Good Enough Cryptography

Good Enough Cryptography (gecrypt) is an attempt to create a simple, passphrase-based file encryption tool founded on sound theory and realistic assumptions. The program derives its keys using PBKDF2, encrypts using AES-256-CBC, and authenticates using HMAC-SHA256. Unlike some other encryption programs, authentication is part of the design rather than an afterthought.

Good Enough Cryptography aims for strong notions of security: IND-CCA2, INT-CTXT and INT-PTXT. Criticism and cryptanalysis are welcome.

Note: The file format is in flux. Versions of gecrypt prior to 0.5 are incompatible with the current version.

Latest Version

gecrypt-0.5.zip (gpg)
  • File format change: The "encrypted header" approach used in previous releases added unnecessary complexity to the file format, and it relied on the ability to generate good, unpredictable random numbers. Random number generator weaknesses are discovered fairly often, so it seems wise not to rely on random numbers more than necessary.

    We now derive the payload authentication and encryption keys directly from the passphrase and a 256-bit nonce; the approach of storing randomly generated payload keys in an encrypted header is no longer used.

    In this version of the file format, the only randomness requirement (aside from the requirement that the passphrase must be unpredictable) is that the nonce must be unique for a given passphrase. The nonce is not secret and it does not need to be "random-looking". Reusing a nonce under the same passphrase reproduces the same derived keys, so it must never happen.

    We now also use CBC mode instead of CTR mode, since CBC mode leaks less information if an IV does happen to get reused under the same key: CTR mode with a repeated IV reveals the XOR of the two plaintexts, whereas CBC mode with a repeated IV reveals only how many leading blocks the two plaintexts have in common. The downside is that the --fixed-size option now only works with multiples of 16 bytes.

    Additionally, the minimum PBKDF2 iteration count (kdf-cost) has been reduced from 10 to 1. The minimum of 10 iterations was arbitrary and unnecessary. If people use weak passphrases with gecrypt, 10 iterations is not enough to provide any significant level of security, and allowing a single iteration avoids needless work when the passphrase is generated by some other automatic process (e.g. the output of an authenticated Diffie-Hellman key exchange).

  • Removed runtime AES-CTR tests, since we use AES-CBC mode now.
  • Removed some dead code.
  • Started moving some code out of main().

LICENSE.txt

Archived versions

Description

gecrypt --help

usage: gecrypt [options] [FILE]

options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         verbose mode
  -d, --decrypt         decrypt
  -o FILE, --outfile=FILE
                        write output to FILE (default: stdout)
  -k FILE, --keyfile=FILE
                        read key from FILE
  --keyfd=FD            read key from file descriptor
  --fixed-size=SIZE     pad output to a fixed size.  this prevents an
                        adversary from determining the size of the plaintext.
                        must be a multiple of 16. [encrypt only]
  --kdf-cost=ITERATIONS
                        advanced: specify how slow the PKCS#5 key derivation
                        should be (min: 1, default: 1000, max: 65535)
                        [encrypt only]

Archived versions:

gecrypt-0.4.tar.gz (gpg)
  • Add passphrase prompt. The master key can now be obtained via the terminal.
  • Add code to detect SHA256 miscalculation bug at runtime. This is the bug in PyCrypto 2.0.1 that occurs when the data being hashed has length equal to 55 (mod 64). Since PyCrypto 2.0.1 is the latest version available, we work around this bug by using hashlib.sha256 (from Python >= 2.5) instead, if it is available.
  • Add backward-compatibility support for Python 2.3 (or Python 2.2 with the 'optparse' and 'textwrap' modules borrowed from Python 2.3).
  • Test AES encryption at runtime.
  • This version still uses the gecrypt 0.3 file format.
gecrypt-0.3.tar.gz (gpg)
  • The previous version, 0.2, was not IND-CCA2 secure when the --onepass option was used.
  • Again, the file format used by this version is incompatible with the previous version. The new format incrementally applies the MAC to the ciphertext, so that every chunk of ciphertext can be authenticated. Note that you still need to check the return code of gecrypt in order to detect truncated ciphertext.
  • The new file format is documented in FILE-FORMAT-0.3.txt
gecrypt-0.2.tar.gz (gpg)
  • This version is primarily designed to be more accessible to cryptanalysts.
  • The file format used by this version is incompatible with the previous version. The biggest change is in how we derive the authentication key.
  • The new file format is documented in FILE-FORMAT.txt
  • Simplified implementations of the encryption and decryption functions are included for analysis purposes.
gecrypt-0.1.tar.gz (gpg)
Initial release.