Ringlord Technologies Products

CryptCreature — A Tool for Exploring Cryptography

CryptCreature demonstrates the basics of cryptography. You can choose a cryptographic algorithm, parameters, and key size; load, save, and generate secret keys, and then encrypt and decipher messages. Tool tips provide some education on cryptographic concepts.

This is a significant upgrade on a previous release.

Description:CryptCreature demonstrates the basics of cryptography, and through its source code may serve as an example of using Java's cryptographic capabilities. It is hoped that this software is useful for the curious to start on the road to cryptography and keeping their data and lives out of prying hands. NOTE: Source code is inside the .jar file (treat it as a .zip file)
Version:1.4
License:GPLv3+
Requirements:Java 1.7+
Download:cryptcreature.jar (141.8KiB)
screen shot (135.8KiB)

Older versions:
cryptcreature.jar (old: v1.1) (116.5KiB)
cryptcreature.jar (old: v1.0) (56.1KiB)
screen shot (old: v1.0) (137.4KiB)

The CryptCreature is hosted at GitHub.

Intended Audience

Anyone with an interest in cryptography, but please note that this tool is not intended for serious cryptographic uses. The reasons include the following:

  1. I have made no attempt to maintain good internal key discipline: The memory to store the secret keys is not explicitly cleared, and so it could become visible to other processes at some point.
  2. Only the most rudimentary (perhaps laughable) attempt is made to keep someone from stealing your secret key while it is displayed by CryptCreature. Someone with a camera can probably steal it in the blink of an eye.
  3. I have some experience with cryptography, but am no expert, not by a long shot.
  4. The code has not been audited by knowledgeable and trustworthy third parties. As a general lesson: Be extremely careful of trusting anything important to something or someone you cannot truly trust. For example, one of the biggest security companies in the world, RSA, was (in late 2013) revealed to have weakened its algorithms in order to give the NSA access to whatever was encrypted with RSA’s algorithms; and Intel’s hardware “secure” random number generator seems to have been compromised in a similar manner; and NIST was in on a lot of this, too. In other words, you can’t trust anyone whom the government can pressure into cooperating against your interests.

Bottom line: Feel free to play with CryptCreature and learn about cryptography, but please do not put your life in its hands, especially not until smarter people than I have had a go at the code and CryptCreature has evolved (if it ever will) to be smarter about key management!

Cryptography Concepts

The introduction I give here should help you get a leg up on the concepts, but I cannot hope to teach you all you should and need to know to make no mistakes. The most important lesson I have to teach is that cryptography is not an easy thing, and even the tiniest mistake can dramatically weaken or even make worthless the secrecy that you were hoping to achieve.

Cryptography seeks to limit access to information by scrambling the information according to some reversible cipher combined with a so-called key. A cipher is a complex algorithm designed by experts in the field, and because other experts apply their skills to analyze it at great length, and have found no problems with it (but, not having found a problem is no proof that a problem isn’t still hiding!) the cipher is considered acceptable. After that, the security comes from the secret key, and how well this key is protected.

The most secure key is a so-called One Time Pad (OTP), a random private key as long as the message itself, which is discarded after use. Such keys are rather unwieldy, of course.

Private Key cryptography is similar to use of an OTP, except that the key is of limited size, and it is reused (at least for a time). Private Key cryptography (including OTP) is somewhat difficult to implement because the secret key must be exchanged between the parties wishing to exchange information. If you are merely keeping your own stuff safe, you need not exchange this key with anyone, you only need to ensure that it is not lost or found by someone else.

Public Key Cryptography was revolutionary when the concept was discovered, because it allows two parties to exchange only the public portions of their keys, and do so in any manner desired, including in full public view. Only the private portion of each party’s key needs to be kept secret. Each party then exchanges messages using their own private key in combination with the other party’s public key. This eliminates all the risk of two parties having to exchange keys!

CryptCreature uses only private (secret) key cryptography, no public keys, and no OTP. The secret key must truly remain secret, and for anyone to read an encrypted message, they must have the secret key that you used during encryption.

Terminology

Plain Text
Plain text is the original, unencrypted data. This doesn’t have to be human readable information. The term simply refers to the plainly accessible information. See ‘Cipher Text’
Cipher Text
Cipher text is the encrypted information, obtained after applying a cipher algorithm to it.
Initialization Vector (IV)
An initialization vector is a relatively short, random sequence of data that “seeds” the cipher algorithm so that each time you encrypt the same data, the actual cipher text is different. This is important if, for example, you encrypt an XML document whose introductory ~40 characters are always the same. If an attacker knew that you had encrypted XML, they’d only need two or three versions of the document (encrypted with the same key) to derive the key through cryptanalysis, and then decrypt it all. The initialization vector makes this effort zillions of times more difficult. The same initialization vector must be used for both encryption and decryption. It is passed along with the cipher text.
Salt
Salt does not actually come into the picture in our case, but it serves a comparable purpose as an initialization vector, namely it produces an additional scrambling factor when a secret key is made from a human readable password. If the algorithm for creating the password were known (and it generally is!) then an attacker could pre-compute the keys for a few hundred million passwords and just look them up. This is called a dictionary attack. By salting the password, those hundred million passwords would need to be computed each zillions of times, thus making that attack vector more or less infeasible. Salt is stored along with the password so that the correct password, when entered, can be salted and turned into an encrypted password. If that one matches what is stored in the database, the correct password was supplied.
Cipher / Mode / Padding
The Cipher is the core algorithm. There are many: DES is one of the oldest, Triple DES (DESede) is an update but both have been superseded by AES. Blowfish is another. AES and Blowfish have no known attacks against them at this time (early 2016). Note that AES is endorsed by the U.S. Government, but it is not known whether the NSA has managed to inject a backdoor in it. Blowfish is a cipher by well-known cryptography expert Bruce Schneier.

Bugs in CryptCreature

I’m sure there are many bugs lurking. The source code is included in the JAR (treat the JAR like a zip file to get at it), so you can always poke around. I’d love to hear from you if you find CryptCreature useful, or you find fixes or have suggestions for improvements.

All content is copyright © Ringlord Technologies unless otherwise stated. We do encourage deep linking to our site's pages but forbid direct reference to images, software or other non-page resources stored here; likewise, do not embed our content in frames or other constructs that may mislead the reader about the content ownership. Play nice, yes?

Find something useful here? Maybe donate some Bitcoin!