An End-to-End email encryption program - Protects email at rest and in motion
Try for free now
The free trial period is 60 days after which no sending or receiving is possible unless a license is obtained. The stored emails can be viewed also after the trial period.
Superior protection for the real world
EndCryptor protects old encrypted emails - that were copied by an adversary when they traversed the internet - also then when the adversary gets current encryption keys by hacking into user's computer.
Easy to use
No knowledge of cryptography is required. The user interface is similar to a typical email client. User's current email account is used to deliver the encrypted emails.
End-to-End Encryption
The email is encrypted at sender's computer and it can be decrypted only at true receiver's computer.
Quantum attack resistant
It may be possible that before the year 2030 there will be computers that can break current classical public keys. EndCryptor uses classical public keys and new quantum attack resistant public keys. Note that otherwise current encrypted traffic can be copied and decrypted by quantum computers when (if) they become reality. When two persons communicate in turns the quantum protection starts from the second email (included).
Patented technology, state of the art cipher and public keys
The protocol that provides the features has been patented in USA. The implementation of symmetric encryption and public keys uses publicly available source code developed by the scientists who designed the systems.
Main features
EndCryptor offers features that are essential for real world protection: backward security and recovery from an attack. It is important that there is protection when a hacker gets access to current secret encryption/decryption keys.
EndCryptor is more secure than competitors
| Comparison between EndCryptor and S/MIME and the PGP-family of email encryption products (PGP, OpenPGP, GnuPG, ...) in case of a successful spying attack which reveals victim's current secret keys - like private keys of public keys - to the attacker. | ||
| EndCryptor | S/MIME and PGP-family | |
| Backward security (= are encrypted messages sent to the victim before the attack protected?) | YES | NO |
| Recovery from the attack will happen | When the next message from the victim is decrypted. In quantum attack when next quantum attack resistant Diffie-Hellman key exchange is done. | When the new public key of the victim is received. This usually happens at predetermined intervals - after several months or years. No protection against quantum attacks. |
| Identity theft will be revealed | YES | NO |
| Recently private key stealing attack has been done e.g. by a hacker attacking Hacking Team spyware company and malwares Sauron, APT30,Red October, Team Spy and Mask - which operated undetected about 5, 10, 5, 10 and 7 years, respectively - and stole among other things encryption keys. The main targets of e.g. Mask fall into following categories: government institutions, diplomatic / embassies, energy, oil and gas companies, research, private equity firms, activists. | ||
|
Comparison between EndCryptor and browser based solutions |
||
| EndCryptor | Browser based | |
| Protection against MITM attack at startup due to hostile root certificate on user's computer | YES | NO
See: Kazakhstan decrypts internet traffic targeting e.g. Gmail, Facebook |
If
an attacker generated root
certificate is somehow (e.g. by malware, by forced user, by
evel maid, by evel customs officer or by company policy)
installed on user's
computer then
due to the nature of browser based encryption (SSL/TLS/https) this
enables the decryption of the traffic. This decryption happens ouside
of user’s computer between the user and the web server. Therefore the
attack is classified as a Man-In-The-Middle (MITM) attack. Companies
use this technique to decrypt their SSL traffic (includes browser
traffic) - motivation is to find viruses. An additional encryption done in the browser (like doing PGP by javascript) does not give protection against this kind of attack - the javascript code that does the PGP encryption can be modified when intercepted and PGP's private key can be delivered to the attacker. |
Features:
- Both the sender and the receiver must have EndCryptor installed. An email account on email server is needed - same account (i.e. user's current email account) can be used for unencrypted emails and encrypted emails. Encrypted emails are typed using EndCryptor and they are sent and received using EndCryptor. An encrypted email is a file that is an attachment in an ordinary email. The sending and receiving is enabled by defining user's email account's SMTP and IMAP settings into EndCryptor.
- The solution is a true decentralized end-to-end encryption solution. Users can change their email addresses and email service providers and the encryption still works - of course contacts must be informed of the change of an email address. Thus there is no central server of Enternet Oy for all users which is needed for email delivery (which could be attacked by hostile parties, nor is there any javascript code that is delivered to users by a central server when using the product, nor is there any server that stores the private keys of users' public keys). This approach also means that Enternet Oy cannot be fooled/forced to deliver hostile code to specific users and that Enternet Oy is not able to decrypt or monitor the email traffic of users.
- The cipher used is 256-bit keysize ChaCha20.
- Encryption keys are determined using elliptic curve public
key technology (classical: Edwards curve Ed25519 and corresponding
Curve25519, quantum attack resistant: SIDH supersingular
isogeny Diffie-Hellman keys designed by Microsoft). The protection
against quantum computers starts from the second exchanged email if the
parties communicate in turns.
- At the beginning of the email exchange the user published long term public keys are responsible for the protection of the email. EndCryptor puts inside the first encrypted emails newly created short term public keys that initialize the patented protocol that continuously exchanges internal short term public keys when emails are being exchanged.
- Each message ends with an authentication mac and signature. This ensures to the receiver that the message was created by the claimed sender and that the message was not altered during traversal, read more.
- After the decryption the correctness of the plaintext is verified using Poly1305 authentication code.
- The sent and received messages are stored in encrypted form on a user’s computer – the user can view their decrypted contents when correct entry password to EndCryptor has been given. The stored messages can be searched, moved between different user creatable mailboxes.
- Messages can be exported in eml format. They can be imported into email archiving solutions. The exported files are digitally signed to detect tampering. They can also be viewed by many email client programs or dragged and dropped into an existing local email folder (e.g. into Mozilla Thunderbird). The export feature allows the user to have a complete cleartext archive of the communication.
- The stored messages can be backed up by copying and the backups can be decrypted using a personal or a companywide (optional) export key. EndCryptor can take a backup of the security database and restore it. That backup can be encrypted. The stored emails can also be backed up by EndCryptor immediately after they have been written to disk.
- Old and future messages sent from Alice are protected.
- Backward security: encrypted messages that have been decrypted by Alice are protected.
- Recovery from an attack: when the next new message from Alice to Bob has been decrypted then the messages from Bob to Alice cannot anymore be decrypted by adversary.
- Certain kind of protection against identity theft: either the theft attempt fails or it succeeds but then all future messages exchanged between Alice and Bob will be rejected. Protection against identity theft is important since a user may have blind reliance on the protection given by a digital signature. If the security data is exposed to a hacker then identity theft can be tried.
- Reports messages that have not been decrypted. The sender of a message can be sure that the receiver has decrypted the message. Important e.g. when the message contains some latest technical document that must be used by the receiver.
- Possibility to delete the keys of a missing message - if a message is encrypted but not received then the intended receiver can delete its decryption keys. This requires that the receiver has received a newer message from the sender.
- Protection against replay attack where an adversary copies an encrypted message during its traversal in the net and later resends it: 1) a message can be decrypted only once 2) the decryption keys of missing messages can be deleted.
- EndCryptor stores the received SSL/TLS certificates from the email server and counts the number of times a certificate is used and shows the properties of the certificates. It is possible to require that the Certificate Transparency SCT List extension in the certificate must be validated - this e.g. prevents the usage of certificates that are issued by a non-public Certificate Authority. These kind of certificates can be used to decrypt SSL/TLS traffic. It can be specified which certificates are allowed to be received. Certificates can be imported and exported to/from the collection of certificates. The allowing/denying of specific certificates is a highly advanced option and is motivated by the attacks using the infrastructural problems of SSL/TLS which must be used when connecting to an email server. If an attack using hostile certificate succeeds the already encrypted EndCryptor message that is an attachment in the email stays protected but the attacker gains user’s user’s username and password to the email server. To read about the risks involved when using only SSL based (or web-based HTTPS) solution see the risks of SSL and Kazakhstan intercepting browser traffic.
- Compression of plaintext. Required amount of random bytes are added to hide the length of this compressed plaintext - encrypted messages have different sizes even if their decrypted content is the same.
- A message may have more than one receiver. Contacts can be grouped.
- File wiping, calculation of a cryptographic hash value (checksum) of a file.
- If an Internet connection is considered to be too risky then EndCryptor can be run entirely disconnected from the network. When a message is encrypted a list of its receivers can be stored in a text format, the message and the list of its recipients can be stored in user given folder. The encrypted message and this list are moved to the actual sending machine using removable media. When decryption is needed the encrypted message is delivered to the receiving EndCryptor again using removable media. EndCryptor can be set to monitor some user given folder for new encrypted messages. A custom made program can be defined so that it is used whenever a message is being sent.
- The security database and the stored sent and received messages can be moved to removable media and accessed from it. Thus it is possible to use EndCryptor both from office and laptop computers. The size of an empty security database is about 1 MB.
Properties under classical attack when the security database on Alice's computer is exposed together with its access password (suppose that Alice is communicating with Bob):
