EndCryptor protects old encrypted emails - that were copied by an adversary when they traversed the internet - also then when the adversary gets current encryption keys by hacking into user's computer.

Easy to use

No knowledge of cryptography is required. The user interface is similar to a typical email client. User's current email account is used to deliver the encrypted emails.

End-to-End Encryption

The email is encrypted at sender’s computer and decrypted at receiver’s computer. Only the true receiver can decrypt the email.

Quantum attack resistant

It may be possible that within 10-15 years there will be computers that can break current classical public keys. EndCryptor uses classical public keys and new quantum attack resistant public keys.

Patented technology, state of the art cipher and public keys

The protocol that provides the features has been patented in USA. The implementation of symmetric encryption and public keys uses publicly available source code developed by the scientists who designed the systems.

Main features

EndCryptor offers features that are essential for real world protection: backward security and recovery from an attack. It is important that there is protection when a hacker gets access to current secret encryption/decryption keys.

EndCryptor is more secure than competitors

Comparison between EndCryptor and S/MIME and the PGP-family of email encryption products (PGP, OpenPGP, GnuPG, ...) in case of a successful spying attack which reveals current secret keys - like private keys of public keys - to the attacker.
	EndCryptor	S/MIME and PGP-family
Backward security (= are encrypted messages sent to the victim before the attack protected?)	YES	NO
Recovery from the attack will happen	When the next message from the victim is decrypted. In quantum attack when next quantum attack resistant DiffieHellman key exchange is done.	When the new public key of the victim is received. This usually happens at predetermined intervals - after several months or years. No protection against quantum attacks.
Identity theft will be revealed	YES	NO

Recently this kind of attack has been done e.g. by a hacker attacking Hacking Team spyware company and malwares Sauron, APT30, Red October, TeamSpy and Mask ¹ - which operated undetected about 5, 10, 5, 10 and 7 years, respectively - and stole among other things encryption keys. The main targets of e.g. Mask fall into the following categories: government institutions, diplomatic / embassies, energy, oil and gas companies, research, private equity firms, activists.

Without backward security and recovery from attack a single successful spying attack into your computer leads to the exposure of all previous and future encrypted communication sent to you! In some solutions also all communication sent from you is exposed – this happens if the solution is such that the sender of a message can decrypt it after its encryption! After a successful attack the adversary does not need to access your computer anymore. What the adversary then needs is encrypted messages created before and after the attack. Using the information provided via the attack they can be decrypted. In the light of recent leaks about state level data interception and collection it is known that encrypted messages (emails, chats …) are routinely collected and stored - in the hope that the keys are later obtained.

The spying attack can e.g. be the utilization of dedicated spyware, worm, virus or the usage of a newly published security hole through which the computer can be accessed from the network and then the usage of a keylogger to capture the entry password to the encryption software's database (S/MIME certificate, keyring or whatever it is called) and the password's and the data's transmittal to the attacker. This exposure of the security data can happen other ways also: the user turns from friend to foe and reveals his own security data to the adversary; or is forced (e.g. by a court order) or lured to reveal current security data; etc.

After the exposure old and new encrypted messages sent to the victim can be decrypted unless the software is prepared to face the exposure of its security database.

If recovery from attack is provided then after the recovery the attacker must be able to obtain the security data again in order to be able to continue decrypting new messages - this may, however, now be impossible e.g. if the program containing the security hole has been updated and the bug fixed.

EndCryptor is a solution that considers the unwanted but realistic possibility that at some point in time the security data - private keys, etc. - are revealed to an adversary. Our results in case of a classical attack: old sent and received communication of the victim is protected and also future sent communication from the victim is protected. The restoration of total security happens when the next message from the victim has been decrypted.

The features offered - backward security and restoration of security - are new on the offline communication market i.e. in email communication².

Both the sender and the receiver must have EndCryptor installed. An email account on email server is needed - same account (i.e. user's current email account) can be used for unencrypted emails and encrypted emails. Encrypted emails are typed using EndCryptor and they are sent and received using EndCryptor. A encrypted email is a file that is an attachment in an ordinary email. The sending and receiving is enabled by defining user's email account's SMTP and IMAP settings into EndCryptor, e.g. Gmail can be used.
The cipher used is 256-bit keysize ChaCha20.
Encryption keys of messages are determined using elliptic curve public key technology (classical: Edwards curve Ed25519 and corresponding Curve25519, quantum attack resistant: SIDH 2.0 and 3.0 supersingular isogeny Diffie-Hellman keys designed by Microsoft).
At the beginning of the email exchange the user published long term public keys are responsible for the protection of the email. EndCryptor puts inside the first encrypted emails newly created short term public keys that initialize the patented protocol that continuously exchanges internal short term public keys when emails are being exchanged.
Each message ends with an authentication mac and signature. This ensures to the receiver that the message was created by the claimed sender and that the message was not altered during traversal, read more.
After the decryption the correctness of the plaintext is verified using Poly1305 authentication code.
The sent and received messages are stored in encrypted form on a user’s computer – the user can view their decrypted contents when correct entry password to EndCryptor has been given. The stored messages can be searched, moved between different user creatable mailboxes.
Messages can be exported in .eml format for importing into an email archiving solution and in html format for easy reading. The .eml format exported files are digitally signed to detect tampering. They can also be viewed by many email client programs or dragged and dropped into an existing local email folder (e.g. into Mozilla Thunderbird). The export feature allows the user to have a complete cleartext archive of the communication.
The stored messages can be backed up by copying and the backups can be decrypted using a personal or a companywide (optional) export key. EndCryptor can take a backup of the security database and restore it. That backup can be encrypted. The stored emails can also be backed up by EndCryptor immediately after they have been written to disk.

Properties under classical attack when the security database of e.g. Alice is exposed

Old and future messages sent from Alice are protected!
Backward security: encrypted messages that have been decrypted by Alice are protected.
Recovery from an attack: when the next new message from Alice to Bob has been decrypted then the messages from Bob to Alice cannot anymore be decrypted by adversary.
Certain kind of protection against identity theft: either the theft attempt fails or it succeeds but then all future messages exchanged between Alice and Bob will be rejected. Protection against identity theft is important since a user may have blind reliance on the protection given by a digital signature. If the security data is exposed to a hacker then identity theft can be tried.

Reports messages that have not been decrypted. The sender of a message can be sure that the receiver has decrypted the message. Important e.g. when the message contains some latest technical document that must be used by the receiver³.
Possibility to delete the keys of a missing message - if a message is encrypted but not received then the intended receiver can delete its decryption keys. This requires that the receiver has received a newer message from the sender.
Protection against replay attack where an adversary copies an encrypted message during its traversal in the net and later resends it: 1) a message can be decrypted only once 2) the decryption keys of missing messages can be deleted.
If EndCryptor is used for sending or receiving it stores the received certificates from the email server. EndCryptor counts the number of times a certificate is used and shows the properties of the certificates. Certificates can be imported and exported to/from the collection of certificates. It can be specified which certificates are allowed to be received – if a new certificate is received the user is prompted for acceptance. This is a highly advanced option and is motivated by the so-called “compelled certificate creation attack” or a hacking attack against a Certificate Authority. In those attacks some Certificate Authority has written a certificate of the email server to a wrong party or a hacker has gained the ability to write certificates in the name of the Certificate Authority. Note that some Certificate Authorities have stopped their business because of a successful hacking attack. The possible forgery of certificates is very annoying because the whole idea of certificates is that they can be trusted. If the above mentioned attacks succeed the already encrypted EndCryptor message that is an attachment in the email stays protected but the attacker gains user’s username and password to the email server. To read about the risks involved when using SSL based (or web-based HTTPS solution) see the risks of SSL.
Compression of plaintext. Required amount of random bytes are added to hide the length of this compressed plaintext - encrypted messages have different sizes even if their decrypted content is the same. File compression results for selected files from the Canterbury Corpus:

File	Size	EndCryptor	bpc
e.coli	4,638,690	1,223,810	2.11
bible.txt	4,047,392	853,556	1.69
world192.txt	2,473,400	474,528	1.53
kennedy.xls	1,029,744	130,285	1.01

bpc = bits per character (byte). EndCryptor was used with the default settings.

A message may have more than one receiver. Contacts can be grouped.
File wiping, calculation of a cryptographic hash value (checksum) of a file.
If an Internet connection is considered to be too risky then EndCryptor can be run entirely disconnected from the network. When a message is encrypted a list of its receivers can be stored in a text format, the message and the list of its recipients can be stored in user given folder. The encrypted message and this list are moved to the actual sending machine using removable media. When decryption is needed the encrypted message is delivered to the receiving EndCryptor again using removable media. EndCryptor can be set to monitor some user given folder for new encrypted messages. A custom made program can be defined so that it is used whenever a message is being sent.
The security database and the stored sent and received messages can be moved to removable media and accessed from it. Thus it is possible to use EndCryptor both from office and laptop computers. The size of an empty security database is about 1 MB.
The licensing and email account configuration can be done automatically during program startup without user action if a proper file is placed into a specific folder on user’s computer.

Tutorial on public keys	The risks of SSL
Compare to competitors	Avoid security through obscurity
Cryptographic technical details	Hash function used
Download EndCryptor	Pricing
Features pdf (592KB 2018-03-23)	Documentation pdf (952 KB MB 2018-03-23)
Quickstart	Useful Tips - Screenshots
Cryptographic strength	Passphrase Generator

Notes:

1 ^. On August 2016 security companies Kaspersky and Symantec revealed a spying operation named as Project Sauron or Remsec which had run undetected about 5 years. The operation was a spying
operation, which according to Kaspersky was: "designed to enable long-term cyber-espionage campaigns" and "has high interest in communication encryption software widely used by targeted governmental organisations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the software." Symantec says about the malware that there is a "module that contains a string named “Sauron” in its code. Given its capabilities, it is possible the attackers have nicknamed the module after the all-seeing villain in Lord of the Rings." On July 2015 it was reported that a hacker stole massive amounts of data from Hacking Team's servers and uploaded it to internet for everybody to read. The company is a spyware developer for governments and law enforcements. The stolen data included a GPG private key of an engineer thus exposing all GPG encrypted traffic to this person. Did the victim use a server that automatically uses GPG and therefore stores the private keys? On April 2015 network security company FireEye reported that malware named APT30 had been found to have been spying 10 years mainly in South East Asia. Among data it collected were files ending with .pgp. The malware is 'particularly interested in regional political, military, and economic issues, disputed territories, and media organizations and journalists who report on topics pertaining to China and the government’s legitimacy'. On July 2014 F-Secure reported about CosmicDuke malware which had attacked against NATO and European government agencies. This malware stole among other things certificates and their private keys. On February 2014 Kaspersky Lab announced that they had found and analyzed Mask - "an advanced threat actor that has been involved in cyber-espionage operations since at least 2007 ... one of the most complex APT we observed ... more than 380 unique victims in 31 countries ... could be a nation-state sponsored campaign ... can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations ... 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone". Interestingly the keylogger module was named 'PGPsdkDriver'. The Red October malware which was also found and analyzed by Kaspersky Lab (results published in January 2013) collected *.crt, *.cer (these are certificate related), *.pgp, *.gpg, pubring.*, secring.* (PGP, and GPG related) files and recorded key presses and values in password fields. The Red October was operating about 5 years and targeted diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia. A report published on March 2013 from CrySys Lab in Hungary says about TeamSpy malware: “Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets”. The malware collected .pgp and .p12 (certificate related) files, victims include Embassy of NATO/EU state in Russia and multiple research/educational organizations in France and Belgium. TeamSpy was operating for almost a decade. The Winnti malware found in April 2013 collects certificates and their private keys. The Nimkey virus (detected 2010) steals keystrokes and certificates (e.g. to get the private key of a S/MIME certificate). First example of a virus that stole PGP’s security database 'keyring' was Caligula virus (1999), this attack did not use a keylogger, but was a proof of concept attack.

2 ^. In online communication (e.g. chatting, SSL or https) the corresponding term for backward security is Perfect Forward Secrecy (PFS) – which means that if a message is decrypted securely now it cannot be decrypted again in the future by opponent even if the opponent obtains the encryption keys of that future time. To read more of the risks of web based solutions read The risks of SSL page.

3 ^. Encrypted messages are numbered and they contain an encrypted list of earlier messages that are not decrypted. When you receive a message and decrypt it you know which messages sent by you were not decrypted when the received message was encrypted. The report of each contact's not decrypted messages is shown at request.

Main Window:

Main Window

Email Composing Window:

Compose New Email

Add New Contact:

Add New Contact