Tiny Cipher is an encryption program. In other words, it takes files that can be easily read by you (or a third party), and turns them into a new file (of approximately the same size) that is apparently random garbage. Needless to say, it can do the reverse operation to restore the file to its original state.
Short Cryptography Tutorial.
I. Why do we need cryptography?
Increasingly, we are seeing a need for encryption. Sensitive information of all kinds is now stored on computers, and there is often little defense against its being read by unauthorised persons. There are several ways to guard against this. The first, and most obvious, is to deny unauthorised persons physical access to the sensitive data. In other words, the computer and hard disk is in a locked room to which you have the only key. This is called physical security. It has a number of serious drawbacks, especially in an environment like an office where several people might require access to the same machine, but are not allowed access to all the files. The second method is common in multi–user operating systems like UNIX: everybody has a password, and is only allowed access to their own files and a restricted set of other files. This is fine for most purposes, but it is vulnerable to attack if the security of the system is not absolutely first–rate. UNIX is a notoriously insecure system, and with the growth of internetworking, systems are susceptible to attack from geographically distant quarters. The third method is to hide the file in such a way as to make it look like it is something else, or to make it impossible to find. This approach is called steganography, from the Greek for concealed writing, and if used carefully can be extremely effective. Unfortunately, most situations do not lend themselves well to this method. So we are left with the fourth method, cryptography, which is Greek for secret writing. A system which implements a cryptograhic algorithm (or cipher) is known as a cryptosystem. Tiny Cipher is one such system. The science (and art) of breaking (or attacking) cryptographic algorithms and systems is called cryptanalysis. Both cryptography and cryptanalysis come under the banner of cryptology.
Governments are making increasingly unfriendly noises towards computer users. If you don’t want the government to read your email, then you’d better encrypt it. You don’t have to be doing something illegal to benefit from encryption. The more nefarious of the Western intelligence agencies (for example the DGSE in France) do not think twice about reading their citizens’ private communications (hell, the DGSE blew up an entire ship – why would they worry about the legality of things like reading your email?). Even governments in countries where intercepts on commnications channels such as phonetaps have to be authorised at a high level, like the US and the UK, are not above snooping on people for no good reason. The only way to get them to stop it is to make it not worth their while. If every email that anyone sent was routinely encrypted, then there would be no point in trying to snoop. The effort required would simply be impossible to justify.
II. What a good cryptographic algorithm should do.
A good cryptosystem should be able to take a file, assumed man-readable (this is called the plaintext), and convert it into a form that cannot be read by anyone else (this is called the ciphertext), under the control of a piece of secret information, called the key. Moreover, it should be nearly impossible to recreate the plaintext from the ciphertext without knowledge of the key. The crucial point about a good cryptographic algorithm is that this should hold true even if full details of the algorithm are known to a potential attacker. This is important. An algorithm that relies solely on knowledge of its workings for its resistance to attack represents a trivial challenge to a competent attacker. A cryptographically secure algorithm may also be restricted, but it is always assumed when designing an algorithm that eventually an attacker will learn (or deduce) the inner workings of the system. All the security of the algorithm lies in the key. You can assume that a cryptanalyst can perform at least a chosen–plaintext attack, where the cryptanalyst can run plaintexts of his choice through the algorithm, in addition to having several known plaintext/ciphertext pairs.
The difficulty an attacker has in breaking a particular algorithm must be as high as possible. The ideal situation is for the cipher to be completely unbreakable. Sadly, there is only one truly unbreakable (or unconditionally secure) cipher, the one–time pad. This is nothing more than a list of completely random data, each of which is combined exactly once with the corresponding datum in the plaintext. If the pad is generated using a truly random process, then it is uncrackable. Since all pads are equally likely, the decryption of a given ciphertext can be any message. There is no way of telling the true message from all the others. However, the need for the pad to be the same length as the plaintext, and for it to be discarded after being used just one time, makes this type of system impractical for all but a few specialised uses (Soviet agents in the West used one–time pads). If, however, a system can be devised that generates lists of data in a systematic way, such that the list is indistinguishable from truly random data, then that sequence will make a cryptographically secure sequence. This is what cryptographic algorithms do. To be cryptographically secure, the output of the algorithm must not only be statistically random (i.e. every symbol is equally likely) but it must be infeasible to ascertain a priori what the next symbol will be given complete knowledge of the algorithm and all previous output symbols.
‘Infeasible’, in the cryptanalytic sense, means that with the resources at the attacker’s disposal, it is impossible for him to break the cipher in a realistic time. The goal of any designer of a cryptographic algorithm is to make the most efficient search a ‘brute force’ attack. In other words, the fastest way to break the cipher is to try every possible key. Until cryptologists come up with a better method for a new algorithm , the attacker is left with brute force. Clearly, then, the length of the key is all–important. The number of different keys is 2^n, where n is the length in bits. A 40-bit key has only about 1 trillion combinations. It has been estimated that a hardware device capable of breaking this key within a week would cost under £10,000 at 1995 prices. To break a 64–bit key in a week in 1995 would require a machine costing over £500 million. However in ten years’ time, this will have dropped to less than £20 million, well within the intelligence budget of an advanced industrial nation. For even less than this, a machine to break a 56–bit key (such as DES uses) in an hour could be built in 2005. A 128–bit key, on the other hand, which has ~3.4 10^38 combinations, requires more computational power than is ever likely to be available. A machine costing £1 trillion (which is around the same size as the UK’s entire annual GDP) would take nearly 6 trillion years to guarantee it would find the key.
III. The Tiny Encryption Algorithm.
There are literally hundreds of encryption algorithms. Cryptography dates back to antiquity. Most ancient ciphers are easy to break by today’s standards. Modern cryptography dates from about the middle of the 19th Century, but it was not until after the First World War that cryptology was first seriously studied in a scientific manner. Almost all this research was done by the military; civilians had little or no access to communications security. This situation persisted until about 1970. Suddenly there was an explosion of interest in cryptography among the open academic community. The field is now extraordinarily rich, with dozens of new papers appearing each month in the literature.
To be an adequate cryptologist, you need to be pretty good at mathematics. To be a good cryptologist, you need to be a superb mathematician. All modern, open ciphers are released to the academic community with a detailed and erudite mathematical analysis of their properties. Many of these algorithms are extremely complex (although complexity alone is not enough to guarantee security). The problem with a complex algorithm is that it will have a slow execution speed on a small computer. What is needed is an efficient algorithm that is also secure.
David Wheeler and Roger Needham, at the Cambridge Computer Laboratory, devised one of the simplest and fastest algorithms to date, called the Tiny Encryption Algorithm (TEA). In its C–language form, the encryption and decryption routines are no more than six or seven lines long. The algorithm consists of a simple combination of shifts and exclusive–ORs, repeatedly applied to a 64-bit plaintext block under the influence of a 128-bit key. One iteration of the algorithm is called a round. The number of rounds can be variable, although eight suffices for most applications and 32 is overkill. Raw throughput on an obsolete machine (for example a Mac IIsi, with a 20MHz 68030, like the machine on which I am typing this) is more than 1.8 million bits per second for TEA with eight rounds. When all the adornments of a graphical user interface are grafted on, plus reading and writing to disk, then this figure drops to about 40% of this value. That still works out to about 83K a second, or about 12 seconds per Megabyte. That is much faster than most implementations of more complex algorithms, such as the Data Encryption Standard (DES). On a faster machine, performance will of course be better than this. On a very powerful machine, like a Power Macintosh, then the fundamental limit is how fast the machine can transfer data to and from the hard disk drive. Encryption speeds of more than one Megabyte per second should be possible.
So, is the TEA cryptographically secure? So far, it appears to be. The algorithm has been in the open literature for over two years now, and there have been no reports of any succesful cryptanalyses. One of the key criteria of a good algorithm is that it should have strong diffusion properties. Information in the plaintext should be rapidly spread out into the ciphertext. In other words, if one of the bits in a plaintext block changes, approximately half the bits in the corresponding ciphertext block should change, apparently at random. The TEA satisfies this criterion after only six rounds, and then maintains it indefinitely.
Another very powerful cryptanalytic technique is that of differential cryptanalysis . The precise details of this technique are extremely mathematical and require a good knowledge of linear algebra and number theory. In essence, the attack is a statistical one; pairs of plaintexts and ciphertexts are examined, and if they satisfy certain criteria then some knowledge of the key can be gleaned. TEA is very resistant to differential cryptanalysis. Even if it were not, gathering the statistics to launch an attack is a daunting proposition. The number of plaintext/ciphertext pairs needed to perform this attack is in the trillions.
Tiny Cipher should be capable of encrypting files to a level of security that is safe against even the resources of national governments. If you want to use it to send secure email, for example, then it should be proof against anything GCHQ, the NSA or the DGSE can throw at it.
Using Tiny Cipher
Tiny Cipher is very easy to use. The commands Encrypt… and Decrypt… in the File menu do exactly what they say. You will be presented with a directory dialog box allowing you to choose a file or folder for encryption or decryption. Then you will be presented with a dialog box asking you for a password. This is the sequence of characters that will be converted into the key for encrypting the plaintext. Obviously, all the security of the system hinges on how difficult it is for an attacker to regenerate the key, knowing the plaintext. If he can guess the key, or find it out in some way other than cryptanalytically attacking the cipher, then you might as well not bother with encryption at all. Although TEA uses a 128–bit key, and is therefore potentially very strong, by choosing weak passwords you reduce the number of keys that can be generated, and hence the number of different ciphertexts your plaintext can be encrypted to. The first point, and this is absolutely crucial, is to choose a password that is hard to guess. A so-called ‘dictionary attack’ uses a huge list of common names, words, nicknames, acronyms, mnemonics etc. as a password generator. It uses these as an attack on the cryptosystem. Up to 25% of the passwords on most multi-user systems can be cracked this way. Do not use your name, or your mother’s name, or your favourite football team’s name, or place names, cartoon characters, biblical quotes, Shakespearean quotes, or permutations of any of these. And don’t for God’s sake, whatever else you might do, ever, ever write your password down.
It’s important to make your password a reasonable length. If your password is six characters long, and you only use the 26 lowercase letters, then the number of possible keys is only 31 million, which is a minute fraction of the total number of possibilities that a 128–bit key has. If, on the other hand, you choose a 16 character password with each character allowed to come from the 95 printable ASCII characters then you can reach about one ten-millionth of the total 128–bit keys, which is pretty good. On the other hand, a password like £1µ5eÆB‡.WÇΔt=¬€ is quite hard to remember. The best choice is a compromise. Choose a password that is easy to remember, but hard to guess. A good technique is to choose two unrelated but memorable words (remembering to add some capitalisation) and separate them with a punctuation mark. For example, proPerty$snEEze , or angLe!kidnEy. Another technique is to choose a very long pass phrase, such as a quote from a poem or book, and use that. Tiny Cipher is quite happy with passwords up to 128 characters long. For example, “In the centre of the city a woman stood between two mirrors, watching herself reflected all the way to infinity.” While this has the advantage that it is easy to remember, and long, it can be a bit tiresome to type in. And since by default Tiny Cipher will not echo your typing to the screen, a spelling mistake is possible (and disastrous). The choice is yours. To put it in perspective, an exhaustive search for an eight-character password using all 95 printable ASCII characters would take 210 years if the search engine could make one million attempts per second. For an eight-character password using only lowercase letters it would take 2.4 days. A ten character password using the 62 characters a–z, A–Z and 0–9 would require 26 600 years. Tiny Cipher by default imposes a minimum of 9 characters in the password (less in v1.2), but after that what you type is up to you.
One other word of warning. If you forget your pasword, or mistype it when you are encrypting, then to recover your file you will essentially have to go through the same procedures a cryptanalyst would if he wanted to decrypt that file. A simple typing error is comparatively easy to rectify, since the number of combinations of different passwords is small, assuming you are not completely ham-handed. Forgetting your password is another matter. You might wish to try deep hypnosis before starting a degree in algebraic number theory. At the request of users, the ability to echo the password in plain text to the screen has been added in version 1.2. This reduces the risk of mistyping the password, but obviously gives less security against people viewing the password. ’Ware kibitzers!
Tiny Cipher can also securely delete files. One of the most powerful resources an attacker has in breaking an encrypted message is to have a plaintext/ciphertext pair for a different message encrypted with the same key as the one he is trying to break. Simply throwing the file in the Wastebasket is insecure, since this does not immediately erase the data from the hard disk but simply changes some information in the disk catalogue to indicate the space the file occupied is now ready for re-use. The file can exist (maybe in fragmentary form) for months. To be securely erased, the file must be overwritten before being deleted. Tiny Cipher does this by overwriting the file several times. The number of times is set by you in the ‘Preferences…’ dialogue box. You can choose between three, five and seven times. The first two overwrites store a stream of alternating ones and zeroes to disk (the second one has zeroes where the first has ones). Then one, three or five random number sequences are written to disk. Finally the file is deleted in the normal way.
This function can be performed by using the ‘Delete…’ command in the ‘File’ menu. You will be presented with a dialogue box asking you to choose the file to erase. You will always then be asked to confirm this choice. Alternatively, you can allow Tiny Cipher to automatically delete files after encryption and decryption. Choose the ‘Auto-delete source files option in the preferences dialogue box. You can choose here whether Tiny Cipher should warn you that it is about to auto-delete a file.
Note that in version 1.2, I have not included the ability to delete entire folders full of files. The potential for mayhem that allowing folder deletion would permit is enormous. Norton Recover will not help–the information in your files has effectively been used to slightly heat up the room, and is gone forever. If you are the CIA, then you may be able to get some fragmentary data by tuning the head to scan the edge of the track instead of the middle, turning up the maximum likelihood detector to full wick and crossing your fingers. Otherwise, the data is GONE.
I cannot stress this too highly: inadvertently delete a file using the secure erase and it ceases to exist. You will do this at most once, and then you will learn the secret of regular backups: “it's not whether you’re paranoid, it’s whether you’re paranoid enough.” If you feel that your life would be incomplete without folder erasure, then email me. If enough people want it then I'll stick it in version 1.3. But don’t say I didn’t warn you.
If Tiny Cipher is doing a long encryption or decryption, a progress box will appear, like the one you see when you perform a copy operation in the Finder. Tiny Cipher can then be put in the background to work on the file while you do something else. You can then choose the method that Tiny Cipher should use to inform you that the operation has completed. You can choose between no notification, flashing an icon in the application, and posting a note on the screen.
When you enter your password, it will normally be echoed to the screen as a row of bullets (•). If you do not want someone looking over your shoulder to know how long your password is, then you can alter this behaviour. Uncheck the ‘Echo password as bullets’ option in the preferences dialogue. As from version 1.2, the password can be echoed as plain text. Use this option with care if you are working in an environment where someone could be looking over your shoulder.
Distribution Details.
Tiny Cipher is freeware. That means you can give it to your friends, install it on your machine at work, put it on a disk of free software, whatever. Tiny Cipher is NOT public domain. That means you cannot charge for it, and the copyright remains vested in me. You cannot pass it off as your own, or modify it and pass it off as your own.
I wrote Tiny Cipher to give highly secure, fast cryptography to Macintosh users. That’s why it’s free. Quite a lot of work has gone into this task to make Tiny Cipher a fully-functional Macintosh application. I would appreciate your comments (and any bug reports) by email to david@vader.brad.ac.uk
If you’re reading this file and can’t find a copy of Tiny Cipher then you can obtain it by anonymous ftp from my ftp server at vader.brad.ac.uk . The path is /pub/crypto/tinyciph.hqx
Other stunning bits of software I have written
You might want to check out QuickLaunch, a replacement for that clunky Launcher thing Apple gave us with System 7.5. QuickLaunch allows you to define sets of documents and applications which can then be launched as if they were a single application with a double-click. You also might want to try Alias Dæmon, which allows to you to choose where on your system a newly created alias is to go. You just hold down the option key when making an alias to get a pretty dialogue box allowing you to select the target folder. Both of these can be found on vader.brad.ac.uk under /pub/utils as qucklnch.hqx and alisasst.hqx (dontcha just love those DOS 8.3 filenames). Both of these are shareware (but incredibly cheap, at only £3/US$5 each). Continuing in the alias vein, there’s also Alias Module, which does much the same thing as Alias Dæmon but uses Ammon Skidmore’s Extensions Strip to work its magic, and Alias Exterminator, which hunts down and ruthlessly slaughters dangling aliases. They're on my ftp site as alismodl.hqx and alisxtrm.hqx respectively.
All of the above should be available from the Mac archive site at sumex-aim.stanford.edu.
There’s also a small selection of joke programs to annoy your colleagues under /pub/macshens. These arose out of a discussion on the Usenet group alt.shenanigans about the dearth of good computer practical jokes. Share and enjoy!
DISCLAIMER
This software item (Tiny Cipher) is provided AS IS, without any warranty, even the implied warranty of MERCHANTABILITY or FITNESS FOR A PURPOSE. Any and all use is entirely at your own risk; the author accepts no responsibility with respect to this software item for any direct, indirect, consequential or incidental damage or loss of data (including damages for loss of business profits, business interruption, loss of business information, and the like) that may arise through the use or misuse of this software item. No representation, either express or implied, is made by the author as to the fitness of this item for a particular purpose, and no responsibility shall be accepted for any loss or damage arising from any defect in this product or its description, even if the author has been made aware of the possibility of such loss or damage.
The author (David A. G. Gillies) asserts the moral right to be identified as the author of this software item.
Version History
1.2 Fixed a few stupid and embarassing bugs (whoops): fixed intermittent crash in or after password dialog box, fixed folder processing to handle name collisions, removed lingering debugging code (double whoops), updated About… box. Added the facility to have passwords shorter than nine characters. Added the plain text password echo. Altered directory dialog box to allow choice of a folder for encryption or decryption.
1.1 Fixed the folder encryption routines to allow drag and drop of an entire folder full of files onto Tiny Cipher’s icon. Fixed the disk space checking routines to check that there is adequate free space on the target volume before starting.
1.0 Baseline version.
Still To Come in version 1.3
I hope to include Apple Guide help files in the standard distribution. If it’s requested enough, then I’ll allow the Delete… command to apply to folders as well as files.
In My Dreams
If enough people send me in their shareware fees for the other stuff I have written, then I can get myself a PowerMac. Then I can port Tiny Cipher, and then you can see what fast encryption really means.
The Out of Interest Section
Here’s ANSI C source for the Tiny Encryption Algorithm, in case you were wondering:
void Encipher(const unsigned long * const v,unsigned long * const w,const unsigned long * const k)
{
register unsigned long a=k[0];b=k[1];c=k[2];d=k[3];y=v[0];z=v[1],
sum=0UL,delta=0x9E3779B9UL,n=16UL;
while(n--)
{
y+=((z<<4)+a)^(z+sum)^((z>>5)+b);
z+=((y<<4)+c)^(y+sum)^((y>>5)+d);
sum+=delta;
}
w[0]=y;
w[1]=z;
}
void Decipher(const unsigned long * const v,unsigned long *const w,const unsigned long * const k)
{
register unsigned long a=k[0];b=k[1];c=k[2];d=k[3];y=v[0];z=v[1],
sum=0xE3779B90UL,delta=0x9E3779B9UL,n=16UL;
while(n--)
{
z-=((y<<4)+c)^(y+sum)^((y>>5)+d);
y-=((z<<4)+a)^(z+sum)^((z>>5)+b);
sum-=delta;
}
w[0]=y;
w[1]=z;
}
This is why the algorithm gets its name. By comparison, DES is several hundred lines of C.
