An End-to-End email encryption program - Protects email at rest and in motion
Superior protection for the real world
EndCryptor protects old encrypted emails - that were copied by an adversary when they traversed the internet - also then when the adversary gets current encryption keys by hacking into user's computer.
Easy to use
No knowledge of cryptography is required. The user interface is similar to a typical email client. User's current email account is used to deliver the encrypted emails.
The email is encrypted at sender's computer and it can be decrypted only at true receiver's computer.
Quantum attack resistant
It may be possible that before the year 2030 there will be computers that can break current classical public keys. EndCryptor uses classical public keys and new quantum attack resistant public keys. Note that otherwise current encrypted traffic can be copied and decrypted by quantum computers when (if) they become reality. When two persons communicate in turns the quantum protection starts from the second email (included).
Patented technology, state of the art cipher and public keys
The protocol that provides the features has been patented in USA. The implementation of symmetric encryption and public keys uses publicly available source code developed by the scientists who designed the systems.
EndCryptor offers features that are essential for real world protection: backward security and recovery from an attack. It is important that there is protection when a hacker gets access to current secret encryption/decryption keys.
EndCryptor is more secure than competitors
|Comparison between EndCryptor and S/MIME and the PGP-family of email encryption products (PGP, OpenPGP, GnuPG, ...) in case of a successful spying attack which reveals victim's current secret keys - like private keys of public keys - to the attacker.|
|EndCryptor||S/MIME and PGP-family|
|Backward security (= are encrypted messages sent to the victim before the attack protected?)||YES||NO|
|Recovery from the attack will happen||When the next message from the victim is decrypted. In quantum attack when next quantum attack resistant Diffie-Hellman key exchange is done.||When the new public key of the victim is received. This usually happens at predetermined intervals - after several months or years. No protection against quantum attacks.|
|Identity theft will be revealed||YES||NO|
|Recently private key stealing attack has been done e.g. by a hacker attacking Hacking Team spyware company and malwares Sauron, APT30,Red October, Team Spy and Mask1 - which operated undetected about 5, 10, 5, 10 and 7 years, respectively - and stole among other things encryption keys. The main targets of e.g. Mask fall into following categories: government institutions, diplomatic / embassies, energy, oil and gas companies, research, private equity firms, activists.|
Comparison between EndCryptor and browser based solutions
|Protection against MITM attack at startup due to hostile root certificate on user's computer||YES||NO||If
an attacker generated root
certificate is somehow (e.g. by malware, by forced user, by
evel maid, by evel customs officer or by company policy)
installed on user's
due to the nature of browser based encryption (SSL/TLS/https) this
enables the decryption of the traffic. This decryption happens ouside
of user’s computer between the user and the web server. Therefore the
attack is classified as a Man-In-The-Middle (MITM) attack. Companies
use this technique to decrypt their SSL traffic (includes browser
traffic) - motivation is to find viruses.
- Both the sender and the receiver must have EndCryptor installed. An email account on email server is needed - same account (i.e. user's current email account) can be used for unencrypted emails and encrypted emails. Encrypted emails are typed using EndCryptor and they are sent and received using EndCryptor. An encrypted email is a file that is an attachment in an ordinary email. The sending and receiving is enabled by defining user's email account's SMTP and IMAP settings into EndCryptor.
- The cipher used is 256-bit keysize ChaCha20.
- Encryption keys are determined using elliptic curve public
key technology (classical: Edwards curve Ed25519 and corresponding
Curve25519, quantum attack resistant: SIDH 3.3 supersingular
isogeny Diffie-Hellman keys designed by Microsoft). The protection
against quantum computers starts from the second exchanged email if the
parties communicate in turns.
- At the beginning of the email exchange the user published long term public keys are responsible for the protection of the email. EndCryptor puts inside the first encrypted emails newly created short term public keys that initialize the patented protocol that continuously exchanges internal short term public keys when emails are being exchanged.
- Each message ends with an authentication mac and signature. This ensures to the receiver that the message was created by the claimed sender and that the message was not altered during traversal, read more.
- After the decryption the correctness of the plaintext is verified using Poly1305 authentication code.
- The sent and received messages are stored in encrypted form on a user’s computer – the user can view their decrypted contents when correct entry password to EndCryptor has been given. The stored messages can be searched, moved between different user creatable mailboxes.
- Messages can be exported in eml format. They can be imported into email archiving solutions. The exported files are digitally signed to detect tampering. They can also be viewed by many email client programs or dragged and dropped into an existing local email folder (e.g. into Mozilla Thunderbird). The export feature allows the user to have a complete cleartext archive of the communication.
- The stored messages can be backed up by copying and the backups can be decrypted using a personal or a companywide (optional) export key. EndCryptor can take a backup of the security database and restore it. That backup can be encrypted. The stored emails can also be backed up by EndCryptor immediately after they have been written to disk.
- Old and future messages sent from Alice are protected.
- Backward security: encrypted messages that have been decrypted by Alice are protected.
- Recovery from an attack: when the next new message from Alice to Bob has been decrypted then the messages from Bob to Alice cannot anymore be decrypted by adversary.
- Certain kind of protection against identity theft: either the theft attempt fails or it succeeds but then all future messages exchanged between Alice and Bob will be rejected. Protection against identity theft is important since a user may have blind reliance on the protection given by a digital signature. If the security data is exposed to a hacker then identity theft can be tried.
- Reports messages that have not been decrypted. The sender of a message can be sure that the receiver has decrypted the message. Important e.g. when the message contains some latest technical document that must be used by the receiver 2.
- Possibility to delete the keys of a missing message - if a message is encrypted but not received then the intended receiver can delete its decryption keys. This requires that the receiver has received a newer message from the sender.
- Protection against replay attack where an adversary copies an encrypted message during its traversal in the net and later resends it: 1) a message can be decrypted only once 2) the decryption keys of missing messages can be deleted.
- EndCryptor stores the received SSL/TLS certificates from the email server and counts the number of times a certificate is used and shows the properties of the certificates. It is possible to require that the Certificate Transparency SCT List extension in the certificate must be validated - this e.g. prevents the usage of certificates that are issued by a non-public Certificate Authority. These kind of certificates can be used to decrypt SSL/TLS traffic. It can be specified which certificates are allowed to be received. Certificates can be imported and exported to/from the collection of certificates. The allowing/denying of specific certificates is a highly advanced option and is motivated by the attacks using the infrastructural problems of SSL/TLS which must be used when connecting to an email server. If an attack using hostile certificate succeeds the already encrypted EndCryptor message that is an attachment in the email stays protected but the attacker gains user’s user’s username and password to the email server. To read about the risks involved when using only SSL based (or web-based HTTPS) solution see the risks of SSL and Kazakhstan intercepting browser traffic.
- Compression of plaintext. Required amount of random bytes
are added to hide the length of this compressed plaintext -
encrypted messages have different sizes even if their decrypted content
is the same. File compression results for selected files from the Canterbury
File Size EndCryptor bpc e.coli 4,638,690 1,223,810 2.11 bible.txt 4,047,392 853,556 1.69 world192.txt 2,473,400 474,528 1.53 kennedy.xls 1,029,744 130,285 1.01
- A message may have more than one receiver. Contacts can be grouped.
- File wiping, calculation of a cryptographic hash value (checksum) of a file.
- If an Internet connection is considered to be too risky then EndCryptor can be run entirely disconnected from the network. When a message is encrypted a list of its receivers can be stored in a text format, the message and the list of its recipients can be stored in user given folder. The encrypted message and this list are moved to the actual sending machine using removable media. When decryption is needed the encrypted message is delivered to the receiving EndCryptor again using removable media. EndCryptor can be set to monitor some user given folder for new encrypted messages. A custom made program can be defined so that it is used whenever a message is being sent.
- The security database and the stored sent and received messages can be moved to removable media and accessed from it. Thus it is possible to use EndCryptor both from office and laptop computers. The size of an empty security database is about 1 MB.
Properties under classical attack when the security
database of e.g. Alice is exposed
(suppose that Alice is communicating with Bob):
bpc = bits per character (byte). EndCryptor was used with the default settings.
On August 2016 security companies Kaspersky and Symantec revealed a
spying operation named as Project Sauron or Remsec
which had run undetected about 5 years.
The operation was a spying operation, which according to Kaspersky was: "designed to
enable long-term cyber-espionage campaigns" and "has high interest in
communication encryption software widely used by targeted governmental
organisations. It steals encryption keys, configuration files, and IP
addresses of the key infrastructure servers related to the software."
Symantec says about the malware that there is a "module that
contains a string named “Sauron” in its code. Given its capabilities,
it is possible the attackers have nicknamed the module after the
all-seeing villain in Lord of the Rings." On July 2015 it was reported
that a hacker stole
massive amounts of data from Hacking Team's servers and
uploaded it to internet for everybody to read. The company is a spyware
developer for governments and law enforcements. The stolen data
included a GPG private
key of an engineer thus exposing all GPG encrypted
traffic to this person. Did the victim use a server that automatically
uses GPG and therefore stores the private keys? On April 2015
network security company FireEye reported that malware named APT30
had been found
to have been spying 10 years mainly in South East Asia. Among
data it collected were files ending with .pgp. The malware "is
particularly interested in regional political, military, and economic
issues, disputed territories, and media organizations and journalists
who report on topics pertaining to China and the government's
legitimacy". On July 2014 F-Secure reported about CosmicDuke
which had attacked against NATO and European government agencies. This
malware stole among other things certificates and their private keys.
On February 2014 Kaspersky Lab announced that they had found and
- "an advanced threat actor that has been involved in cyber-espionage
operations since at least 2007 ... one of the most
complex APT we observed ... more than 380 unique victims in 31
countries ... could be a nation-state sponsored campaign ... can
intercept network traffic, keystrokes, Skype conversations, PGP keys,
analyse WiFi traffic, fetch all information from Nokia devices, screen
captures and monitor all file operations ... 32-and 64-bit Windows
versions, Mac OS X and Linux versions and possibly versions for Android
and iPad/iPhone". Interestingly the keylogger module was named
"PGPsdkDriver". The Red October malware
which was also found and analyzed by Kaspersky Lab (results published
in January 2013) collected *.crt, *.cer (these are certificate
related), *.pgp, *.gpg, pubring.*, secring.* (PGP, and GPG related)
files and recorded key presses and values in password fields. The Red
October was operating about 5 years and targeted diplomatic,
governmental and scientific research organizations in different
countries, mostly related to the region of Eastern Europe, former USSR
members and countries in Central Asia. A report published on March 2013
from CrySys Lab in Hungary says about TeamSpy
malware: “Many of the victims appear to be ordinary users, but some of
the victims are high profile industrial, research, or diplomatic
targets”.The malware collected .pgp and .p12 (certificate related)
files, victims include Embassy of NATO/EU state in Russia and multiple
research/educational organizations in France and Belgium. TeamSpy was
operating for almost a decade. The Winnti malware
found in April 2013 collects certificates and their private keys. The Nimkey
virus (detected 2010) steals keystrokes and certificates (e.g. to get
the private key of a S/MIME certificate). First example of a
virus that stole PGP’s security database "keyring" was Caligula
this attack did not use a keylogger, but was a proof of concept attack.
2^. Encrypted messages are numbered and they contain an encrypted list of earlier messages that are not decrypted. When you receive a message and decrypt it you know which messages sent by you were not decrypted when the received message was encrypted. The report of each contact's not decrypted messages is shown at request.