Posted: Sat Oct 09, 2004 11:54 pm    Post subject: It is, actually.
    ----
NarrowPathPilgrim wrote:

Yes, I use PGP some, but I don't think that it is a symmetric encryptor


It's a hybrid system, involving both symmetric and asymmetric algorithms; refer to RFC 2440 for complete specifications of the general structure. Also, for various comments, peruse the forum for keywords such as: PGP, GPG, GnuPG, OpenPGP, et cetera. It is, perhaps, one of the better public implementations, and extensively scrutinized, at that, even if not perfect [Jallad, Katz, and Schneier]. Unfortunately, I'm not willing to responsibly recommend other pre-fabricated solutions, aside from it, at this time. There may be other relatively decent systems floating around, to select from, but they aren't a dime-a-dozen, so it's best to be cautious of similar public, out-of-the-box solutions. My personal preference is the more OpenPGP-aware GnuPG, which is rather friendly in Win32, Unix, and various other platforms. If you're working in Windows, GPGshell makes the experience quite seamless, and in my opinion, a bit more functional than PGP's current freeware interface.

Author: securitynmind    Posted: Sun Oct 10, 2004 1:59 am    Post subject:
    ----
Hello Justin.....

What about AxCrypt? It's open-source software and I have been wondering what qualified crypto people think. Any thoughts?
http://axcrypt.sourceforge.net/

I especially liked (after reading all about the product) seeing this:

"There may well be bugs in my implementation though - that is why it is open source, so you and our peers may review it and keep it safe. This should not be taken as a low level of confidence in my code - anyone who tells you their code is flawless is either inexperienced or lying."

Author: 0x54    Posted: Sun Oct 10, 2004 2:20 am    Post subject:
    ----
NarrowPathPilgrim wrote:
Yes, I use PGP some, but I don't think that it is a symmetric encryptor


it can be :). gpg -c

Author: JustinT    Location: Asheville, NC, US / Uberlândia, MG, Brazil    Posted: Sun Oct 10, 2004 5:17 am    Post subject: Good presentation, overall.
    ----
securitynmind wrote:

What about AxCrypt? It's open-source software and I have been wondering what qualified crypto people think. Any thoughts?


The author certainly has a good attitude about the open-source philosophy, and for the most part, makes reasonable statements. They use authentication, which is exceptionally appealing, since most public attempts at pre-fabricated cryptography do not, unfortunately. They don't exactly use conservative parameters (128-bit symmetric keys, 160-bit hash function, et cetera), but in practice, this isn't a current concern. Most notably, 128-bit security via 128-bit keys - this is possible, but often difficult to achieve. However, the author makes note of the concept of entropy:security ratios, which at least assures me that he comprehends the issue surrounding it.

I can't honestly hold this [lacking the sense of conservatism I prefer] against them though, as most modern, conventional systems still use such parameters, and the OpenPGP specification isn't exactly as conservative as my general philosophy demands, either, but, practical applications in the real-world usually allow us a considerable amount of leniency to cope with. So, we can accept certain definitions of minimalism; sometimes we have little choice. From what I can tell, the parameters specified for this solution are acceptable, from that perspective.

I'm rather critical against presentation, so I may differ in opinion, word-for-word, but so far - so good - as far as the author's presentation is concerned. This is fresh air, compared to the repugnant odor emitted by much of cryptography in this realm. Give or take a few things I might do or say differently, the presentation is much more satisfactory than many I've seen from that arena of products.

I haven't used the product, analyzed the implementation, or even verified that the cryptography works as securely as intended, so don't quote me as saying, "It's a good cryptographic product." Rather, quote me as saying, "The author's presentation of this cryptographic product is good, overall." As I stated in my previous thread, there are probably other decent solutions floating around; this may very well be one of them. The OpenPGP specification has just seen more widespread use, as a solution, and as a model for derivative solutions, so the abundance of implementation scrutiny and cryptanalysis is larger, more so than most other public offerings.

It [OpenPGP] isn't the most robust of measures, but it's within the league of about the best assurance of security that we'll see from such systems. The most assured solution is a custom-tailored solution by a cryptographer, which is the only way, at the current state of cryptographic parameters, that you'll achieve the kind of conservatism that I, among countless others, so strongly advocate. But, now we're talking great expense, and expense that not everyone can afford; it doesn't leave us much to choose from, but along the way, we find some products worth consideration and deserving of a second look. AxCrypt appears to be a candidate for that. They did a good job proposing it, but that's about all I can say at the moment. Perhaps someone else can comment or verify the implementation itself.

Author: securitynmind    Posted: Sun Oct 10, 2004 5:37 am    Post subject:
    ----
Thank you Justin for that summation. I realize you can only look at the presentation on the sourceforge site, but presentation does say a lot judging by my reading of previous postings you have made. Hyped and incompetent presentation is apparently rampant in this field.

I have used it for a couple of weeks, just to get the "feel" of it and have been very impressed. But, I know of no way to find out if it's really doing what it says it is doing.

Thanks for your time and all you add to this forum!

Author: JustinT    Location: Asheville, NC, US / Uberlândia, MG, Brazil    Posted: Sun Oct 10, 2004 5:57 pm    Post subject: Presentation.
    ----
Not a problem. Always glad to contribute a perspective that may be useful. It's good to hear that the product is working to your satisfaction; that's always a plus. As for incompetent presentation - it does stagnate the field quite uncongenially, which is why a developer's first impression must be marked by responsible etiquette, because rest assured - it will be the lasting impression. In fact, the presentation speaks loudly about the consistency and craftsmanship of a particular implementation, whether it be a new algorithm proposal or just a system incorporating existing algorithms.

If they sound competent, there's a good chance they are and what they render has an equal chance of containing merit; if they sound clueless, there's even a better chance that they are and in no way should trust be placed in anything resulting from their incompetence. But then again, being critical, and somewhat merciless, when it comes to presentation is reasonable. Cryptographic security is volatile and does not tolerate ignorance, nor should we. We only come close to assurance of this security by requiring a certain etiquette for it to be constructed by, yet so many fail to realize this.

Presentation is the initiation of an alliance of trust, so it's vital that we feel some sense of assurance that our privacy fares well in their hands, if we so choose to entrust it to their implementation(s). In fact, analysts generally only bother devoting time to scrutinizing implementations that might actually be trustworthy for the real-world demands of security, so a top-notch proposal kicks up the notch for potential, in regards to actually seeing the scrutiny it will need, if it plans to be taken seriously. So, while it does take actually reviewing the implementation's source to produce a concrete judgment, the presentation is a window looking in to what we can expect. Most of this is just rant, so you could probably stop reading after the first sentence or three. Thanks for the compliment, by the way. ;)

Author: stevensfo    Location: Italy    Posted: Mon Oct 25, 2004 3:05 pm    Post subject:
    ----
I've been using Axcrypt for a few months now and I find it very user-friendly. I know very little about how encryption works but I assume that because it's open source software (like truecrypt) there are no back doors.

I've only used two other programs before Axcrypt: truecrypt and Securit (free version from Cypherix).

A few points:

I believe that the icon used to show an encrypted file can be changed and the .axx suffix removed automatically - but I haven't tried it yet. Encrypted files should sit quietly in the background, preferably looking like innocuous word files. The Axcrypt icon screams 'Look, I'm encrypted!'

If you forget to click the "Clear passphrase from memory" every time, anyone can come along and open the files. It should really be set to clear automatically as default.

I like the ability of Axcrypt to generate 44 character random passwords but I found that if I repeated this, the new passwords actually changed only after halfway through. I'm not too sure of the implications, but I would prefer a password to be 100% random each time.

While we're on this subject, could someone tell me what the max length of the password can be? Is there a minimum length to use?

All in all, I like the versatility of Axcrypt, particularly the renaming facility that gives all files random names.

Steve (new to all this and still on a steep learning curve)

Author: splidet    Posted: Tue Nov 09, 2004 11:02 pm    Post subject:
    ----
Hello,

I am the author of AxCrypt. A few comments follow:

stevensfo wrote:

I believe that the icon used to show an encrypted file can be changed and the .axx suffix removed automatically - but I haven't tried it yet. Encrypted files should sit quietly in the background, preferably looking like innocuous word files. The Axcrypt icon screams 'Look, I'm encrypted!'


It's possible to change the Icon, but it requires hacking the registry and knowing what you do. I'm glad that you find that the icon screams 'I'm encrypted' - that's what it's for! In other words - this is a conscious design decision. AxCrypt is not intended to hide the fact that you have confidential information. It's just supposed to keep it confidential.

stevensfo wrote:

If you forget to click the "Clear passphrase from memory" every time, anyone can come along and open the files. It should really be set to clear automatically as default.


This is incorrect or a bug in your environment. All checkboxes in AxCrypt dialogs are 'sticky' - i.e. the last choice will be remembered persistently. If you'd like to not use the pass phrase caching feature, please deselect the appropriate check boxes when entering the pass phrase.

The 'Clear passphrase from memory' option is intended to be used when you change your mind in a specific situation, or are unsure if you have any pass phrases cached.

stevensfo wrote:

I like the ability of Axcrypt to generate 44 character random passwords but I found that if I repeated this, the new passwords actually changed only after halfway through. I'm not too sure of the implications, but I would prefer a password to be 100% random each time.


The implications if what you say is correct are that it's a serious bug. Try as I might I cannot reproduce this behavior. Could you please verify this result and send me some samples as well as details on version and your environment - or if you at a closer glance cannot reproduce it please comment so here, so that this is cleared up.

stevensfo wrote:

While we're on this subject, could someone tell me what the max length of the password can be? Is there a minimum length to use?


If I recall correctly the code limits pass phrases to 250 characters. Read the section labelled 'Security' in your documentation or on the official AxCrypt website, http://axcrypt.sf.net for info on appropriate pass phrase lengths.

Best regards,

Svante
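
One way to verify the "only changed after halfway through" observation on a batch of collected samples, as an added example that is not part of the thread and not AxCrypt code. The 64-symbol alphabet, the -40 threshold and both sample batches are assumptions constructed for illustration; real generator output would be pasted in their place.

```python
import math
import string

ALPHABET = string.ascii_letters + string.digits + "+/"  # assumed 64-symbol alphabet

def common_prefix_len(a, b):
    """Number of leading characters two samples share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def frozen_positions(samples):
    """Indexes at which every sample carries the same character."""
    return [i for i, col in enumerate(zip(*samples)) if len(set(col)) == 1]

def analyse(samples, alphabet_size=len(ALPHABET)):
    """Report overlap between samples and how unlikely it is for uniform output."""
    if len(samples) < 2 or len({len(s) for s in samples}) != 1:
        raise ValueError("need at least two samples of equal length")
    prefixes = [common_prefix_len(a, b) for a, b in zip(samples, samples[1:])]
    frozen = frozen_positions(samples)
    # A column stays constant by chance with probability A^-(n-1); columns are
    # independent, so the exponents add. log2 keeps the tiny value readable.
    log2_p = -len(frozen) * (len(samples) - 1) * math.log2(alphabet_size)
    return {
        "longest_shared_prefix": max(prefixes),
        "frozen_positions": frozen,
        "log2_chance_probability": log2_p,
        "suspicious": log2_p < -40,  # arbitrary cut-off chosen for this sketch
    }

def constructed_sample(k, frozen=0, length=44):
    """Deterministic constructed test data, NOT output of any real generator."""
    pick = lambda i, off: ALPHABET[(i * 7 + off * 13) % len(ALPHABET)]
    return "".join(pick(i, 0 if i < frozen else k) for i in range(length))

HEALTHY = [constructed_sample(k) for k in range(4)]              # no shared columns
REPORTED = [constructed_sample(k, frozen=22) for k in range(4)]  # first half repeats

if __name__ == "__main__":
    for name, batch in (("healthy", HEALTHY), ("reported", REPORTED)):
        print(name, analyse(batch))
```

A single matching character between two samples is expected fairly often by chance, which is why the check scores the whole batch rather than flagging any overlap.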

Author: securitynmind    Posted: Wed Nov 10, 2004 1:04 am    Post subject:
    ----
Thanks for the post, Svante! I am a user of AxCrypt and have been telling many about the program. Keep up the great work and don't be a stranger to Security-Forums!



All times are GMT + 2 Hours