Scrambled Eggs is a simple but secure encryption program. It has relatively few features, but is streamlined for simple, fool-proof operation. Scrambled Eggs uses a secure algorithm to encrypt any file on your Macintosh. It employs a randomly generated key file and an optional password. A user must have both the key and the password (if used), to decrypt a file encrypted with Scrambled Eggs.
The Ideas
Primitive Software:
Primitive Software is committed to producing high-quality software which is simple and intuitive to use. The theory is that if Primitive Pete can use it, anyone can. Primitive Software believes that users should not have to trade power for ease-of-use. Our motto is, "Walk softly and carry a big club."
Scrambled Eggs:
Experience has shown that most compromises of sensitive data could have been prevented by the simple elimination of human error or negligence. The principle behind Scrambled Eggs is that when handling sensitive data, the fewer opportunities for error, the better. Scrambled Eggs puts the power of a strong encryption algorithm behind a simple user interface. You don't have to be a rocket scientist to securely encrypt files using Scrambled Eggs. The program handles all of the dirty work for you.
The Execution
Quickstart:
To quickly get started using Scrambled Eggs, follow these steps. For greater security, however, please read the entire manual.
To Encrypt:
1. Run Scrambled Eggs by double-clicking its icon.
2. Ensure that the "Encrypt" radio button is selected. If you wish to incorporate the additional security of a password, type it into the box provided. Remember: Passwords are case-sensitive and may include any character you can type, including spaces.
3. If you have already generated a key, you may make it the current key by clicking the "Set Key" button and selecting the key file from the file requestor. If you do not have a key, or wish to generate another, you must click the "New Key" button and follow the directions for generating a key file. When typing random characters for a key file, it is slightly less secure to type the characters rapidly.
4. When the name of the key file you wish to use appears beside "Current Key:", simply click "Do It". Select the file you wish to encrypt from the requestor presented, then give your new encrypted file a name, or press <return> to accept the default name. It is slightly less secure to use the default name.
5. The user that decrypts the file must have a copy of the same key file that was used to encrypt the file. Also, if a password was used, he/she must also know that exact password.
To Decrypt:
1. Run Scrambled Eggs by double-clicking its icon, a document encrypted by Scrambled Eggs, or a Scrambled Eggs encryption key file.
2. Ensure that the "Decrypt" radio button is selected. If the file was encrypted with a password, you must type the same password into the box provided. If you do not know the password, you cannot decrypt the file. Remember: Passwords are case-sensitive and may include any character you can type, including spaces.
3. You must select the same key that was used to encrypt the file by clicking the "Set Key" button and selecting the key file from the file requestor. If you do not have a copy of the encryption key, there is no way to decrypt the file.
4. When the name of the encryption key file appears beside "Current Key:", simply click "Do It". Select the file you wish to decrypt from the requestor presented.
5. Please note that Scrambled Eggs will let you decrypt the file using any key you wish and any password (or no password). It is the decryptor's responsibility to ensure that the appropriate key and password are used. An incorrect password and/or key file may or may not actually produce a file, but only the correct ones will produce a copy of the original file or anything recognizable as such. This is a feature, not a bug.
The Process
Earlier releases of this program were accompanied by a detailed explanation of Scrambled Eggs' encryption algorithm. Modern thought on computer encryption is to mistrust an encryption program that does not have its algorithm published and subjected to lengthy public scrutiny. It is also common to publish the program's source code for the same scrutiny.
The encryption algorithm used by Scrambled Eggs was originally employed by the author in 1992 while working with international and domestic intelligence with the United States government. It was designed to encrypt/decrypt messages containing sensitive data between secure sites over unsecure phone lines. The original implementation was in an MS-DOS program titled "BC-Crypt", which was never released publicly, but is still in use with some law-enforcement agencies.
Scrambled Eggs is a modified implementation of the BC-Crypt algorithm with a simplified Macintosh interface. It is designed for the average user that doesn't care what kind of algorithm the program uses, but just wants to be sure that unauthorized users can't look at his/her secret stuff.
Beta testers of "Scrambled Eggs" almost unanimously reported that the explanation of the encryption algorithm looked impressive but meant nothing to them. In the spirit of keeping with simplicity, the technical notes have been editted to read as follow:
Technical Note #1:
If you encrypt something with Scrambled Eggs on your work computer, keep the key on a floppy in your purse, nobody gets into your purse but you, and nobody can guess your password, then your boss will not be reading your secret stuff. There are exceptions to this. If someone should speculate that it is worth millions of dollars or vital to national security that he/she decrypts your stuff, and that person has the resources available only to major governments and huge corporations, and that person can justify the time and expense of applying several powerful computers and cryptologists to the sole task of decrypting your stuff, then such a person could probably do it given sufficient time.
Technical Note #2:
If you don't follow most of the security tips in the next section and elsewhere, it would take a person such as described in Technical Note #1, less time to decrypt your stuff.
Technical Note #3:
If you actually need more protection than Scrambled Eggs offers, you would not have wasted your time reading past Technical Note #1.
Important Considerations and Security Tips
A user only needs to carefully consider these tips if he/she truly needs serious protection (see Technical Notes above). When properly employed - with a physically secure key file, and a secret password - Scrambled Eggs is more than sufficient to protect most users. If you don't know whether or not you need more protection, you don't.
What follows are a few suggestions for increasing the security of Scrambled Eggs for the truly paranoid, or for those with nothing better to do with their time and energy. Most of the suggestions are quite unnecessary.
The Key:
- Physical security of the key is necessary to ensure the security of the data it protects. This is the most important security concern. Even if a very long password is employed, a compromised key greatly weakens the encryption scheme. You should transmit the key by the most secure means possible.
- You should change the key as often as practical. Ideally, you would never use the same key twice.
- A good way to implement key changes is to generate several keys for a given period, say 4 weeks. For a 4 week period you might generate 20 keys (one for each work day). You could then transmit all 20 keys at once (on a floppy perhaps) to the person you will be sending sensitive files to. You can then use a different key each day and only have to transmit keys once a month. Select a method which works for you.
- The more often you change keys, the more secure the encryption scheme will be. If you never reuse a key, it would be extremely difficult for an unauthorized user to decrypt a file you encrypted.
- Remember that complicated schemes of key use and changes could compromise the data if you had to retransmit a key because of a misunderstanding of the security plan.
- Did I mention that you should change keys often?
The Password:
- Long passwords are better than short passwords.
- Random passwords are more secure than your mother's maiden name, but harder to remember, and harder to relay to an intended recipient.
- A good idea is to publish a monthly password list to intended recipients so that you can change passwords every day. It is a good idea to change passwords frequently.
- You should change passwords frequently. Ideally you would never reuse a password.
- For greatest security, change your password with each use, just like your key.
- Every character you use that is not a letter (?, 3, *, +, /, etc.) greatly increases the security of your password.
- A good password which is easy enough to remember is: *browncodfish@10:40a.m._From-Pete//To-Skip_hamburger_82592*
This password was generated using a preestablished password plan as follows: The password starts and ends with an *. Each month has a secret color - this month is brown. Each day of the month has a secret fish - today is the codfish. The file was encrypted at 10:40a.m.. It is from Pete, to Skip. Both Pete and Skip have identical lists of passwords with corresponding numbers. "hamburger" just happens to be number 15, let's say. Just after e-mailing the file to Skip, Pete called Skip and told him to use password 15, and number 82592. "15" is the number of "hamburger" off of the list, and Pete just made up "82592". Pete only had to transmit two numbers to Skip, yet someone would have to possess all of the lists and the numbers that Pete gave in order to deduce the password. It sounds more complicated than it really is.
- You can enhance security by ensuring that the length of your key is not evenly divisible by the length of your password.
- Above all, remember to change your password and key as frequently as possible.
The Encrypted File:
- Try to break large files up into multiple pieces. The larger the file is, the less secure it is. Future versions of Scrambled Eggs will divide large files automatically.
- Rename the encrypted file to something unrelated to the file's actual contents. The original filename is safely stored away inside the encrypted file. Renaming the encrypted file will make it more difficult to predict the contents of the file.
- You may encrypt a file as many times as you wish using any combination of keys and passwords. This is useful if you don't want a single user to access a file without the presence or consent of certain other users.
The Program and This Manual
- Distribution of the program or even this manual does not compromise the security of files properly encrypted by Scrambled Eggs. The only things that can compromise the security of an encrypted file is the compromise of the password and/or key, or the reuse of passwords or keys.
Other Security Thoughts
- The more you reuse a key or password, the more you are possibly providing an unauthorized user with sample files to aid him/her in breaking your encryption scheme.
Known Bugs
Although there are no known bugs, Scrambled Eggs will probably not run under System 6 or on a 68k Mac. Also, many features intended for future versions have not yet been implemented. This does not compromise the security of the program's encryption.
Note: The fact that Pete has no pedals on his unicycle is a feature, not a bug.
Version History
1.1b1 - This is the first non-development version.
1.1 - Fixed a few bugs, such as:
- The "Quit" menu item actually works. Embarassing bug.
- When the user chooses to replace an existing filename when encrypting,
Pete no longer returns an error message.
- The version appears correctly when the user selects "Get Info" in the
finder.
- When attempting to decrypt to a filename that already exists, Pete now
now creates a unique numerical suffix to the new filename to avoid
returning an error message due to a duplicate filename.
Copyright, License, and Disclaimer
Disclaimer:
The author of "Scrambled Eggs", Brent A. Carey, makes no warranties, either express or implied, regarding the fitness of "Scrambled Eggs" for any particular purpose. Use "Scrambled Eggs" at your own risk. The author claims no liability for data loss or any other problems caused directly or indirectly by "Scrambled Eggs".
License:
You may use "Scrambled Eggs" version 1.1 once free of charge. If you continue to use "Scrambled Eggs" you are required to register by sending the author $10 U.S.. In return you will receive a free copy of version 1.2 which boasts significant improvements including drag-and-drop and Applescript support. Version 1.2 is not available by any other means. Also, registered users will receive future upgrades automatically.
If you try it and don't like it, don't use it. If you try it and like it, use it. If you use it, register. If you can't afford the registration fee you may contact the author to arrange alternate arrangements.
You may not export Scrambled Eggs to a destination outside of the United States.
If you give "Scrambled Eggs" to a friend, enemy, acquaintance, or stranger, you must include all documentation and the "Scrambled Eggs", unmodified. If you sell it or include it with any product which is sold, I will sue you, as you do not have my permission to do so.
Registration automatically entitles your ideas to consideration for immediate implementation. That is, if you make a good suggestion, the author may implement it immediately and send you an updated copy of the application. Also, if you want a custom feature added, and it is easy enough to implement, the author may add it for you in a special version.
Contacting the Author
You can contact the author, Brent A. Carey, by e-mail: <btcarey@primenet.com>
