We
communicate in English and in Finnish (Vastaamme
tarvittaessa suomeksi)
Enternet, Inc. (Enternet Oy)
Finland
VAT nr.: FI08210504
Superior
protection for the real world
EndCryptor protects old encrypted emails even if a
hacker gets current encryption keys.
Easy to use
No knowledge of
cryptography is required. The user interface is similar to a
typical email client. User's current email account is used to deliver the encrypted emails.
End to End
Encryption
The
email is encrypted at sender’s computer and decrypted at receiver’s
computer. Only the true receiver can decrypt the email.
Quantum attack resistant
It
may be possible that within 10-15 years there will be computers that
can break current classical public keys. EndCryptor uses
classical public keys and new quantum attack resistant public keys.
Patented technology, state of the art cipher and public keys
The
protocol that provides the features has been patented in USA. The
implementation of symmetric encryption and public keys uses publicly
available source code developed by the scientists who designed the
systems.
Main features
EndCryptor offers features that are essential for real world
protection: backward security and recovery from an attack. It is
important that there is protection when a hacker gets access to current secret encryption/decryption keys.
EndCryptor
is more secure than competitors
Comparison
between EndCryptor and S/MIME and the PGP-family of email encryption
products (PGP, OpenPGP, GnuPG, ...) in case of a successful spying
attack which reveals current secret keys to the attacker.
EndCryptor
S/MIME and PGP-family
Backward
security (= are encrypted messages sent to the victim before
the attack protected?)
YES
NO
Recovery from the attack will happen
When the next message from the victim is decrypted. In quantum attack
when next quantum attack resistant DiffieHellman key exchange is done.
When the new public key of the victim is received. This usually happens
at
predetermined intervals - after several months or years. No protection against quantum attacks.
Recently
this
kind of attack has been done e.g. by a hacker attacking Hacking Team
spyware company and malwares Sauron, APT30,
Red October,
TeamSpy
and Mask 1
- which operated
undetected
about 5, 10, 5, 10 and 7 years, respectively - and stole
among
other things encryption keys. The main targets of e.g. Mask fall into
the following
categories: government institutions, diplomatic / embassies, energy,
oil and gas companies, research, private equity firms, activists.
Without
backward security and recovery from attack a single successful spying
attack into your computer leads to the exposure of all
previous and future encrypted communication sent to
you! In some solutions also all communication sent from
you is exposed – this happens if the solution is such that the sender
of a message can decrypt it after its encryption! After a
successful attack the adversary does not need to access your computer
anymore. What the adversary then needs is encrypted messages created
before and after the attack. Using the information provided via the
attack they can be decrypted. In the light of recent leaks about state
level data interception and collection it is known that encrypted
messages (emails, chats …) are routinely collected and stored - in the
hope that the keys are later obtained.
The
spying attack can e.g. be the utilization of dedicated spyware, worm,
virus or the usage of a newly published security hole through which the
computer can be accessed from the network and then the usage of a
keylogger to capture the entry password to the encryption software's
database (S/MIME certificate, keyring or whatever it is called) and the
password's and the data's transmittal to the attacker. This exposure of
the security data can happen other ways also: the user turns
from friend to foe and reveals his own security data to the
adversary; or is forced (e.g. by a court order) or
lured to reveal current security data; etc.
After
the exposure old and new encrypted messages sent
to the victim can be decrypted unless the software
is prepared to face the exposure of its security database.
If
recovery from attack is provided then after
the recovery the attacker must be able to obtain the security
data again in order to be able to continue decrypting new messages -
this may, however, now be impossible e.g. if the program containing the
security hole has been updated and the bug fixed.
EndCryptor is a
solution that considers the unwanted but realistic possibility that at
some point in time the security data - private keys, etc. - are
revealed to an adversary. Our results in case of a classical
attack: old sent and received communication of the victim is protected
and also future sent communication from the victim is protected. The
restoration of total security happens when the next message from the
victim has been decrypted.
The
features
offered - backward security and restoration of security - are new on
the offline communication market i.e. in email communication2.
Both
the sender and the receiver must have EndCryptor installed. An email
account on email server is needed - same account (i.e. user's current
email account) can be used for unencrypted emails and encrypted emails.
Encrypted emails
are typed using EndCryptor and they are sent and
received using EndCryptor. A encrypted email is a file
that is an attachment in an ordinary email. The sending
and receiving is enabled by defining user's email account's SMTP and IMAP settings into EndCryptor, e.g. Gmail can be used.
The cipher used is 256-bit keysize ChaCha20.
Encryption keys of messages are determined using elliptic curve
public key technology (classical: Edwards curve Ed25519 and
corresponding Curve25519, quantum attack resistant: SIDH 2.0 supersingular
isogeny DiffieHellman keys designed by Microsoft).
At
the beginning of the email exchange the user published long term public
keys are responsible for the protection of the email. EndCryptor
puts inside the first encrypted emails newly created short term public
keys that initialize the patented protocol that continuously changes
internal short term public keys when emails are being exchanged.
Each message ends with an authentication mac and signature. This ensures to
the receiver that the message was created by the claimed sender and
that the message was not altered during traversal, read more.
After
the decryption the correctness of the plaintext is verified using
Poly1305 authentication code.
The
sent and received messages are stored in encrypted form on a user’s
computer – the user can view their decrypted contents when correct
entry password to EndCryptor has been given. The stored messages can be
searched, moved between different user creatable mailboxes.
Messages
can be
exported
in .eml format
for importing into an email archiving solution and in html format for
easy reading. The .eml format exported files are digitally signed to
detect tampering. They can also be viewed by many email
client programs or dragged and dropped into an existing local email
folder (e.g. into Mozilla Thunderbird). The export feature allows the
user to have a complete cleartext archive of the communication.
The stored messages can be backed up by copying and the backups can be decrypted
using a personal or a companywide (optional) export key.
EndCryptor can take a backup of the security database and restore it.
That backup can be encrypted. The stored emails can also be backed up
by EndCryptor immediately after they have been written to disk.
Properties under classical attack when
the security database of e.g. Alice is exposed (suppose that
Alice is communicating with Bob):
Old
and future
messages sent from Alice are protected!
Backward
security: encrypted messages that have been decrypted by Alice are
protected.
Recovery
from
an attack: when the next new message from Alice to Bob has been
decrypted then the messages from Bob to Alice cannot anymore be
decrypted by adversary.
Certain kind of
protection against identity theft: either the theft
attempt fails or it succeeds but then all future messages exchanged
between Alice and Bob will be rejected. Protection against identity
theft is important since a user may have blind reliance on the
protection given by a digital signature. If the security data is
exposed to a hacker then identity theft can be tried.
Possibility
to
delete the keys of a missing message - if a message
is encrypted but not received then the intended receiver can
delete its decryption keys. This requires that the receiver has
received a newer message from the sender.
Protection
against replay attack where an
adversary copies an encrypted message during its traversal in the net
and later resends it: 1) a message can be decrypted only once
2) the decryption keys of missing messages can be deleted.
If EndCryptor
is used for sending or receiving it stores the received certificates
from the email server. EndCryptor counts the number of times a
certificate is used and shows the properties of the certificates.
Certificates can be imported and exported to/from the collection of
certificates. It can be specified which certificates are allowed to be
received – if a new certificate is received the user is prompted for
acceptance. This is a highly advanced option and is motivated by the
so-called “compelled certificate creation attack”
or a hacking attack against a Certificate Authority. In those
attacks some Certificate Authority has written a certificate of the
email server to a wrong party or a hacker has gained the ability to
write certificates in the name of the Certificate Authority. Note that
some Certificate Authorities have stopped their business because of a
successful hacking attack. The possible forgery of certificates is very
annoying because the whole idea of certificates is that they can be
trusted. If the above mentioned attacks succeed the already encrypted
EndCryptor message that is an attachment in the email stays protected
but the attacker gains user’s username and password to the email
server. To read about the risks involved when using SSL based
(or web-based HTTPS solution) see the
risks of SSL.
Compression
of plaintext. Required amount of random bytes are added to hide the
length of this compressed plaintext - encrypted messages have
different sizes even if their decrypted content is the same. File
compression results for selected files from the Canterbury
Corpus:
File
Size
EndCryptor
bpc
e.coli
4,638,690
1,223,810
2.11
bible.txt
4,047,392
853,556
1.69
world192.txt
2,473,400
474,528
1.53
kennedy.xls
1,029,744
130,285
1.01
bpc = bits per
character (byte). EndCryptor was used with the default settings.
A
message may have more than one receiver. Contacts can be grouped.
File
wiping, calculation of a cryptographic hash value (checksum) of a file.
If
an Internet connection is considered to be too risky then EndCryptor can
be run entirely disconnected from the network. When a message
is encrypted a list of its receivers can be stored in a text format,
the message and the list of its recipients can be stored in user given
folder. The encrypted message and this list are moved to the actual
sending machine using removable media. When decryption is needed the
encrypted message is delivered to the receiving EndCryptor again using
removable media. EndCryptor can be set to monitor some user given
folder for new encrypted messages. A custom made program can be defined
so that it is used whenever a message is being sent.
Both
parties that send and receive messages need that EndCryptor is
installed in order to encrypt and decrypt. No third parties are used
(e.g. to provide public keys, to provide online connection to a third
party machine, etc.) neither an online internet connection between the
sender and the receiver is needed. When encrypting/decrypting the
stored information on the EndCryptor's security database on the used
computer is used together with the information that the message in
question provides.
The
security
database and the stored sent and received messages can be moved to
removable media and accessed from it. Thus it is
possible to use EndCryptor both from office and laptop computers. The
size of an empty security database is about 1 MB.
The
licensing and email account configuration can be done automatically
during program startup without user action if a proper file is placed
into a specific folder on user’s computer.
1 ^.
On August 2016 security companies Kaspersky and Symantec revealed a
spying operation named as ProjectSAuron
or Remsec which had run
undetected about 5 years. The operation was a spying
operation,
which according to Kaspersky was: "designed to enable
long-term
cyber-espionage campaigns" and "has
high interest in communication encryption software widely used by
targeted governmental organisations. It steals encryption keys,
configuration files, and IP addresses of the key infrastructure servers
related to the software." Symantec says about the malware
that
there is a "module that contains a string named “Sauron” in its code.
Given its capabilities, it is possible the attackers have nicknamed the
module after the all-seeing villain in Lord of the Rings." On July 2015
it was reported that a hacker
stole massive amounts of
data from Hacking Team's servers
and uploaded it to internet for everybody to read. The company is a
spyware developer for governments and law enforcements. The stolen data
included a GPG private
key of
an engineer thus exposing all GPG encrypted traffic to this person. Did
the victim use a server that automatically uses GPG and therefore
stores the private keys? On
April 2015 network security company FireEye reported that malware
named APT30
had been found to have been spying 10 years mainly in South
East
Asia. Among data it collected were files ending with .pgp. The malware
is 'particularly interested in regional political, military, and
economic issues, disputed territories, and media organizations and
journalists who report on topics pertaining to China and the
government’s legitimacy'. On July 2014 F-Secure reported about CosmicDuke malware
which had
attacked against NATO and European government agencies. This malware
stole among other things certificates and their private keys.
On February
2014 Kaspersky Lab announced that they had found and analyzed Mask - "an advanced
threat actor that has been involved in cyber-espionage
operations since at least 2007 ... one of the most
complex APT we observed ... more than 380 unique victims in 31
countries ... could be a nation-state sponsored campaign ... can
intercept network traffic, keystrokes, Skype conversations, PGP keys,
analyse WiFi traffic, fetch all information from Nokia devices, screen
captures and monitor all file operations ... 32-and 64-bit Windows
versions, Mac OS X and Linux versions and possibly versions for Android
and iPad/iPhone". Interestingly the keylogger module was named
'PGPsdkDriver'. The Red
October malware which was also found and analyzed by
Kaspersky Lab (results published in January 2013) collected *.crt,
*.cer (these are certificate related), *.pgp, *.gpg, pubring.*,
secring.* (PGP, and GPG related) files and recorded key presses and
values in password fields. The Red October was operating about 5 years
and targeted diplomatic, governmental and scientific research
organizations in different countries, mostly related to the region of
Eastern Europe, former USSR members and countries in Central Asia. A
report published on March 2013 from CrySys Lab in Hungary
says about TeamSpy
malware: “Many of the victims appear to be ordinary users, but some of
the victims are high profile industrial, research, or diplomatic
targets”. The malware collected .pgp and .p12 (certificate related)
files, victims include Embassy of NATO/EU state in Russia and multiple
research/educational organizations in France and Belgium. TeamSpy was
operating for almost a decade. The Winnti malware
found in April 2013 collects certificates and their private keys. The Nimkey
virus (detected 2010) steals keystrokes and certificates (e.g. to get
the private key of a S/MIME certificate). First
example of a virus that stole PGP’s
security database 'keyring' was Caligula
virus (1999),
this attack did not use a keylogger, but was a proof of concept attack.
2
^.
In online
communication (e.g. chatting, SSL or https) the corresponding term for backward security is
Perfect Forward Secrecy (PFS) – which means that
if a message is decrypted securely now it cannot be decrypted again in
the future by opponent even if the opponent obtains the encryption keys
of that future time. To read more of the risks of web based solutions
read The risks of SSL
page.
3
^. Encrypted messages
are numbered and they contain an encrypted list of earlier messages
that are not decrypted. When you receive a message and decrypt it you
know which messages sent by you were not decrypted when the received
message was encrypted. The report of each contact's not decrypted
messages is shown at request.
Features pdf
Youtube
video on sending email (1:10)
