Simple but effective encryption program

[MNwr786]

Last year sometime I had written a simple text encryption program for windows using C#. It has a box to type in a message, another box to type in a key, and an output box that combines the two using essentially a viginere table. The neat thing is that if one uses a one-time pad as a key, in other words, the key is illogical and never repeating or reused, the code is 100% unbreakable. For the less "security minded", I did add a checkbox that allows the use of a passphrase which will internally repeat as necessary, although that would make for a weak encryption and its use is not recommended for any serious messages. Also build in is the ability to salt the key with a password (in the event your one-time codebook was compromised) ~ call it an added bit of security. With that function is a checkbox that will hide the salted key from the key window so onlookers will not see the true key. There is a help button detailing the use of each function which essentially calls open the help.txt file in the unzipped folder ~ deleting this file will make the help button not work. There is an option to import and export text files into the windows for those confident (and crazy) enough to keep keys stored on their computer, but I wouldn't recommend that unless the PC never sees internet.

I had originally thought I had lost the program, but luckily found the final stable version of the exe sitting in my google drive account. I no longer have the code used to make it, but a free program called JustDecompile is able to let someone see the code it runs on. I originally wanted to edit it because my ham callsign is in the main window of the program, but I decided it wasn't worth removing and, IMO, supports the fact there is nothing shady about the program (for those not interested in using a decompiler to look into it for themselves). I will try to attach it here, not sure if that will work. Any questions about it, id be happy to answer. Heres a screenshot. Some day soon I will be rebuilding this and adding a com port option for sending the output box to a USB to UART serial converter and interface that with my radio, just need to find the time.

 

[The Parahunter]

I work in Information Security as a profession. Nothing is 100% unbreakable. All encryption uses an algorithm that, while many are difficult to break, none, so far, have proven to be "unbreakable". It's an ongoing challenge (usually friendly) within the Information Security world to develop a new algorithm then break it, develop another encryption method, break it, etc... . Currently algorithms based on quantum mechanics and even atomic manipulation are the path. Yes, it's gotten that complex.

That said, most encryption techniques, including this one, are at least "difficult" to break and thus, effective against most hacking attempts. The "breakable" comments I make are based on attacks from persistent nation states (i.e. China) against the encryption methods. We're talking government and military application. Most basement-dwelling black-hats don't have such capabilities.

 

[MNwr786]

Well, wikipedia agrees with me. Allow me to explain why I think what I do rather than simply argue about what I think, like most people do.

Take the standard viginere table.

Using the plain text HELLO and using something totally random to encode it, say FTOWB, the coded message is MXZHP.
The coded message now carries with it the same amount of random as the key. Because the key is not based on any logical text which might suggest it is the correct key, one could simply say that I had encoded DEATH using something just as random like JTZOI to obtain the same coded message of MXZHP. You see, there would need to be evidence, either in the form of a logical key phrase or a pattern established among many characters to support the idea my key was JTZOI rather than FTOWB. Being no evidence exists, you can say I used whatever code you wanted and Ill let you think what you want.

The unbreakable nature of this one-time pad method comes from the fact there is no repeating pattern or logic to support the idea the decryption was accurate. Which is why having access to how my program works means nothing to the cryptanalyst...

 

[MNwr786]

Tell ya what, decode this: SJEYFNSYEHFAKSNCNEBWRIAKSMWE

Lol, I can make that code say anything I want just by making the RANDOM key different! Your job is to tell me what RANDOM I used and to prove it without identifying logical segments or patterns to support your claim. I may not be a security expert, but I might surprise you with the broad spectrum of what little I know!

https://en.wikipedia.org/wiki/One-time_pad
EDIT: when you come to the same conclusion, please feel free to distribute that program to anyone you like ~ heck, feel free to take credit for it. Individual privacy is something I would never jeopardize or profit from.

 

[MNwr786]

Update: I found my old hard drive that had essentially failed and gave her one last try and managed to locate the source code so here is the entire visual studio project folder for that program in case anyone wanted to look at the code.

 

[DrHenley]

That's cool MNwr786. About twenty years ago I was working at a company that needed to transmit sensitive information over the Internet, including Social Security Numbers and credit card numbers. Public key encryption was garbage then. So I came up with an encryption scheme of my own. As part of it, I used a hash of a password to seed a random number generator. The password was never transmitted over the Internet, not even encrypted. Every location used a different password. I don't believe there is any possible way to break that encryption scheme without knowing the algorithm, which was not in any way like any other encryption algorithm.

Then I compressed the encrypted file with encryption, which would really frustrate someone trying to crack it because the first step is to decrypt gibberish, LOL.

I would love to give a file to somebody to try to crack.

 

[MNwr786]

That's cool MNwr786. About twenty years ago I was working at a company that needed to transmit sensitive information over the Internet, including Social Security Numbers and credit card numbers. Public key encryption was garbage then. So I came up with an encryption scheme of my own. As part of it, I used a hash of a password to seed a random number generator. The password was never transmitted over the Internet, not even encrypted. Every location used a different password. I don't believe there is any possible way to break that encryption scheme without knowing the algorithm, which was not in any way like any other encryption algorithm.

Then I compressed the encrypted file with encryption, which would really frustrate someone trying to crack it because the first step is to decrypt gibberish, LOL.

I would love to give a file to somebody to try to crack.

Unfortunately, nobody takes on cryptography challenges any more because too many people waste their time with completely random stuff that has no true meaning. I remember when the NSA had an MD5 hash circling their emblem which decoded to, essentially, an application for employment, saying "if you can read this, do such and such and we will contact you", but by todays standards, MD5 hashes are laughable (even though I don't understand any of it without the aid of another website to decode it, lol). My favorite quote is "if a wise man knows anything, it's that he knows nothing at all" and I take that to heart every day. I do not fear being told I am wrong, it merely informs me that I need to further my research. And I will, rest assured!

That said, I stand behind everything I say, right or wrong,, and when I am PROVEN wrong, I will certainly admit so and educate myself accordingly!

The library of congress has one REALLY BIG FUNCTION. It serves as a collection of text that most people would use as "encrytion key" text. History has shown that many lazy people would rather choose specific page from a specific book to use as a key in a cypher than to try sharing/transporting a random one secretly. Well, the library of congress has that text and it is ran through a table like above faster than you can imagine.

My friend and I concocted a basic encryption scheme using morse code (which we learned in a day and a half with neon strips of paper between prison cell windows across the day room). It ended up with 3 staff members posted full time for a week and the inevitable relocation of one of us (me). Thats a whole different story, which leads to an entirely different story of internal network hacking between prisons lol... Needless to say, DOC regulations were re-written in Minnesota because of me, a friend, and their poor choice in IT techs. I'm a completely different person now, although, i have the same sense of privacy today.

Feel free to contact me any time about one-time pad encryption and keeping prying eyes out, it is a subject I am passionate about. "This many kilobits of this or that" "RSA or whatever" interests me NONE. Pre-shared, one-time pads are where its at if you value privacy!

 

[user 6789]

Pretty obvious parahunter has never heard of one timepads.

 

[Schattentarn]

I kinda think most viewers of these threads work for the government after it was learned Bill Clinton was monitoring all white men with guns and who stored food. The government can probably defeat any measures anyone here would dream up.

 

[MNwr786]

My friend made huge improvements to my program and made it into an android APK (which I never could have done alone) intended for use with tablets and other android devices that will never see the internet. Now, the program generates and captures QR codes using the camera that represent the encrypted data so that a networked phone can send it without the program or keys ever seeing the internet. We put our one-time random pad keys on an SD card, partitioned them to remove the majority of free space, then filled in all remaining free space with useless text data so the cards are completely full ~ then shared them in person. Now, when it rewrites used key data, it forcefully overwrites the same spot with zero's. As for the wear leveling algorithm and potential for memory available to the hardware only, after rewriting the used portion of the keys, it shuffles the rest around several times to limit the possibility of residual key data remaining on intact portions of the hardware-only accessible memory used for wear leveling (assuming it exists like it does with SSD drives). It was my intention to physically damage the hardware in the tablets or corrupt the modem/radio firmware to prevent any communication to and from the device wirelessly, but so far, with no service plan and in airplane mode, my spectrum analyzer has detected not a peep from it (to the surprise of my paranoid side). Now, when we want to talk, we just text a picture of what the offline device generated as a qr code or use the offline devices' camera to grab the QR from the online device that received it and nothing with encryption keys ever sees a networked device, and is destroyed instantly upon use! Not to mention, we do not keep the SD cards in the tablets, good luck finding that just to see what we will say next lol. Funniest part, we really have nothing to hide, just a means to defend privacy and ruffle the feathers of those who don't value it I hope they get paranoid like they want us to be! F*** 'em!

 

[campandtravel]

The government can probably defeat any measures anyone here would dream up.

Well then I guess no one should ever try anything.

 

[Schattentarn]

Well then I guess no one should ever try anything.

Well, if you want encryption, there is a very easy way to do it. Secure email: ProtonMail is free encrypted email. It is all encrypted, free.

 

[GaRp58]

Well, if you want encryption, there is a very easy way to do it. Secure email: ProtonMail is free encrypted email. It is all encrypted, free.

My GMX emails are all also encrypted free, from servers in Germany, not the US, not available to the NSA and I have a Norton VPN with which I can daily choose where I am located in the internet, any nation I choose from before I go online...
The only thing most people never know or hear about...if you have an encryption software in America and want to sell it online and use it online...you must first give a copy of it to the ABC companies there so that they can "TRY IT" first:
""just to make sure it does not compromise theirs"".
Which means any software you have not written yourself and privately shared with your receiving partners...THEY already have a copy of it, sorry folks. Gary

 

[MNwr786]

I have a paid protonmail account too, I use their VPN also most of the time I'm online. The original concept behind my program was to allow for the input of a truly random key rather than depending on algorithms and logic. The reasoning, as explained in an above post, was to eliminate any possibility of cracking the code without having the key, as unlike codes produced with algorithms, there is no way to validate the key because it is not tied to logic or pattern. The result is that the coded message can be decoded to anything you want simply by using a different random key, and without a copy of the original, there is no way to tie it to a message. XYZ could mean "cat", but with an equally random key, it could also mean "dog". As long as both parties burn that key soon as its used, the truth is gone forever. I now have a cheap tablet that is completely dedicated to the use of the program.

 

[Proud Prepper]

Windscribe VPN does not have logs. But it's Canadian.

 

[user 6789]

I kinda think most viewers of these threads work for the government after it was learned Bill Clinton was monitoring all white men with guns and who stored food. The government can probably defeat any measures anyone here would dream up.

Except for one time pads

 

[campandtravel]

Deleted

 

[MNwr786]

I got a VPN question, Lets say I fire up my vpn connection and open a private browser and start looking at websites that I dont want others knowing I was on. At the ssame time, my phone or computer continues to do background stuff like talk to google to see if I have an email or whatever it may be in the background. My device, regardless of VPN, is still reporting my CURRENT IP to several places, not just the site I am on. What stops those two companies from getting together and saying "today, brandon was here as this IP address during this time, do you have the same IP logged in over at XXXXXXXXX.com?" And whats stopping ISP's from accessing that same data pool? I assume a VPN is like a combination lock on the shed, it just keeps honest people out...

 

[DrHenley]

Over a VPN, the sites you visit see the IP address of the endpoint of the VPN, not your IP address, and it's not coming from your ISP.
Look at it like this. You mail a package using the U.S. Postal Service (which is like your ISP connecting to the VPN) to a courier (who is like the VPN) who then flies to Paris and mails your package for you to the destination address using La Posta in France. La Posta just sees what mailbox the courier mailed the package from, they don't know how he got it.

 

[EastenerWesterner]

Over a VPN, the sites you visit see the IP address of the endpoint of the VPN, not your IP address, and it's not coming from your ISP.
Look at it like this. You mail a package using the U.S. Postal Service (which is like your ISP connecting to the VPN) to a courier (who is like the VPN) who then flies to Paris and mails your package for you to the destination address using La Posta in France. La Posta just sees what mailbox the courier mailed the package from, they don't know how he got it.

Very good explanation.

 

[MNwr786]

Over a VPN, the sites you visit see the IP address of the endpoint of the VPN, not your IP address, and it's not coming from your ISP.
Look at it like this. You mail a package using the U.S. Postal Service (which is like your ISP connecting to the VPN) to a courier (who is like the VPN) who then flies to Paris and mails your package for you to the destination address using La Posta in France. La Posta just sees what mailbox the courier mailed the package from, they don't know how he got it.

Right, but other services like gmail, who run in the background at the same time, are simultaneiously seeing the same endpoint of the VPN. Whats stopping them from comparing logs for profit? Google knows its me, I'm signed in. Same thing with any other app I have that uses a paid subscription. If someone that sees my credentials also sees my VPN endpoint, they can then share the knowledge of "who is using that endpoint" with those who want to know elsewhere on the web (those sites who I have not shared credentials wit).

 

[EastenerWesterner]

Right, but other services like gmail, who run in the background at the same time, are simultaneiously seeing the same endpoint of the VPN. Whats stopping them from comparing logs for profit? Google knows its me, I'm signed in. Same thing with any other app I have that uses a paid subscription. If someone that sees my credentials also sees my VPN endpoint, they can then share the knowledge of "who is using that endpoint" with those who want to know elsewhere on the web (those sites who I have not shared credentials wit).

Once you are on VPN all internet communications are on VPN.

Cisco CCNA. 20 years out of date, but i believe it still holds true.

 

[MNwr786]

Once you are on VPN all internet communications are on VPN.

Cisco CCNA. 20 years out of date, but i believe it still holds true.

EXACTLY MY POINT! You connect to both the website you want anonymity with and the site you share your credentials with using the same darn VPN endpoint. One knows who you are, the other does not. Profit opportunity.

 

[MNwr786]

I just turned on my VPN. I think I am safe going wherever I want on the web because nobody knows it's me. However, at the same time, my radar app (which I have a paid subscription for) does an automatic update. It does so on the same VPN tunnel, but with my identifying information. My weather app now knows I an using such and such IP suring this timeframe. Same thing with emails or push notifications, websites you identify to voluntarily in the background are seeing your VPN endpoint (but still know its you because your device said so). The bank, whom I just logged into with my VPN, now knows that today I was using whatever VPN endpoint. If there is a database run by the feds that wants to match activity from various unknown VPN endpoints, all they gotta do is bribe/threaten the people that already know its you thanks to background apps or unintentional activity. Its almost like you need to reconnect to a new endpoint every time you do something different online and, at the same time, prevent all other apps from running in the background. If you run windows, open task manager, go to resource monitor, then watch how many times it phones home! It happens when you switch to a vpn too, but your computer ID doesn't change. You are screwed no matter what now.

There will always eb a connection happening in the background with your credentials to someone other than the site you are expecting anonymity. All they gotta do is swap some favors and your ******. And who passes up an opportunity to profit from automatically collected data?? Nobody these days.

 

[MNwr786]

I bet, in todays war on privacy, the most valuable hack in the world would be a simple script on your phone that sent your device's unique id to an online server every 30 seconds. Thats all it would take to 100% monitor what everyones VPN endpoint is and when. And as everyone who has ever set their phone next to an AM receiver already knows, that bitch is constantly talking to someone!

 

[DrHenley]

EXACTLY MY POINT! You connect to both the website you want anonymity with and the site you share your credentials with using the same darn VPN endpoint. One knows who you are, the other does not. Profit opportunity.

So if your question is, "Is a VPN bulletproof security?"
I have 45 years of IT experience in just about every aspect of IT and am a retired IT director. I wrote a password sniffer in the 1970s just to see if I could...and I did and it worked. My answer based on my experience is NO! There is no such thing as bulletproof security. But the volume of traffic on the Internet is so large that they would have to have a good reason to go to that trouble to trace your VPN.

Going back to the courier explanation, they could watch the mailbox, see who the courier was, tail him back to the U.S. and eventually trace things back to you. But they would have to have a damn good reason to go that trouble.

 

[AmmoCan88]

Well, if you want encryption, there is a very easy way to do it. Secure email: ProtonMail is free encrypted email. It is all encrypted, free.

I use Protonmail myself, but it's important to remember that even if you use Protonmail, that doesn't mean that a standard email sent from Protonmail is protected/encrypted. Only Protonmail-to-Protonmail is protected, or if you send an email with encryption, which most don't understand how to use.

Windscribe VPN does not have logs. But it's Canadian.

Use Proton VPN. They offer "double protection" (they call it "secure core"). The NSA and probably others can figure out typical VPN's if they set out to do so.

Funniest part, we really have nothing to hide, just a means to defend privacy and ruffle the feathers of those who don't value it I hope they get paranoid like they want us to be! F*** 'em!

You might think you have nothing to hide, but your government might disagree. What you think is unproblematic and innocent, your government might disagree, and act accordingly against you. Said/wrote only women can be pregnant? You might be in trouble already.

 

[AmmoCan88]

I got a VPN question, Lets say I fire up my vpn connection and open a private browser and start looking at websites that I dont want others knowing I was on. At the ssame time, my phone or computer continues to do background stuff like talk to google to see if I have an email or whatever it may be in the background. My device, regardless of VPN, is still reporting my CURRENT IP to several places, not just the site I am on. What stops those two companies from getting together and saying "today, brandon was here as this IP address during this time, do you have the same IP logged in over at XXXXXXXXX.com?" And whats stopping ISP's from accessing that same data pool? I assume a VPN is like a combination lock on the shed, it just keeps honest people out...

It sounds like you only use VPN in your browser only (built-in VPN). If you use e.g. Proton VPN, all traffic will be under VPN protection.

But they would have to have a damn good reason to go that trouble.

The more trouble for them, the better.

My friend made huge improvements to my program and made it into an android APK (which I never could have done alone) intended for use with tablets and other android devices that will never see the internet. Now, the program generates and captu .......... at received it and nothing with encryption keys ever sees a networked device, and is destroyed instantly upon use! Not to mention, we do not keep the SD cards in the tablets, good luck finding that just to see what we will say next lol. Funniest part, we really have nothing to hide, just a means to defend privacy and ruffle the feathers of those who don't value it I hope they get paranoid like they want us to be! F*** 'em!

Do you have the source code? It's a little difficult to follow...

 

[MNwr786]

Do you have the source code? It's a little difficult to follow...

I will have to ask my friend (who wrote it for android) for the source code, if he still has it. There are decompilers online that would probably do it.

I only know a little c# in visual studio. He uses that game building engine (unity) to make apps because, with the same code, it can exported to any format for any OS. So, I am sure, because it contains unity engine stuff, the program is a litle bigger size wise than what would be if coded for android without unity. Neither of us know how to do that in VS, so thats why he built it in unity.

I could make a short video on how it works, but I will try to explain it better here. Here are the key steps:

• The devices with the encryption app are on tablets with no data/cellular/wifi or bluetooth connectivity. These tablets are isolated from the internet and other devices 100% of the time.
• The tablet allows you to type in some text, then it encodes it with a random one-time pad it has on a sd card and creates a QR code and displays it on the screen
• you then take your regular cell phone and take a picture of the QR code on the tablet screen and send it to your friend
• he grabs his offline tablet, opens the app, and the camera on the offline tablet grabs the QR code (the secret message) from the networked device you sent it to and decodes it

This may sound like nothing special, but here are the things that make it secure

• a one-time pad is an encryption key that has no logic and never repeats. It is true randomness.
• Both offline tablets have matching folders of this random one-time pad data on an SD card. A massive amount of it. Once either of the devices uses a section of the one-time code data, it remembers what folder, file and line that key segment came from, adds that location info to the QR code message, then deletes the key section it just used by writing zeros over that location.
• At this point, the creator of the encoded qr code has no ability to decode it. You now have a QR of the secret message, but no way to decode it because the app already deleted the key.
• As long as both people keep their sd cards with the matching one-time pad data secure (they are easy enough to hide), and never insert them into a networked device, nobody else can decode the QR.
• After the recipient decodes it, his folder also has that key chunk written over destroying it on his end (now both copies of that key are gone forever). So, even if the QR was intercepted via stingray or whatever gov tech is out there, it cannot be decoded because the only keys to it are not only gone forever, but were never online to begin with.
• The one-time pad data is thus kept off the internet completely and the only thing that sees the "network" is encrypted. A photo of a QR full of random text.
• If you use true randomness to encode something, the code generated carries with it the same randomness as the one-time pad and cannot be cracked.
• If that is hard to understand, think of it like this. If I encode "HELP" with GWTI and get "EUVT" out, you wouldn't know if I used GWTI (decoding to "help") or TEFO decoding to "bomb". Because GWTI and TEFO have no logic or pattern associated with them indicating that one was correct and the other was not. For that reason, there is absolutely no way to know what key wasused because any carefully selected random-looking key could make it output any message you want, and the key looks just as randomly applicable. If I repeated a chunk of key, like GWTIGWTIGWTIGWTI, obviously a pattern would emerge and the key could be figured out. But if no part of it is reused and not based on something logical, it cannot be cracked due to the infinite, literally infinite, possibilities.