MASTER SOFTWARE


QUALITY SOFTWARE SINCE 1958
 

PROTECT YOUR PRIVACY -- PROTECT YOUR SECURITY
with the strongest line of data file and message encryption software available.
GK-Crypt Data Security Package Version 03
User Manual - March 12, 2024



          1. GK-CRYPT



               GK-Crypt keeps your computer files secret and private.  It
          keeps them secure against any snooping, industrial espionage, or
          intrusion via the Internet.  Even if your computer or your data
          disks were stolen, and even if they had the GK-Crypt software on
          them, nobody could read your data.

               GK-Crypt is far stronger than any other commercial file
          encryption product in the world, and stronger than nearly all of
          the world's diplomatic and military encryption packages, whether
          software, microchip, electro-mechanical, or any combination.
          GK-Crypt is strong enough so that governments could use it for
          their most sensitive data.

               GK-Crypt could ensure the privacy of your computer files
          even if an opponent had available all of the computing power in
          the entire world.  And, your files will stay private for decades
          to come.  Even if computers increased in power over the next 50
          years by the same factor that they improved over the past 50
          years, your files would still remain secure.

               The 128-bit encryption products now in use will become
          obsolete in 10 to 15 years.  The 256-bit products that are
          designed to replace them will become obsolete in 20 to 30 years.
          But files encrypted with 640-bit GK-Crypt will still be secure
          even 50 years from now.

               GK-Crypt is easy to use.  You can encrypt hundreds of files
          with a single command.  You don't need to choose and remember any
          of the file keys.  GK-Crypt will generate a secure 640-bit key
          for each file, and remember all the keys for you.

               GK-Crypt is also the safest privacy product you can buy.  It
          is loaded with safety features to prevent loss of data and other
          problems that are common with lesser data security packages.  You
          cannot decrypt a file with the wrong key, or encrypt a file that
          is already encrypted.



          TABLE OF CONTENTS


          1. GK-CRYPT
            1.1. GK-Crypt Version 03
            1.2. GK-Crypt Version 02
            1.3. What is encryption?
            1.4. Who needs encryption?

          2. USING GK-CRYPT
            2.1. A GK-Crypt session
            2.2. Sample session
            2.3. Decrypting files
            2.4. Setting shortcuts
            2.5. Listing the encrypted files

          3. FILES
            3.1. Identifying files
            3.2. File groups and wildcards
            3.3. Defining shortcuts
            3.4. Using shortcuts
            3.5. Group overlap

          4. KEYS
            4.1. Key Do's and Don'ts
            4.2. Letters, digits and punctuation
            4.3. Key blocks
            4.4. Pronounceable keys
            4.5. Patterns
            4.6. Secretaries and clerks
            4.7. Key strength
            4.8. Summary: Picking a key

          5. INSTALLING GK-CRYPT
            5.1. Copying the GK-Crypt files
            5.2. Multiple copies of GK-Crypt
            5.3. Installation
            5.4. Practice

          6. SAFETY FEATURES
            6.1. Lost keys
            6.2. Strong Master Key
            6.3. Unauthorized users
            6.4. Double encryption
            6.5. Double copies
            6.6. Partial encryption
            6.7. Master and cache
            6.8. Adding and renaming files
            6.9. Backup and recovery

          7. COMPARING ALGORITHMS
            7.1. The GK-Crypt algorithm
            7.2. AES Advanced Encryption Standard
            7.3. RSA public key cryptography
            7.4. Quantum cryptography
              7.4.1. Photon cryptography
              7.4.2. Quantum entanglement

          Appendix A. DOS BASICS
            A.1. Starting DOS
            A.2. Sizing the DOS window
            A.3. Directories
            A.4. Current directory
            A.5. Working with directories
            A.6. Identifying files
            A.7. Long names
            A.8. File operations
            A.9. Batch files



          1.1. GK-Crypt Version 03


               GK-Crypt Version 03 is easier and safer to use than Version
          02.

          (1) You no longer need to remember which files are encrypted, or
          to type the names of the files you want to decrypt.  GK-Crypt 03
          displays the list of files, and you just point to the ones you
          want to decrypt.

          (2) You can create shortcuts to reduce the task of typing long
          file names.  For example, you could let

               bridge

          represent

               \DrawMaster\architecture\NJparkproject\bridge.jpg

          (3) The methods for choosing random file keys have been improved.

          (4) Only one copy of GK-Crypt is needed.  It may be run from
          anywhere on your computer.

          (5) Every file is identified with its full path.  This prevents
          problems when there are files with the same name in two or more
          different directories.



          1.2. GK-Crypt Version 02


               GK-Crypt Version 02 offers several improvements over the
          original Version 01.

          (1) The encryption has been made even stronger, with no
          significant loss of speed.

          (2) The operation is now fully automatic.  There are no options
          to choose.  You get the highest level of security for every file.

          (3) You can now change the Master Key without needing to decrypt
          and re-encrypt any files.

          (4) The new version automatically detects files encrypted with
          the old version and converts them to use the new, stronger,
          encryption.

          (5) After a file has been encrypted, the old copy is now shredded
          3 times.



          1.3. What is encryption?


               Encryption is the process that keeps your data secure.  The
          GK-Crypt program takes your data file and transforms it into a
          form that nobody can read without the key.  The encrypted file
          looks perfectly random and totally meaningless.  Even the most
          sensitive and sophisticated statistical tests cannot detect any
          difference between your encrypted file and a pure random file.

               The reverse process, which is called decryption, takes the
          garbled, unreadable data file and transforms it back into the
          original data.  The decryption process requires full knowledge of
          the key in order to reconstruct the original data.  Only you, and
          anyone to whom you give the key, can retrieve and read the data
          file.  For an unauthorized person who does not have the key there
          is no possibility whatsoever of reversing the process and reading
          your file.

               You can think of encryption and decryption as locking and
          unlocking your data files.  The key is just like the combination
          for a safe or vault.  Without the combination the vault cannot be
          opened.  Without the key your data file cannot be read.  But,
          unlike a safe or vault, there is no other way in.  The snooper
          cannot cut through the walls or manipulate the tumblers with
          magnets.  The key is the only way in.



          1.4. Who needs encryption?


               You need encryption whenever you have both of the following
          conditions:

          (1) You have data that you need to keep private or confidential,
          and

          (2) Someone has access, or could possibly have access to your
          computer, or to any external media where your data is stored, or
          to any channel over which you transmit your data.

               Here are some kinds of data that you might want to keep
          secure.

          Private individuals

               Bank account numbers          Health information
               Book or play manuscripts      Inventions
               Brokerage account numbers     Journals or diaries
               Computer passwords            Photos, movies or videos
               Credit card numbers           Private letters and emails
               Downloaded files              Spreadsheets
               Financial records

          Companies

               Ad campaign plans        Merger plans
               Claims data              Orders
               Client records           Organization charts
               Commissions              Patient records
               Compliance data          Product specifications
               Contract terms           Recipes
               Credit histories         Real estate plans
               Customer accounts        Research findings
               Expansion plans          Revenue projections
               Employee health data     Salaries
               Interfaces               Sales records
               Inventory                Settlement records
               Letters and memos        Supplier data
               Mailing lists            Tax information
               Marketing plans          Yields

          Military

               Armaments              Resupply schedules
               Attack plans           Ship movements
               Contracts              Supply levels
               Defense plans          Targets
               Emplacements           Trajectories
               Munitions depot        Troop movements
               Radar frequencies      Troop strength
               Radar locations        Unit readiness
               Research reports       Weapons capabilities

               For some types of data, you may have a legal obligation to
          safeguard its privacy.  For example, the Gramm-Leach-Bliley Act
          (GLBA) which Congress passed in November 1999 requires that
          companies protect the security and confidentiality of their
          customers' private information.  Financial institutions and other
          businesses must assure that their customers' data is kept private
          and confidential.

               Similarly, since April 2005, nearly all healthcare
          institutions need to comply with the security requirements of the
          Health Insurance Portability and Accountability Act (HIPAA).

               If you take your legal obligations seriously, then you
          should use the strongest encryption product available, the
          GK-Crypt package.

               Your data could be vulnerable because clients, or
          unauthorized employees, may be able to enter an area where your
          computer is located, or where another computer or terminal on the
          same local network is located.  Sometimes a careless employee or
          family member may leave a computer unattended where someone might
          use it to find sensitive files.

               Sometimes a disgruntled employee, or even an angry family
          member, may copy data files in order to harm you or your company,
          or to sell the data for profit.  The employee could make a disk
          or print out a file and take it home.  An employee who works from
          home, or someone else in that household, may be able to dial into
          your computer and obtain access to sensitive files.

               Access to your data might be gained while your computer is
          connected to the Internet by using spyware or a computer virus.
          Files transmitted on the Internet are not secure at all.

               It is also possible that your computer or data disks or
          tapes will be stolen, or obtained from the trash.  A thief who
          breaks into a safe looking for valuables may take backup disks
          containing your sensitive data and later discover what they
          contain.



          2. USING GK-CRYPT



               Each time you use GK-Crypt is called a session.  During each
          session you can encrypt files (lock them to make them secure),
          decrypt files (unlock them to use them), or get a list of the
          encrypted files.  You may encrypt or decrypt as many files as you
          like during each session.  You can even encrypt and decrypt the
          same files in a session, should you wish.

               The GK command starts the GK-Crypt program.  You start each
          session by typing

               GK

          and pressing Enter.  After GK-Crypt is started it will tell you
          exactly what to do at every step.  Everything is clearly
          explained as you go.  (But you should still read this manual and
          the Installation Guide before you begin.)



          2.1. A GK-Crypt session


               The first thing GK-Crypt will need is your Master Key.  This
          is the key that opens the Master File which is required to run
          the GK-Crypt Data Security Package.  It is absolutely essential
          that you choose a very strong Master Key.  If the Master Key is
          weak, or only moderately strong, then your security will be
          compromised.

               Using an ultra-strong encryption algorithm like GK-Crypt and
          then choosing a short or weak key is like building a bank vault
          from the strongest thickest steel available, and then locking it
          with a flimsy padlock.  Several sections of this manual will be
          devoted to choosing keys that are both strong and easy to
          remember.



          2.2. Sample session


               Before getting into the full details of a session, let's
          take a quick look at a sample session.  You start GK-Crypt by
          typing the command

               GK

          The first thing GK-Crypt needs is your Master Key.  GK-Crypt will
          prompt you to enter the Master Key by displaying

               Please enter the Master Key
               Key:

          You type your Master Key exactly the way you entered it when you
          installed GK-Crypt, for example,

               Key: KXWVT 39463 HMCTU 90413 GSVIF 85721

          Remember that the Master Key is case-sensitive, so KXWVT and
          kxwvt are different keys.  If the Master Key is correct, the
          session can begin.

               GK-Crypt will next need to know which files you want to
          encrypt (lock) or decrypt (unlock).  It will first ask what
          operation you want to perform, like this,

               Options:
                 E - Encrypt a file.  Make it unreadable to protect it.
                 D - Decrypt a file.  Make it readable to use it.
                 S - Create shortcuts.
                 L - List the encrypted files.
                 M - Change your Master Key.
                 Q - Quit.
               Type your choice (E, D, S, L, M or Q):

          You may encrypt and decrypt as many files as you wish during a
          session.  After each operation you will be returned to this menu
          until you type Q to quit.

               Suppose that you want to encrypt a file.  You type E to
          select encryption.  GK-Crypt will then need to know the name of
          the file, or the group of files that you want to encrypt.  It
          will prompt you for the name,

               Enter the name of the file group to be encrypted,
               or type Q to quit.
               File group name:

          Suppose that you want to encrypt the group of files in the
          directory patent that start with the name motor.  You would
          respond by typing \patent\motor*, like this

               File group name: \patent\motor*

          GK-Crypt will ask you to verify your choice, so that you don't
          accidentally encrypt the wrong group of files.  It will ask

               Is (\patent\motor*) the correct file group? (Y or N):

          You would type Y to indicate that it is correct.  GK-Crypt will
          then generate a strong encryption key for each of the files,
          encrypt each file with its key, and record the keys so that the
          files can be decrypted when you need them.

               This sample should give you a good sense of how a GK-Crypt
          session will proceed.  At every step GK-Crypt will instruct you
          on what information you need to enter.  Now let's look at some of
          these items in detail.



          2.3. Decrypting files


               Decrypting (unlocking) files is very easy in GK-Crypt
          Version 03.  You no longer need to remember which files are
          encrypted, and you no longer need to type the file names.  When
          you select D on the main menu to decrypt files, you will be shown
          a list of the encrypted files, like this

                 C:\MEDICAL\CHART\ADAMS.XML
               > C:\MEDICAL\CHART\SMITH.XML
                 C:\MEDICAL\CHART\WILSON.XML

               Use arrows to move cursor, D to decrypt file, Q to quit:

          You can use the up arrow, down arrow, PgUp and PgDown keys on the
          numeric keypad to move the > cursor to the file you want to
          decrypt.  When the cursor is pointing at the right file, press D
          to decrypt the file.



          2.4. Setting shortcuts


               Press S on the main menu to define or change a shortcut.
          You will see

               Shortcut name:

          Type in the name you want to call the shortcut.  If you type the
          name of an existing shortcut, then you can edit that shortcut,
          change its name, change its text, or delete the name to delete
          the shortcut.



          2.5. Listing the encrypted files


               Press L on the main GK-Crypt menu to get a list of all of
          the encrypted files.  The list will be written to the file
          GKCRYPT.LST.  You can use this list, for example, to check
          whether all of the files that you want to keep private have been
          encrypted.

               You could keep a separate file containing the complete list,
          and compare GKCRYPT.LST to this file using the Comp utility.  The
          Comp utility is a handy and inexpensive tool available from
          Master Software Corporation (www.mastersoftware.biz).



          3. FILES



               In order to use GK-Crypt you will need to tell it which
          files to protect.  On your computer the files are organized into
          directories or folders.  Directories and folders are two names
          for the same thing.  When you are in Windows, the computer will
          show you lists of files organized as folders.  When you are in
          DOS, the computer will show you lists of those same files in
          directories.  Directories and folders are equivalent.

               You need to identify which files contain your private data.
          These are the files that you need to encrypt.  Often these files
          will be in directories that are named for the program that
          created them.  For example, if you create drawings using a
          program called EZ-Draw, then the drawings are likely to be in a
          directory with a name such as

               \EZ-DRAW\
           or
               \PROGRAMS\EZ-DRAW\

          or in a subdirectory of these directories, say

               \EZ-DRAW\PORTRAIT\

               It is generally safe, but not necessary, to encrypt the
          application program and the files that it uses along with the
          files you created.  For example, it is safe to encrypt word
          processors, spreadsheet programs, or graphics programs.  Of
          course you must decrypt them before you try to use them.  This
          may take some time, but it may be easier for you to encrypt the
          entire directory, along with all of its subdirectories, than for
          you to try to identify all of your data files individually.

               WARNING!!  You must never encrypt a system file.  You must
          never encrypt any file that is part of the operating system on
          your computer, such as Windows, Unix or Linux.  If you encrypt a
          system file, your computer will be unable to use that file, and
          therefore may not be able to function correctly.  If you simply
          went ahead and encrypted every file, your computer would stop
          running, and you would not be able to restart or reboot it, so
          you would not be able to fix the problem.  Similarly, if you
          encrypted any of the GK-Crypt files, such as GK.EXE, GKMASTER.1,
          or GKCACHE.1, then you would not be able to use the GK-Crypt
          package to decrypt them, so all of your encrypted files would be
          permanently lost.

               You should always give your data files and folders names
          that clearly identify what they contain.  That way, you will know
          which files are yours, and which files you want to protect.  You
          can find all of the files on your computer by clicking the "My
          Computer" icon on the Windows desktop.  Equivalently, you can
          find all of your files by using the DIR command in DOS.



          3.1. Identifying files


               Each time you encrypt files you must identify those files to
          GK-Crypt.  GK-Crypt will prompt you for the file identifier at
          the appropriate time.  You identify files to GK-Crypt the same
          way that you identify files to DOS, namely by specifying the
          drive, path, filename and extension.  (If you already know DOS,
          you can skip or just skim this section.)

               drive     is the device where your file is stored, usually C
                         for your hard drive, A or B for a floppy drive, and
                         D or E for a CDROM drive.

               path      is the directory on your drive where the file is
                         located.

               filename  is the name that you gave your file.  The name
                         usually indicates the contents or purpose of the
                         file.

               extension is a suffix that indicates the kind of file, such
                         as TXT for a text file, JPEG for a picture file,
                         EXE for an executable file, etc.

          A full file identifier might look like this,

               c:\company\mydepartment\2005\sales.wp

               In this example, c: identifies that your file is on the C
          drive, which is your hard drive.  \company\mydepartment\2005\ is
          the path to your data.  It shows that the data file is located in
          the 2005 folder, which is inside the mydepartment folder, in the
          company folder.  So the path consists of nested folders, or a
          list of directories.  sales.wp is the file with the data.  The
          filename is sales, and the extension is wp, which indicates that
          it is a WordPerfect document.

               In a file identifier all of the fields except the filename
          are optional.

               drive      can be omitted if the file is on the current
                          drive, that is, the drive where you are now
                          working.

               path       can be omitted if the file is on the current
                          directory of the drive.

               extension  can be omitted if the file does not have an
                          extension on its name.  For example, if the file
                          is just named oldstuff then no extension is
                          needed.

          Here are some examples of valid file identifiers:

               a:budget
                    identifies the file budget in the current directory
                    of the A drive.

               \jones\commissions
                    identifies the file commissions in the \jones directory
                    on the current drive.

               late\requests.txt
                    identifies the file requests.txt in the late
                    subdirectory of the current directory.



          3.2. File groups and wildcards


               GK-Crypt allows you to encrypt or decrypt groups of files
          with a single command.  There are two ways to do this.  The first
          method is to use wildcards when you give the filename or the
          extension.  Instead of giving the entire filename or extension,
          you give the first few characters, and then type * asterisk.  The
          file operation will be applied to all files whose names or
          extensions begin with the letters you gave.  Here are some
          examples.

               TAX*        specifies any file in the current directory
                           whose name begins with TAX.  For instance this
                           would include TAX, TAXES and TAX2005 but not
                           TAXES.WP.

               T\*.DOC     specifies any file in the T subdirectory of the
                           current directory, whose extension is DOC.  For
                           instance this would include T\SALES.DOC and
                           T\INVEST.DOC.

               \A\PR*.S*   specifies any file in the A directory of the
                           current drive whose filename starts with PR and
                           whose extension starts with S.  For instance
                           this would include \A\PROFIT.S and \A\PRICE.SET.

               The second method for specifying a group of files is to give
          the path with no filename or extension.  In this case, the file
          operation will be applied to all of the files in that
          directory, and all of its subdirectories.  For example

               \MENU\   specifies all of the files in the MENU directory of
                        the current drive, and all of its subdirectories.
                        For instance it would include \MENU\TODAY.TXT,
                        \MENU\BEEF\RECIPES and \MENU\LAYOUT\PIX\SALAD.JPG.

               Any time you are prompted to give a file group you may give
          either a single file, a set of files using wildcards, or a
          directory.



          3.3. Defining shortcuts


               Some of the files you wish to keep private may be in deeply
          nested directories, such as

               \programs\artshop\drawings\plato\cover.jpg
               \programs\artshop\drawings\plato\cave.jpg
               \programs\artshop\drawings\plato\teacher.jpg

          It would be tedious to continually type these long names when you
          encrypt these files, especially if you do this often.

               Starting with GK-Crypt Version 03 you can define shortcuts
          to make this task easier.  To define a shortcut you choose S on
          the GK-Crypt main menu.  You will then see

               Enter the name of the shortcut.  The name may be
               1 to 12 letters and digits, for example  Plan10X
               Type = to show the list of shortcuts, or type Q to quit.

               Shortcut name:

          Type a suitable short name for your shortcut, for example plato.

               You will then be prompted to enter the text of the shortcut.
          This text can be all or part of the directory path and/or the
          file name.  You will see

               Enter the text of the shortcut or type Q to quit.
               The text may be any portion of a directory path or file name
               such as  \MyStuff\drawings\bridge.jpg

               Shortcut text:

          You then type the text of the shortcut.  The shortcut will stand
          for whatever text you enter.  In this case, suitable text might
          be

               \programs\artshop\drawings\plato

          since this occurs in all three of the file names.



          3.4. Using shortcuts


               To use a shortcut when you are telling GK-Crypt which file
          to encrypt, you type an equal sign = and then the name of the
          shortcut, plus the rest of the file group name.  For example, you
          could enter the file name as =plato\cover.jpg like this

               File group name: =plato\cover.jpg

          This would cause the file
          \programs\artshop\drawings\plato\cover.jpg to be encrypted.

               If the name of the shortcut is not followed by a delimiter,
          such as . or \ then leave a blank after the shortcut name.  The
          blank will be removed when the shortcut name is replaced by the
          shortcut text.  For example, if dime were a shortcut for
          \coins\catalog\dimes\ then

               File group name: dime 1952

          would cause \coins\catalog\dimes\1952 to be encrypted.

               You can use more than one shortcut in a file group name, and
          you can use one shortcut in another shortcut.  For example,
          suppose that you want to encrypt the files

               \programs\artshop\drawings\plato\cover.jpg
               \programs\artshop\drawings\plato\cave.jpg
               \programs\artshop\drawings\plato\teacher.jpg
               \programs\artshop\drawings\odyssey\siren.jpg
               \programs\artshop\drawings\odyssey\hydra.jpg
               \programs\artshop\drawings\odyssey\cyclops.jpg

          You could define a shortcut draw to represent
          \programs\artshop\drawings and then you could define two more
          shortcuts plato and homer using the draw shortcut.

               plato  as  =draw\plato
               homer  as  =draw\odyssey

               If you now wanted to encrypt the file
          \programs\artshop\drawings\odyssey\cyclops.jpg you could simply
          enter the name as =homer\cyclops.jpg like this

               File group name: =homer\cyclops.jpg

          and the correct file would be encrypted.
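
               The shortcut rules of this section can be written as a
          short program.  This is an added example, not GK-Crypt's own
          code.  It assumes that every shortcut reference starts with the
          equal sign and that shortcut names are not case-sensitive; the
          function name and the cycle check are hypothetical additions.

```python
import re

# "=" followed by a run of letters and digits, plus one optional trailing
# blank.  The blank is consumed, as the manual says it is removed.
_REFERENCE = re.compile(r"=([A-Za-z0-9]+) ?")

# Shortcut table built from the examples in this section (constructed data).
SAMPLE_SHORTCUTS = {
    "draw": r"\programs\artshop\drawings",
    "plato": r"=draw\plato",
    "homer": r"=draw\odyssey",
    "dime": "\\coins\\catalog\\dimes\\",
}


def expand_shortcuts(text, shortcuts, _active=()):
    """Return text with every =name reference replaced by its shortcut text.

    Shortcut text may itself contain references; they are expanded
    recursively.  Raises KeyError for an undefined shortcut and ValueError
    for an over-long name or for a shortcut that refers back to itself
    (the manual does not say how GK-Crypt treats that case).
    """
    def substitute(match):
        name = match.group(1).lower()  # assumption: names ignore case
        if len(name) > 12:
            raise ValueError(f"shortcut name longer than 12 characters: {name}")
        if name not in shortcuts:
            raise KeyError(f"undefined shortcut: {name}")
        if name in _active:
            chain = " -> ".join(_active + (name,))
            raise ValueError(f"shortcut cycle: {chain}")
        # Expand the shortcut's own text before inserting it.
        return expand_shortcuts(shortcuts[name], shortcuts, _active + (name,))

    return _REFERENCE.sub(substitute, text)


if __name__ == "__main__":
    for entry in (r"=plato\cover.jpg", r"=homer\cyclops.jpg", "=dime 1952"):
        print(f"{entry:22} -> {expand_shortcuts(entry, SAMPLE_SHORTCUTS)}")
```

          Showing the fully expanded name at the "correct file group?"
          prompt lets the user confirm the real path before anything is
          encrypted.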



          3.5. Group overlap


               It would be dangerous to encrypt two groups of files that
          could potentially overlap.  For example, if you were to encrypt
          the group TOP*.D* and then encrypt the group TO*.DOC the file
          TOPIC.DOC would get encrypted twice.  If you then decrypted those
          two groups in the same order, the file TOPIC.DOC would get
          hopelessly garbled.  It could never be recovered, because the
          keys would no longer be in the cache.

               To prevent this sort of catastrophe, GK-Crypt detects
          possible overlaps of file groups, and prevents you from
          encrypting such overlapping groups.  This is one of the many
          safety features built into GK-Crypt.
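
               The manual does not say how GK-Crypt detects overlapping
          groups.  The following added example (not GK-Crypt's own code)
          shows one way to do it for the wildcard and directory groups of
          section 3.2.  It assumes names are not case-sensitive and that
          both groups are given relative to the same current drive and
          directory; all function names are hypothetical.

```python
from typing import NamedTuple


class Group(NamedTuple):
    directory: str   # drive and path, ending in a backslash unless empty
    name: str        # filename field; a trailing "*" makes it a prefix
    ext: str         # extension field; a trailing "*" makes it a prefix
    recursive: bool  # True for a bare path such as \MENU\


def parse_group(spec):
    """Split a file identifier or file group into its fields."""
    spec = spec.upper()  # assumption: DOS-style names compare without case
    drive = ""
    if spec[1:2] == ":":
        drive, spec = spec[:2], spec[2:]
    path, sep, leaf = spec.rpartition("\\")
    directory = drive + path + sep
    if leaf == "":
        # A path with no filename: the directory and all its subdirectories.
        return Group(directory, "", "", True)
    name, _, ext = leaf.partition(".")
    return Group(directory, name, ext, False)


def field_matches(pattern, value):
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def matches(spec, filename):
    """True if the file group spec includes the given file."""
    group, target = parse_group(spec), parse_group(filename)
    if group.recursive:
        return target.directory.startswith(group.directory)
    return (target.directory == group.directory
            and field_matches(group.name, target.name)
            and field_matches(group.ext, target.ext))


def fields_overlap(a, b):
    """True if some string satisfies both field patterns."""
    a_wild, b_wild = a.endswith("*"), b.endswith("*")
    a_stem = a[:-1] if a_wild else a
    b_stem = b[:-1] if b_wild else b
    if a_wild and b_wild:
        # Two prefixes overlap when one is a prefix of the other.
        return a_stem.startswith(b_stem) or b_stem.startswith(a_stem)
    if a_wild:
        return b_stem.startswith(a_stem)
    if b_wild:
        return a_stem.startswith(b_stem)
    return a_stem == b_stem


def groups_overlap(spec_a, spec_b):
    """True if a single file could belong to both groups."""
    a, b = parse_group(spec_a), parse_group(spec_b)
    if a.recursive and b.directory.startswith(a.directory):
        return True
    if b.recursive and a.directory.startswith(b.directory):
        return True
    if a.recursive or b.recursive:
        return False
    return (a.directory == b.directory
            and fields_overlap(a.name, b.name)
            and fields_overlap(a.ext, b.ext))


def conflicting_groups(encrypted_specs, new_spec):
    """Groups already encrypted that the new group could overlap."""
    return [s for s in encrypted_specs if groups_overlap(s, new_spec)]


if __name__ == "__main__":
    already = ["TOP*.D*", "\\MENU\\"]  # constructed sample state
    for new in ("TO*.DOC", r"\MENU\BEEF\R*", "TAX*"):
        clash = conflicting_groups(already, new)
        print(f"{new:16} {'REFUSED, overlaps ' + str(clash) if clash else 'ok'}")
```

          The check is deliberately conservative: it refuses a group when
          an overlap is possible, whether or not a file such as TOPIC.DOC
          actually exists.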



          4. KEYS



               Choosing the keys for encrypting your files is one of the
          most critical steps in using the GK-Crypt package.  If you choose
          a short or weak key, it may be easy to remember and easy to type
          each time you need it, but your data will not be secure.  It is a
          serious mistake to think that you can use a weak key simply
          because you are using such a strong encryption package.  A strong
          safe with a weak lock is not secure.

               If you choose a long strong key your data will be more
          secure, but it will be harder for you to remember it and to type
          it accurately each time it is needed.  This chapter will describe
          techniques for choosing keys that are both secure and easy to
          remember and to type accurately.



          4.1. Key Do's and Don'ts


               Many people try to take shortcuts in order to have keys that
          are easy for them to remember.  You need to assume that any
          opponent will also be aware of the same shortcuts.  Here are some
          simple rules that can help prevent a costly error.

               When you choose a key, do not base the key on your personal
          information.  Assume that your opponent knows all of your
          personal data.

          DO NOT base your key on 

               Your birthday
               Your telephone number
               Your Social Security number
               Your license plate number
               Your spouse's, child's, parent's, sibling's or even
                 your pet's name, birthday, phone number, etc.

          DO NOT base your key on commonplace phrases 

               Nursery rhymes
               Song titles or lyrics
               Folk sayings
               Names of famous people, groups, places or events
               Names of books, plays or TV shows
               Punchlines from jokes
               Well-known dates
               Tongue twisters
               Words or phrases in other languages

          DO NOT use data widely known within your specialized field 

               Digits of pi or e
               Names of bones, nerves, or organs
               Names of stars, minerals, geological features, bacteria,
                 ancient cultures, alloys, proteins, theorems, etc.
               Mnemonics
               Names of people, schools, companies, places, etc.
               The speed of light, Avogadro's number, the Golden Ratio,
                 etc.

          DO NOT choose sequences of consecutive letters from the alphabet
          or from the keyboard, whether forwards, backwards or diagonally.

          DO NOT use the keys that appear in this manual.  Always assume
          that your opponent has read it, too.

          DO use a long key.

          DO try to make your key as random as possible.

          DO read this entire chapter on picking keys.

          DO evaluate the strength of your key according to the principles
          in the following sections.

          DO make your Master Key extra long and strong.



          4.2. Letters, digits and punctuation


               If there are several people who need access to the data, and
          who are trusted with the keys, then the problem of recording or
          memorizing the keys becomes multiplied.  Some people have the
          capacity to memorize long strings of random-looking letters
          and/or digits, but most people cannot do this.  The safest course
          is to write down your key, and keep it in a secure place, such as
          a locked safe.  Other techniques will be discussed in a later
          section.  It is advisable to have several copies, in case one
          copy gets lost, stolen or destroyed.

               The strength of an encryption key is measured in bits, the
          binary digits that are used by your computer's hardware.  Here is
          a rough guide to how many bits you get from each character in an
          encryption key when the characters are chosen randomly.  

               Table 1.  Strength of each character in a key.

               Decimal digits = 3.3 bits
               Single case letters = 4.7 bits
               Mixed case letters = 5.7 bits
               Mixed letters and digits = 5.9 bits
               Mixed letters, digits and punctuation = 6.3 bits

          Based on this chart, here is the strength of some sample
          10-character keys 

               Table 2.  Strength of 10-character blocks.

               5835701483 = 33 bits   Decimal digits
               CIWMRPTNZX = 47 bits   Upper case letters
               tyuhbivxks = 47 bits   Lower case letters
               DmbHaqREkV = 57 bits   Mixed case letters
               ku8Je94Lg7 = 59 bits   Mixed letters and digits
               g"p5WZc4%F = 63 bits   Mixed letters, digits, punctuation

          
               As you can see, the strength of the key increases when you
          choose randomly from a larger set of characters.  However, the
          difficulty of memorizing the keys and typing them accurately
          becomes much greater as the keys get more random.

               Note that all of the keys illustrated above are too short to
          be considered secure.



          4.3. Key blocks


               There are several methods for producing keys that are
          secure, yet easier for people to manage.  The first technique is
          to break your keys into blocks.  It has been a common practice
          for many years to break coded messages into blocks of 5
          characters each so that they can be transcribed more accurately.
          The same idea works for keys, too.  Notice how the key 

               CNWIALVMXBTEPOSBXRNH

          becomes much easier to read when it is broken into groups of 5
          letters 

               CNWIA LVMXB TEPOS BXRNH

          
               For longer keys it may be advisable to use additional
          punctuation to organize the blocks into groups of blocks.  For
          example, 

               48591-04528-16392, 35207-31654-74925, 09482-71653-42570

               GBXTL=PRBUI=LVZEW..BXGMN=LUIQT=SPFAE..VZJOQ=HUKBW=OZCND

          
               The second technique is to use groups that have the same
          structure.  Here are some examples, and the strength of each key
          block 

               91486 61872 94373   16 bits per block   5 digits
               T3708 D6204 F5193   18 bits per block   1 letter, 4 digits
               GS437 BR092 LX528   19 bits per block   2 letters, 3 digits
               UHM15 XTN63 MYA74   21 bits per block   3 letters, 2 digits
               QRILC PJRMS OVDZK   23 bits per block   5 letters

          The strength remains the same when the letters are placed in
          different positions.  For example, all of the following keys have
          the same strength, because every block has 2 letters and 3 digits

               GS437 BR092 LX528   Letters at the start of each block
               943KP 471GQ 205YL   Letters at the end of each block
               V107J X219C F738L   Letters at both ends of each block
               6WF52 9TU48 7JN13   Letters in the middle of each block

          
               One advantage of using key blocks that always have the same
          structure is that there is no confusion between letters and
          digits.  Some letters and digits that may get confused are 

               Letters   B G I l O S T Z
               Digits    8 6 1 1 0 5 7 2

          Its position in the block tells you whether the character is a
          letter or a digit, so there is no need to avoid these characters
          when you use blocks with a fixed structure.

               Another variation on this idea is to make each key block
          uniform, but to vary the types of blocks randomly.  Here are two
          30-character keys with uniform blocks.  Each block consists of
          all digits, or all uppercase letters, or all lowercase letters.  

               KNUHW 50258 fewrz 39274 gyakf obqnk

               doztc 81463 69917 AGNDL rdefo PUIZH

          



          4.4. Pronounceable keys


               Another technique that can be used to produce keys which are
          secure, yet easy to remember, is to make the keys pronounceable.
          That is, you would use pronounceable combinations of vowels and
          consonants to form syllables, and combine these syllables to form
          artificial words.  This method may be valuable in situations
          where it is unsafe to write down the keys, and they must be
          memorized.  Here are some examples.  

               shambu dilp prelec oltu domex sarbuti shum obior

               Yotz doruc flean jadmek pra kerazi, Lagatu limbrazon.

          
               You can burn the key into your memory by starting with just
          a few artificial words, say DOZEK ULM HAPLICO, and repeating
          these to yourself for a day or two.  Then add another few words,
          say DOZEK ULM HAPLICO GRUX ANTIAM, and repeat those in your head
          for a few more days.  You can add some more words the following
          day.
          

               dozek ulm haplico grux antiam ludovesk gur amesqi

          
               You can complete the process by adding capitalization and
          punctuation, like 

               Dozek ulm Haplico "Grux Antiam" ludo-vesk gur a'mesqi.

          Using mixed-case letters and punctuation increases the strength
          of your key.

               You can imagine the key to be a saying in some private
          language, and make up a translation, in order to fix it more
          firmly in your mind.  For example, 

               Wise king Haplico "Lion of Antioch" out-witted a sorcerer.

          
               In a pronounceable key each letter has a strength of about
          3.3 bits if the words are fairly uniform in length, and about 3.5
          bits if the words are more variable in length.  For example, the
          first key below is fairly uniform in length, while the second is
          more variable.  

               panek dilbap greho drung fasdop ulben bukty crivan

               lobykar elb dixiat glem urbiqeo dhorsh uz vilagump

          



          4.5. Patterns


               When choosing a key, avoid creating any patterns, such as
          repeated letters or syllables.  Patterns weaken the keys by
          making them easier to guess.  Here are some examples of keys with
          patterns.  

               BBXXTT KKUUVV WWYYCC      The letters are all in pairs.
               aaa3gg5yyyy9ccc7uu2       There are runs of equal letters.
               10704 20906 50803         The second and fourth digit in
                                         each group is zero.
               51615 38183 29092         Each group has an ABCBA pattern.
               zampana reveske flogoto   The vowels in each group are all
                                         the same.
               tuntam memescu saksoli    The first and second syllable
                                         start with the same letter.
               debendik devogi delakt    Every group starts with de.
               ABC ghi LMN def XYZ       Each group has 3 consecutive
                                         letters of the alphabet.
               500XD 711TJ 822GN         The second and third digits in
                                         each group are the same.
               31734 23839 30376         Every group has two 3's.
               dobaku levoti wafigo      Consonants and vowels alternate.
               vgy7 2wdc zse4 7ujm       Has diagonal runs on the keyboard.
               KAZ VEK CIF ZOP HUQ       The vowels run in order AEIOU.

          
               Once you have chosen a key, inspect it for patterns, and
          change it to remove them.  If your key is a long string of
          letters or digits, look to see if there are any letters or digits
          that are used too often, or that are missing.  You may want to
          make some changes.  However, don't overdo it.  If you use every
          letter or every digit exactly the same number of times, or if all
          the letters and digits in each block of your keys are always
          different, those are also patterns which weaken the key.



          4.6. Secretaries and clerks


               Sometimes lower-echelon employees will not safeguard file
          keys as zealously as other workers.  It is common for these
          employees to write down keys in places that are easily
          accessible, such as on the computer itself, on their desk pads or
          wall calendars, or on slips of paper on a bulletin board.
          Anybody could see the keys and write them down.  It is absurd for
          the company president to keep the Master Key in a locked box
          inside a walk-in vault, and for the secretary's assistant to
          write the Master Key on a gummed label on the wall next to the
          computer.

               The employee might assume that nobody will ever guess that
          those cryptic letters and digits are actually the Master Key that
          unlocks all of the company's secret files.  The employee might
          assume incorrectly.  If these employees must be trusted with the
          keys then it is essential that they be educated to avoid such
          security breaches.

               Keys should never be written or pasted on the computer
          itself, the computer desk, a desk pad or calendar, the cover of a
          notebook or steno pad, the bottom of a stapler, telephone or
          flowerpot, the back of a clipboard, letter tray or desk
          organizer, or any similar place.  Intruders know to look in such
          places.  Don't make their job easy.



          4.7. Key strength


               The following table is a guide to how long a key must be in
          order to achieve various levels of security.  For example, if you
          want a key strength of 200 bits, and you use a decimal key, then
          you need 60 digits.  With the speed of current computers, 100
          bits is the lowest level of security that can be considered safe.

               The table assumes that the letters or digits of the key are
          chosen completely randomly.  If the letters or digits follow some
          pattern then your key needs to be longer.  For example, a key
          such as 

               TC174 JF296 BH583 KD629

          would be measured as 8 single-case letters and 12 digits, for a
          total strength of 77 bits.  Because of the LLDDD pattern it would
          not be considered to be 20 mixed letters and digits, which would
          have a strength of 118 bits.  


          Table 3.  For each type of key, this table shows how long to make
                    the key in order to achieve the desired strength.

                                   Desired key strength measured in bits
          Type of key             100   125   150   200   250   300   400
          ---------------------------------------------------------------
          Decimal digits           30    38    45    60    75    90   120
          Single-case letters      21    27    32    43    53    64    85
          Mixed-case letters       18    22    26    35    44    53    70
          S-C letters + digits     19    24    29    39    48    58    77
          M-C letters + digits     17    21    25    34    42    50    67
          Letters, digits, punc    16    20    24    32    40    47    63
          Uniform blocks           22    27    33    44    55    66    88
          Pronounceable, uniform   30    38    45    60    75    90   120
          Pronounceable, variable  29    36    43    57    71    86   114

          For example, if you wanted a decimal key you would read across
          the top row of this table.  If you wanted the decimal key to have
          a strength of 125 bits, you would look at the second column in
          the top row to find that you would need 38 decimal digits.  If
          you wanted a key of mixed-case letters and digits with a strength
          of 250 bits, you would need 42 letters and digits.

               Note that the longest input line you can enter is 126
          characters.  (This is a limitation of DOS, not a limit set by
          GK-Crypt.)  So if you wanted 400 bits of strength, and you chose
          to have a decimal key which requires 120 digits, then you would
          have only 6 characters left to separate the blocks.  Your blocks
          would need to average over 17 characters each.  (A pattern of 17,
          17, 17, 17, 17, 17, 18 would fit.)



          4.8. Summary: Picking a key


          The best way to pick a key is to follow these steps.

          (1) Decide how strong you want your key to be, say 200 bits.
          (2) Choose the type of key, say blocks of letters and digits.
          (3) Use the tables above to determine the key length.
          (4) Randomly choose a key of the required length.
          (5) Inspect the key for patterns.
          (6) Adjust the key to remove or reduce the patterns.
          (7) If you will need the key again, write down the key and keep
                  a copy in a secure place.
          (8) Type the key when GK-Crypt asks for it.
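
               Steps (1) through (5) can be carried out mechanically.  The
          following is an added example, not part of GK-Crypt; the function
          names and the L/D block templates are hypothetical.  It takes the
          strength of a character as log2 of the number of choices, which
          agrees with Table 1 for digits (3.3) and single-case letters
          (4.7), and it checks for only a few of the patterns listed in
          section 4.5.

```python
import math
import secrets
import string

# Block templates: L = uppercase letter, D = decimal digit.
CLASSES = {"L": string.ascii_uppercase, "D": string.digits}
MAX_LINE = 126  # longest key line the manual says can be typed


def template_bits(template):
    """Bits in one block whose positions follow the template, e.g. 'LLDDD'."""
    return sum(math.log2(len(CLASSES[c])) for c in template)


def blocks_needed(target_bits, template):
    """Steps 1-3: fewest blocks that reach at least target_bits."""
    return math.ceil(target_bits / template_bits(template))


def generate_key(target_bits, template="LLDDD", sep=" "):
    """Step 4: choose every character independently with the OS CSPRNG."""
    count = blocks_needed(target_bits, template)
    key = sep.join(
        "".join(secrets.choice(CLASSES[c]) for c in template)
        for _ in range(count)
    )
    if len(key) > MAX_LINE:
        raise ValueError("key would not fit on one %d-character line" % MAX_LINE)
    return key


def measured_bits(key):
    """Score a fixed-structure, single-case key position by position,
    the way section 4.7 scores TC174 JF296 BH583 KD629."""
    bits = 0.0
    for ch in key:
        if ch.isdigit():
            bits += math.log2(10)
        elif ch.isalpha():
            bits += math.log2(26)
    return bits  # separators add nothing


def find_patterns(key):
    """Step 5: report some section 4.5 patterns in a space-separated key."""
    blocks = key.split()
    found = []
    # Doubled characters, e.g. BBXXTT.
    if any(a == b for blk in blocks for a, b in zip(blk, blk[1:])):
        found.append("adjacent repeat")
    # Blocks that read the same backwards, e.g. 51615.
    if any(len(blk) >= 3 and blk == blk[::-1] for blk in blocks):
        found.append("palindromic block")
    # The same character at the same position in every block, e.g. 10704 20906.
    if len(blocks) >= 3:
        width = min(len(blk) for blk in blocks)
        if any(len({blk[i] for blk in blocks}) == 1 for i in range(width)):
            found.append("fixed column")
    # Three consecutive letters or digits, up or down, e.g. ABC or 987.
    for blk in blocks:
        codes = [ord(c) for c in blk.upper()]
        steps = [b - a for a, b in zip(codes, codes[1:])]
        if any(s == t and abs(s) == 1 for s, t in zip(steps, steps[1:])):
            found.append("alphabet run")
            break
    return found


if __name__ == "__main__":
    key = generate_key(200)
    print(key, round(measured_bits(key)), find_patterns(key))
```

          This code rounds the length up so that the target is always met,
          whereas Table 3 rounds to the nearest character (30 digits for
          100 bits), so the two can differ by one character.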



          5. INSTALLING GK-CRYPT



               The key to using GK-Crypt effectively is planning.  Before
          you install GK-Crypt on your computer, you should determine which
          files you need to protect.  The list of sensitive data in the
          first chapter can provide a starting point.



          5.1. Copying the GK-Crypt files


               The first step in installing GK-Crypt is to copy the
          GK-Crypt files from the distribution disk onto your computer's
          hard disk.  Suppose that you have inserted the distribution disk
          into the d drive on your computer, and that you want to install
          GK-Crypt in a directory called GK on your c drive.  You would
          copy the files by issuing the command

               copy d:* c:\gk\

          This is a good way to get started.  After you have been using
          GK-Crypt for a while, you may wish to install additional copies
          on your computer so that you have less typing of file names.



          5.2. Multiple copies of GK-Crypt


               Earlier versions of GK-Crypt suggested that users could
          install multiple copies of GK-Crypt on their computers.  These
          copies would be placed in the same directories that contained the
          data to be encrypted.  This would save typing of long data paths.
          However, it also created the potential for errors, since the same
          file could get encrypted using two different copies of GK-Crypt.
          The error would not be detected because each copy of GK-Crypt
          would have its own cache file.

               GK-Crypt Version 03 has been redesigned to eliminate this
          problem.  You should have only one copy of GK-Crypt on your
          computer.  This copy will have one cache that will keep track of
          all the encrypted files on your computer, and prevent such errors
          as encrypting the same file twice, or decrypting a file with the
          wrong key.  This is not only safer, but it saves the extra disk
          space needed for multiple copies.

               To access GK-Crypt from other directories you create a batch
          file named gk.bat.  Suppose that you have placed the GK-Crypt
          program into the \myprogs\security\gkcrypt directory.  Then the
          gk.bat file should contain the single line

               \myprogs\security\gkcrypt\gk.exe

          You would place a copy of gk.bat in each directory where you
          normally work with sensitive files that you may wish to encrypt.



          5.3. Installation


               The first time you run GK-Crypt the program will install
          itself.  You run GK-Crypt by typing the command

               GK

          and pressing Enter.  During the installation you will choose your
          Master Key.  You need to choose the Master Key carefully so that
          you do not forget it.  We suggest that you read the chapter on
          choosing keys before you start the installation.

               The first thing GK-Crypt will need is the installation
          password.  You will find this password enclosed with the GK-Crypt
          installation disk, unless you have made specific arrangements to
          have it mailed separately.  The password is not case-sensitive.
          You can type it in either upper or lower case.

               The installation password is not related to any encryption
          key used by GK-Crypt.  Knowledge of the installation password
          will not enable, or even help, anyone to read your data files.

               After you have entered the password, you will be asked to
          accept the GK-Crypt Software License.  GK-Crypt can be used only
          under the terms of the Software License.

               The next installation step is to enter your Master Key.  It
          is essential that you choose a long and strong Master Key.  The
          types of passwords that are used for logging onto websites are
          not nearly strong enough to provide any real data security.  See
          the Keys chapter of this manual to learn how to choose a suitable
          Master Key.  Be certain that you write down your Master Key and
          keep several copies in secure places, such as locked in a safe,
          and off-site in a bank safe deposit box.

               However, just to get started, you could use a simple key at
          first, and change to a more secure Master Key later.  Some people
          find it easier to build up a secure key by adding one element at
          a time.  Maybe they start with their childhood pet's name, say
          Fido.  The next time they run GK-Crypt they add another layer,
          say #Fido#.  After a few more runs they add a prefix, maybe
          zIx-#Fido#.  When they have that securely committed to memory,
          they add another bit, perhaps zIx-#Fido#-Q?4.  When they reach 5
          or 6 such elements, they will have a secure Master Key.  Just
          remember that each time you change the Master Key you need to
          replace the copies you have made.

               After setting the Master Key, and verifying that you have
          typed it correctly, GK-Crypt will start your first session.  The
          only key that you must remember is the Master Key.  All other
          keys are generated and recorded for you by GK-Crypt.



          5.4. Practice


               Before you use GK-Crypt on valuable data, it's a good idea
          to make some practice runs.  Create a few small temporary files
          and encrypt them.  Take a look at the encrypted files.  Then
          decrypt the files and look at them again.  Verify that the files
          are back to their original contents.

               It looks miraculous.  The encrypted files are complete
          chaos, total gibberish.  Not even the most sophisticated
          statistical tests can distinguish them from true random data.
          But GK-Crypt restores them to their original form.

               Try encrypting a group of files starting with the same
          letters, such as GKTEST1, GKTEST2 and GKTEST3.  Encrypt and
          decrypt the group as GKTEST*.  Try creating a directory and a
          subdirectory, such as \GKSAMPLE and \GKSAMPLE\SUB.  Put some test
          files in both directories.  Then encrypt and decrypt the whole
          group of files as \GKSAMPLE\.

               You might also want to try a few mistakes, just to see what
          happens.  Try typing your Master Key incorrectly.  Try encrypting
          a file that does not exist.  Try encrypting a file that is
          already encrypted.  You will see that GK-Crypt protects you
          against these types of errors.

               Once you have gotten the hang of it, you are ready to try
          encrypting some real files.  For your own peace of mind, you
          should back up the files first.

               After you have been using GK-Crypt for a while, and you have
          gained confidence in your ability to use it correctly, you may
          want to take all of your old backups, the ones where the data
          files are not encrypted, and destroy them.  Don't just toss them
          away.  Cut the tapes into shreds.  Chop the disks into shards.
          Don't discard all of the bits in the same place.

               From this point on, all of your backups will contain your
          sensitive files only in encrypted form, along with the
          corresponding GK-Crypt Master File and cache.



          6. SAFETY FEATURES



               The GK-Crypt data security package is designed with
          safeguards against all of the common problems that plague other
          data encryption programs.  It is therefore the safest, as well as
          the strongest, data encryption package you can get.



          6.1. Lost keys


               The most frequent problem with encryption occurs when the
          user forgets or loses a file key.  The GK-Crypt package has two
          safeguards against this problem.  The first safety feature is the
          cache.  GK-Crypt records all of the file keys in the cache.  You
          never need to remember or record any of your file keys in order
          to decrypt your data.  The only key you need to record and
          remember is your Master Key.  GK-Crypt remembers all of the other
          file keys for you.

               The second feature that safeguards against loss of keys is
          GK-Crypt's automatic key generation.  GK-Crypt generates all of
          your file keys for you, so you never have to remember file keys,
          or type file keys, or even see any file keys.  GK-Crypt takes
          care of all that work for you.  It also means that the file keys
          can be much stronger than user-selected keys.  The file keys can
          be long and completely random, since they never need to be typed
          or remembered.



          6.2. Strong Master Key


               Some other encryption packages generate all of the keys, not
          just the file keys, but the Master Key and the cache key, too.
          The user does not have to remember any keys at all.

               This is convenient, but it is not safe or secure.  Anyone
          who gets access to your computer can use the program to decrypt
          your files.  Anyone who gets one of your data disks can buy a
          copy of that program and read your files.

               Other packages use strong file keys, but require only a
          simple password to operate the program.  This means that anyone
          who can guess the password can read your files.  It is possible
          to use a program to generate and try millions of passwords per
          second, so it is fairly easy for somebody to get at your data.

               GK-Crypt lets you use strong Master Keys, up to 126
          characters long.  If you follow the guidelines in the chapter on
          choosing keys, then nobody can guess your Master Key, not with
          all the computing power on earth.



          6.3. Unauthorized users


               Suppose that a malicious person obtained access to your
          computer, and tried to disrupt your business by encrypting some
          of your files with an unknown key.  That person might try to
          ransom your data, and ask for a large fee to supply the key to
          recover your data.

               Even if this person, perhaps a disgruntled employee or
          business partner, possessed the Master Key you would still be
          safe.  The cache protects you.  The cache records the key, so you
          can recover the data even under those difficult circumstances.



          6.4. Double encryption


               Another large source of problems with other data security
          packages is double encryption, or double decryption.  This
          happens when the user forgets whether a file is encrypted or not.
          The user might encrypt a file that has already been encrypted, or
          decrypt a file that has not been encrypted, or that has already
          been decrypted.

               Suppose that the user of some lesser security package
          encrypts a file with key 1, and then encrypts it again with key
          2.  After the user decrypts the file with key 2, the file is
          still encrypted with key 1, and therefore unreadable.  If the
          user does not figure this out, and decrypts again with key 2,
          then the data is lost.

               Now, suppose that the user of this other program has
          encrypted the file first with key 1 and then with key 2.  Suppose
          that the user did this intentionally to get extra security
          because the other program was not as strong as GK-Crypt.  If the
          user then decrypted the file with key 1, and then with key 2, the
          file would be completely garbled.  Unless the user could figure
          out what had happened, and then unravel all of the steps, the
          data would be lost.  (To recover the data, the user would need to
          encrypt the data with key 2, encrypt it with key 1, decrypt it
          with key 2 and finally decrypt it with key 1.  Any other sequence
          of steps would garble the file even further.)

               These types of problems cannot happen with GK-Crypt.
          GK-Crypt uses the cache to prevent all such problems.  It will
          not let you encrypt a file twice, or decrypt a file that is not
          encrypted.  It will not let you encrypt a file with one key and
          decrypt it with a different key.



          6.5. Double copies


               Another problem with other data privacy packages is that
          they may make multiple copies of a file.  They encrypt a file by
          reading the file one section at a time, encrypting that portion,
          and writing the encrypted data to a new file.  After they finish
          they delete the original file.  This leaves two copies of the
          file on your disk, the original file and the encrypted file.

               Even though your original file has been deleted, the data is
          still there on your disk, and someone could read it.  There are
          well-known utility programs widely available for this purpose.
          Files often get erased accidentally, so utility programs have
          been written that can recover the data from an erased file.

               This problem is insidious, because the user may never know
          that it has happened.  The file looks fine when it is decrypted.
          The file looks totally random when it is encrypted.  The user may
          never realize that copies of the original file are still right
          there on the hard disk where anyone with a simple utility program
          can read them.

               GK-Crypt eliminates this problem by writing random gibberish
          over the old file before it gets deleted.  This is called
          shredding the file.  Starting with GK-Crypt Version 02, the old
          file is shredded 3 times.



          6.6. Partial encryption


               Some other data security packages use an alternate approach
          to prevent your original data from remaining on your disk.  They
          write the encrypted data on top of your original file.  The
          problem with this solution is that if the power should go down,
          or even flicker for a fraction of a second, you will be left with
          a partially encrypted file.  (A surge protector may get you a few
          seconds, but any longer interruption will shut down your computer
          right in the middle of whatever it happened to be doing.)  It may
          be possible to recover the data, if the key is known, but it will
          take a great deal of work to figure out the exact spot where the
          encrypted portion ends and the original data starts.

               GK-Crypt takes a different, safer approach to encrypting a
          file.  If the power goes down during encrypting a file, your
          original file will be untouched.  You will not need to perform a
          data recovery process.  You can proceed as if the power failure
          never happened.



          6.7. Master and cache


               The same safety features that are used for your data files
          are also used for the Master File and the cache file.  The new
          Master File or cache is always written to your disk before the
          old one is deleted.
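
               The order of operations described in sections 6.5 to 6.7,
          as an added example that is not GK-Crypt's own code: the new
          file is written in full first, and only then is the original
          overwritten 3 times and deleted.  The function names, the
          buffer size and the placeholder transform are assumptions of
          this example.

```python
import os
import secrets
import tempfile

SHRED_PASSES = 3        # the manual states 3 overwrite passes since Version 02
CHUNK = 64 * 1024       # I/O buffer size (assumption of this example)


def overwrite_random(path, passes=SHRED_PASSES):
    """Overwrite every byte of `path` in place with random data, `passes` times."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())    # push this pass to the device before the next
    return size


def shred(path, passes=SHRED_PASSES):
    """Overwrite the file, then delete it, so undelete tools find only noise."""
    overwrite_random(path, passes)
    os.remove(path)


def replace_safely(src, dst, transform):
    """Write transform(src) to dst completely, and only then shred src.

    A failure at any point before dst is complete leaves src untouched and
    removes the partial output, so there is never a half-converted file.
    """
    if os.path.abspath(src) == os.path.abspath(dst):
        raise ValueError("dst must be a different file from src")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dst)),
                               prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            for chunk in iter(lambda: inp.read(CHUNK), b""):
                out.write(transform(chunk))
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, dst)        # the finished file takes its name in one step
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)          # discard the partial output, keep src as it was
        raise
    shred(src)                      # the original goes last, once dst is on disk


def placeholder_cipher(chunk):
    """Stand-in for the real cipher so the example runs; NOT encryption."""
    return bytes(b ^ 0xA5 for b in chunk)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "chapter6.wp")      # constructed sample file
        with open(plain, "wb") as f:
            f.write(b"constructed sample text\n" * 1000)
        replace_safely(plain, plain + ".enc", placeholder_cipher)
        print("original present:", os.path.exists(plain))
        print("directory now holds:", os.listdir(d))
```

               Overwriting in place only reaches the old data when the
          disk and file system actually write to the same location.
          Solid-state drives, journaling or copy-on-write file systems,
          and backups can all retain earlier copies of the file.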



          6.8. Adding and renaming files


               Although GK-Crypt takes every possible safety precaution
          with the operations under its control, it is still possible for
          problems to occur because of things that the user does outside of
          GK-Crypt.

               The first problem occurs if a user renames a file within a
          group of encrypted files.  GK-Crypt bases the key for each file
          within a file group on its file name.  If you renamed the file,
          or moved it to another directory, GK-Crypt would be unable to
          decrypt it correctly.  You should never rename a file while it is
          encrypted.  Only decrypted files can be renamed or moved.

               Likewise, if you restore an encrypted file from a backup
          disk, it must be restored with the same name and to the same
          directory.  If the file has not been encrypted or decrypted since
          the backup was made, then simply copying the backup file to its
          old location is sufficient.  But, if the file has been decrypted
          and then encrypted again since the backup was made, then its
          encryption key on the hard drive, and its encryption key on the
          backup disk will be different.  There are specific steps that
          must be taken in order to make sure that the file is decrypted
          with the correct key, without affecting the decryption of other
          files.  See the section "Backup and recovery" for full details.

               If this problem happens, you can still recover the file if
          you have a backup that also contains the Master File and the
          cache.  The need to make frequent backups is always important,
          but it is doubly important when you are using encryption.

               The second problem occurs if you add a new file within a
          group of files that has been encrypted.  Suppose that you have
          encrypted the file group *.JPG and then you add a new picture,
          SHEEP.JPG to the group.  When you decrypt the group, the file
          SHEEP.JPG will be decrypted along with all of the other picture
          files.  This will leave SHEEP.JPG garbled, because it had not
          been encrypted.

               If this happens, get a new copy of SHEEP.JPG from the
          original source, or from a backup.  This is perfectly safe when
          the file and the group are not encrypted.

               File operations, such as creating new files, deleting old
          files, and renaming files, should be done only when the files are
          decrypted.



          6.9. Backup and recovery


               There are a number of situations where you may need to
          restore your data from a backup disk.  The most serious is when
          your hard disk fails completely.  In this situation, you need to
          install a new hard drive, and reinstall the Windows operating
          system before you can even address the issue of your data files.

               Once your computer is up and running, you can restore your
          data files.  If you have included the GK-Crypt Master File and
          cache on your backup disk, then encrypted files can be restored
          right along with your other files.  They do not require any
          special measures or treatment.  Once you have recovered your
          files, your data will be in the same state as it was when you
          made your backup.

               The other, more common situation is when you decide that
          you want to restore a specific file to an earlier state.  Suppose
          that you have an encrypted file \novel\chapter6.wp that you wish
          to restore.  Let's assume the worst case, namely that you have
          many encrypted files, and that you have decrypted some, changed
          some, re-encrypted some, added and deleted files, and so forth.
          You want to restore only the file \novel\chapter6.wp and none
          others.

               This can be done, but it requires care.  You have to decrypt
          your file with the same key that was used to encrypt it, but
          without altering the encryption keys for any other file.  Begin by
          decrypting the current version of the file.  This removes the
          file name from the cache.  Now, save the current Master File and
          cache in a new directory.  To be extra safe, also copy the
          current version of \novel\chapter6.wp to that directory.  Then
          you can safely copy the old Master File, cache and the encrypted
          file from the backup disk to their former places on your hard
          disk.  Decrypt \novel\chapter6.wp using the old master and cache.
          Finally, copy the current Master File and cache back from where
          you saved them to the GK directory.

               This process is harder than a normal recovery, but with most
          other encryption programs it is not possible at all.



          7. COMPARING ALGORITHMS



               The first chapter of this manual states that GK-Crypt
          is far stronger than any other commercial file encryption
          product.  This is a bold claim.  In this chapter the claim will
          be justified by comparing GK-Crypt to some other encryption
          algorithms (methods) that are in widespread use today.



          7.1. The GK-Crypt algorithm


               In order to explain why GK-Crypt is so much stronger than
          other encryption algorithms, it will be helpful to explain some
          of the technical details of its algorithm.

               GK-Crypt is a secret-key algorithm.  Its strength depends on
          secret keys which are known to the legitimate user, but not to an
          eavesdropper or intruder.  These secret keys are the Master Key,
          the cache key, the shortcut key and the key for each encrypted
          file.

               There are two basic kinds of secret-key algorithms, block
          ciphers and stream ciphers.  In a block cipher each block of
          message characters is subjected to a sequence of substitution,
          permutation, and combination steps in order to produce a new
          block of thoroughly scrambled text.  The algorithm combines each
          block of the original message with some part of the key in a
          fixed way.

               In a stream cipher there is some method of extending the
          original key to generate a stream of key characters as long as
          the message.  Each character of the message is combined with the
          corresponding character of the key to produce one character of
          the encrypted message.  In very strong stream ciphers the next
          character of the key will depend on both the original key, and
          the contents of the message.

               GK-Crypt combines both of these methods.  It uses a very
          strong block cipher and a very strong stream cipher.  Either of
          these encryption methods taken alone would be much stronger than
          any current commercial encryption method.  Combined, they become
          stronger than nearly all military and diplomatic encryption
          methods as well.

               GK-Crypt treats the contents of your data file as a sequence
          of blocks that vary from 16 characters to 32 characters, or 128
          bits to 256 bits long.  Each block is encrypted using a block
          cipher.  The block cipher has a 690-character, or 5520-bit key.
          The original key, which is kept in the cache, is 80 characters,
          or 640 bits.  This is expanded into the 690-character, or
          5520-bit block key.  The expansion uses non-linear functions, so
          that the expanded key has no linear relationship with the
          original key.

               The block cipher uses 9 rounds of substitutions in which
          each character of the block is combined with one character of the
          expanded key.  Then each character of the block is combined with
          another character of the block.  These character pairs are
          combined using three independent strongly non-linear functions.
          This means that the bits of the output are not correlated to the
          bits of the input.

               After each round of substitutions the 16 to 32 character
          block is thoroughly mixed using a key-dependent permutation.  The
          9 rounds insure that every character of the encrypted block
          depends on every character of the file block, and every character
          of the original key.

               After each block is encrypted a new key block is generated,
          so that every block of the file is encrypted with a completely
          different key block.  The new key is also generated using 9
          rounds of non-linear character combination and key-dependent
          permutation.  This results in an ultra-strong stream cipher that
          combines 16 to 32 character data blocks with 690-character key
          blocks to produce 16 to 32 character encrypted blocks.

               At every stage in the design of GK-Crypt care was taken to
          make each element of the encryption as strong as possible.  The
          substitution tables were constructed to be as non-linear as
          possible.  The substitution and permutation portions of the block
          cipher use independent keys in each round.  The generation of the
          next block key is done using yet a third independent key.  This
          was done so that if any information about any part of these keys
          can be learned by an opponent, that does not reveal anything
          about the other parts.  Additional safeguards assure that even if
          an opponent somehow knew all of the substitution keys and all of
          the permutation keys for some block, it would still be impossible
          to determine the keys for any other block.

               There is no revolutionary breakthrough here.  GK-Crypt is
          just a solidly engineered process combining powerful encryption
          techniques that have proved reliable for centuries.  For every
          conceivable attack on the encryption, counter-measures have been
          designed and incorporated.



          7.2. AES Advanced Encryption Standard


               AES is an encryption method which was adopted for widespread
          use after a lengthy evaluation of some 35 different proposed
          cryptographic algorithms.  This might lead people to believe that
          AES is therefore the strongest available cryptographic algorithm.
          This is not true.

               The selection process for AES was based on several criteria
          including strength, speed, size, and ease of implementation.  The
          algorithm that was chosen, called Rijndael, was judged to have
          only medium strength.  3 of the 5 finalists in the selection
          process (called Mars, Serpent and Twofish) were judged to be
          stronger.  They were not chosen because they were slower, more
          complex, or required more storage.  The GK-Crypt algorithm is far
          stronger than all 5 of the AES finalists.

               There are several more reasons why GK-Crypt is much stronger
          than the AES algorithm.  GK-Crypt was developed several years
          after AES was made public.  This means that all the features of
          AES which made it secure were known when GK-Crypt was developed.
          All of the secure features of AES were used in GK-Crypt, and
          several new features were added to make GK-Crypt vastly stronger
          than AES.  GK-Crypt versions 02 and higher use variable block
          size and other features that make it even stronger.

               AES was necessarily a compromise.  It had to be small and
          simple in order to be suitable for use in a broad range of
          applications, including tiny low-cost chips imbedded in credit
          cards, passports, medical ID bracelets, military ID tags, and so
          forth.  In the future, even smaller AES chips may be imbedded in,
          or printed directly onto banknotes (paper currency), checks,
          stock certificates, and similar documents.  Such chips have very
          limited storage and computing power, so AES had to be limited in
          size to make it fit.  It also had to be kept simple because it
          was going to be implemented many times by many different
          programmers and chip designers, most of whom have no expertise in
          cryptography.

               GK-Crypt was designed solely for use on computers.  It did
          not have to meet stringent constraints on key size and program
          size.  So GK-Crypt can use more storage, take more steps, and use
          longer keys than AES.  It was implemented by an expert computer
          programmer who is also an experienced cryptographer with several
          published papers on cryptography, so it did not need to be small
          and simple.  (Some of the papers are available online.  Links to
          these papers can be found at
          http://www.mastersoftware.biz/gkcrypt.htm.)  The absence of these
          size and complexity constraints allows GK-Crypt to be far stronger
          than AES.

               In terms of key size and number of steps, GK-Crypt is
          roughly equivalent to encrypting 4 times with AES using 4
          independent keys.  AES uses 128-bit keys that are expanded
          internally to 1024-bit keys.  GK-Crypt uses 640-bit keys that are
          expanded internally to 5520-bit keys.  However, GK-Crypt has some
          features that make it much stronger than 4 times AES.  For
          example, GK-Crypt uses a new key for every block of data.  This
          means that an opponent cannot accumulate a large number of data
          blocks that are all encrypted with the same key.  Many
          cryptographic systems have been broken by using a large number of
          messages encrypted with the same key.  AES is vulnerable to such
          an attack, but GK-Crypt is not.



          7.3. RSA public key cryptography


               The security of the RSA public key algorithm rests solely on
          the fact that it is difficult to factor large numbers.  If you
          are given two numbers, say 1511 and 1747 it is easy to find their
          product, 2639717.  It is much more difficult to go the other way,
          given a large number to find the numbers that were multiplied to
          produce it.  These numbers are called its factors, hence the
          factors of 2639717 are 1511 and 1747.  The difficulty grows the
          larger the factors get.  When the factors get up to 100 decimal
          digits or more, it takes a great deal of sophisticated
          mathematics and computing time to factor the number.
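
               The asymmetry described above, worked through with the
          manual's own numbers as an added example that is not part of
          the original manual: a toy RSA key is built from 1511 and 1747,
          and factoring the public number 2639717 is enough to rebuild
          the private key.  The public exponent 65537, the sample message
          and the function names are assumptions of this example.

```python
from math import gcd, isqrt

P, Q = 1511, 1747       # the two primes from the manual's example
N = P * Q               # 2639717, the public modulus
E = 65537               # public exponent (assumed; a common choice)


def make_private_exponent(p, q, e):
    """Key owner's side: knowing p and q, compute d with e*d = 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return pow(e, -1, phi)


def encrypt(m, e, n):
    """Anyone can do this with only the public values e and n."""
    return pow(m, e, n)


def decrypt(c, d, n):
    """Requires the private exponent d."""
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Return (p, q, divisions_tried) with p the smallest prime factor of n."""
    tried = 1
    if n % 2 == 0:
        return 2, n // 2, tried
    for candidate in range(3, isqrt(n) + 1, 2):
        tried += 1
        if n % candidate == 0:
            return candidate, n // candidate, tried
    raise ValueError("n has no non-trivial factors")


def recover_private_exponent(n, e):
    """Outsider's side: only n and e are known, so n must be factored first."""
    p, q, _ = factor_by_trial_division(n)
    return make_private_exponent(p, q, e)


if __name__ == "__main__":
    message = 424242                        # constructed sample message, < N
    ciphertext = encrypt(message, E, N)
    p, q, tried = factor_by_trial_division(N)
    print(f"{N} = {p} x {q}, found after {tried} trial divisions")
    d = recover_private_exponent(N, E)
    print("private exponent rebuilt from the factors:", d)
    print("message recovered:", decrypt(ciphertext, d, N) == message)
```

               Multiplying 1511 by 1747 is a single step, while finding
          them again takes hundreds of divisions even at this size.  The
          number of divisions grows with the size of the smaller factor,
          which is why the size of the primes carries the whole security
          of the key.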

               The problem with RSA public key cryptography is that it is
          subject to advances in mathematics.  A few years ago
          mathematicians learned how to use elliptic curves to factor large
          numbers.  Suddenly many public keys that seemed totally secure
          could now be broken, and all of the messages sent using those
          keys could now be read.

               The users of public key cryptography had to develop new keys
          that were larger than the old keys.  But, for some, it was too
          late.  Their secret messages and private files had already been
          read.



          7.4. Quantum cryptography


               The newest development in secret communications is quantum
          cryptography.  There are two separate forms of quantum
          cryptography, which may be called "photon cryptography" and
          "quantum entanglement."


          7.4.1. Photon cryptography

               Photon cryptography uses a beam of light in which each
          individual photon, or light particle, has been put into one of
          two different quantum states.  Each photon, therefore, carries
          one bit of the encrypted message.  So photon cryptography is
          basically ordinary cryptography, except that a beam of photons is
          being used to transmit the message, rather than a wire or radio
          waves.

               The advantage of photon cryptography is that anybody trying
          to eavesdrop, and determine the state of the photons, would
          change their state.  Therefore eavesdropping could easily be
          detected.  That may be true, but the end result is that the
          eavesdropper would receive the message, while the intended
          receiver would not.

               A more sophisticated approach would be for the eavesdropper
          to read the message, and then generate a new photon beam with the
          same quantum states.  The receiver would never know that the
          photons are not the originals.


          7.4.2. Quantum entanglement

               This method is not available to the public, may never be
          available outside of government, and may still be years away from
          practical use.  We discuss it here because it has the potential
          to become an extremely strong cryptographic method.

               The basic idea in quantum entanglement is that the sender
          and the legitimate receiver of a message each have a set of
          quantum particles that are synchronized, or "entangled" with each
          other.  That is, the particles are always in the same quantum
          state, even though they may be many miles apart.  A change to one
          particle causes the same change to its mate.

               The method has a great advantage, which may also be a fatal
          flaw.  Any attempt by an outsider to determine the state of
          either particle can change its state, and thus alert the parties
          that there is an eavesdropper.  However, this property means that
          an opponent can completely disrupt communications simply by
          listening in.  The receiver cannot know if a change in the
          particle is a message from the sender or an attempt by someone
          else to listen in.  This property, therefore, may doom quantum
          entanglement cryptography.



          Appendix A. DOS BASICS



               GK-Crypt runs under DOS, not under Windows.  DOS was the
          primary operating system for personal computers from about 1975
          to 1995.  Older versions of Windows, prior to the introduction of
          Windows 95, ran as tasks under DOS.  Since 1995 the situation has
          reversed, and DOS now runs as a task under Windows.  Every
          computer user before 1995 knew DOS well.  However, newer computer
          users may not be familiar with DOS, so that a little basic
          orientation may be helpful.



          A.1. Starting DOS


               On newer computers it may be difficult even to find DOS in
          order to use it.  There are two methods for running DOS.  The
          first method is to click on a DOS icon from your desktop, or from
          a taskbar at the top or bottom edge of the desktop.  The icon may
          say DOS, or MSDOS, or possibly CMD or COMMAND.  Clicking any one
          of these icons will start DOS.  If there is a DOS icon on your
          desktop or in a taskbar, you can skip the rest of this section.

               If there is no DOS icon on your desktop or taskbar you may
          find one elsewhere.  Start by clicking on "Start" in the corner
          of the screen.  This will bring up a menu listing various
          programs and options.  If there is a DOS icon there, you can use
          it directly, or you could drag it onto the desktop for future
          use.  If it is not there, click on "Programs" or "All Programs."
          This will bring up a long list of various programs that are on
          your computer.  If one of these is DOS, you can click it, or you
          can drag it to the desktop.

               If you still don't see a DOS or CMD icon, put your mouse on
          each of the icons that you see.  Don't click, just let the mouse
          cursor rest on the icon.  This will often bring up another list
          of programs, and DOS may be among them.

               If DOS still is not there, don't give up.  You just need to
          search deeper.  In the list of All Programs there will be some
          folders with names such as "Applications" or "System Utilities."
          Click to open each of these folders.  In those folders you may
          find DOS or CMD.  Or, you may find more folders.  Again, rest the
          mouse on the names of programs, and click on folders to find even
          more well-hidden programs and folders.

               Once you find the DOS icon, drag it to the desktop.  Put the
          mouse cursor on the DOS icon and hold down the left button.  Move
          the mouse to drag the cursor onto the desktop, and then release
          it to drop the icon on the desktop.  Click the desktop to close
          all of the other windows.  Then drag the DOS icon to wherever you
          want it on the desktop.

               If all of this fails, it is time to try the second method.
          Go back to the desktop, and click on "Start" again.  In the list
          of options click on "Run" or "Run Program."  This will open a
          small window with a box where you can type the name of a program
          that you wish to run.  Type CMD in this box, and then press
          Enter.  This will open a DOS window.



          A.2. Sizing the DOS window


               The DOS window will often be a small window in the middle of
          the screen, probably off-center.  It is easier to work with DOS
          in full-screen mode, with no distracting windows or borders.  To
          do this, right click on the top border of the DOS window, and
          select "Properties" from the pop-up window that appears.  Use the
          various options to select full-screen mode.  This may take
          several tries before it works, so don't get frustrated if the
          next time you use DOS you get the same small window, and need to
          resize it again.

               When you do get the full screen mode, the screen is likely
          to be set to 50-line mode.  This makes the characters small and
          crudely formed.  You may be more comfortable using 25-line mode.
          To switch, you can type the command

               mode con lines=25

          This will double the size of the characters and make them easier
          to read.



          A.3. Directories


               In DOS your computer's hard disk is organized into
          directories.  All of the files on your computer are in
          directories.  These correspond to the folders in Windows.
          Directories and folders are the same thing.  A directory or a
          folder can contain files and more directories or folders, so that
          the folders or directories are nested one inside the other in a
          hierarchy.

               The top of the hierarchy is called the "root directory."
          Typically the root directory does not contain any files.  Rather,
          it contains all of the principal directories on the computer,
          such as

               \Windows
               \Program Files
               \Documents and Settings

          and so forth.  The backslash \ in front of these directory names
          shows that they are directories within the root directory.

               A directory within another directory is sometimes called a
          subdirectory.  In the example above the directory Windows would
          be a subdirectory of the root directory.



          A.4. Current directory


               Files are identified in DOS by using a path, a filename and
          a filetype.  For example,

               direc1\direc2\file1.doc

          Here the path is direc1\direc2, the filename is file1 and the
          filetype is doc.  The path consists of the sequence of nested
          directories which contain the desired file.

               If the path starts with a \ backslash, then the sequence of
          directories starts from the root directory.  If the backslash is
          omitted, then the path starts from the current directory.  For
          example, if the current directory is Windows, then the file
          identifier direc1\direc2\file1.doc would refer to the file
          \Windows\direc1\direc2\file1.doc

               By setting the current directory you can shorten the names
          of programs and files that you must type.  For example, if you
          want to use the program

              \direc1\direc2\prog1.exe

          to process the data files

              \direc1\direc2\file1.dat
          and
              \direc1\direc2\file2.dat

          you could type

              \direc1\direc2\prog1 \direc1\direc2\file1.dat \direc1\direc2\file2.dat

          If you changed the current directory to \direc1\direc2 then this
          could be shortened to

              prog1 file1.dat file2.dat

               The command to change the current directory is cd.  To change
          the current directory to \direc1\direc2 you would type

               cd \direc1\direc2\

          If you later wanted to change the current directory to
          \direc1\direc2\direc3 it is sufficient to type

               cd direc3

          since you were already in the directory \direc1\direc2.



          A.5. Working with directories


               You can make your own directories by using the Make
          Directory command.  For example, if the current directory is
          \direc1\direc2 and you wanted to make a subdirectory called
          direc3, then you could type

               md direc3

          Starting from the root directory, the new directory would be
          \direc1\direc2\direc3.

               To remove a directory, you can use the Remove Directory
          command.  For example, to remove the directory
          \direc1\direc2\direc3 you would type

               rd \direc1\direc2\direc3

          As a safety precaution, you cannot remove a directory until you
          have deleted all of the files in the directory, and removed all
          of its subdirectories.  This prevents you from accidentally
          deleting files that you meant to keep.

               To list the contents of a directory, you can use the
          Directory command.  The basic format is

               dir mydirec /options

          Here mydirec is the directory you want to list.  There are many
          possible options.  Here are a few of the most useful:

               /s    List the contents of all subdirectories
               /on   Sort the files by name
               /os   Sort the files, smallest to largest
               /o-s  Sort the files, largest to smallest
               /od   Sort the files, oldest to newest
               /o-d  Sort the files, newest to oldest
               /p    Pause after every 20 lines

          You can use several options in the same command.  For example,

               dir \direc1 /s /od /p

          would list the files in \direc1 and all of its subdirectories
          sorted from oldest to newest, and pausing after every 20 lines.

               You can also list specific files, files that have a given
          filename or filetype, or files whose filenames and filetypes
          begin with specific letters.  Here are some examples:

               dir tax.ref   Lists the file tax.ref.
               dir tax.*     Lists all files with the name tax.
               dir *.doc     Lists all files of type doc.
               dir st*.c*    Lists all files whose filename starts with st
                             and whose filetype begins with c, such as
                             startup.cfg, study.com or state.core.

          The * asterisks in these commands are called wildcards because
          they can be replaced by any set of letters.  These commands can
          tell you whether these files exist, their sizes, and the date
          they were last updated.



          A.6. Identifying files


               All of the data in your computer resides in files.  Files
          contain the operating system, all of the application programs,
          and all of the data that they use and create.  Files are
          identified to DOS by four fields, namely the drive, path,
          filename and extension.

               drive      is the device where your file is stored, usually
                          C for your hard drive, A or B for a floppy drive,
                          D or E for a CDROM drive.

               path       is the directory on your drive where the file is
                          located.

               filename   is the name that you gave your file.  The name
                          usually indicates the contents or purpose of the
                          file.

               extension  is a suffix that indicates the kind of file, such
                          as TXT for a text file, JPEG for a picture file,
                          EXE for an executable file, etc.

          A full file identifier might look like this,

               c:\mycompany\mydepartment\2005\sales.wp

               In this example, c: identifies that your file is on the C
          drive, which is your hard drive.  \mycompany\mydepartment\2005\
          is the path to your data.  It shows that the data file is located
          in the 2005 folder, which is inside the mydepartment folder, in
          the mycompany folder.  So the path consists of nested folders, or
          a list of directories.  sales.wp is the file with the data.  The
          filename is sales, and the extension is wp, which indicates that
          it is a WordPerfect document.

               In a file identifier all of the fields except the filename
          are optional.

               drive      can be omitted if the file is on the current
                          drive, that is, the drive where you are now
                          working.

               path       can be omitted if the file is on the current
                          directory of the drive.

               extension  can be omitted if the file does not have an
                          extension on its name.  For example, if the file
                          is just named oldstuff then no extension is
                          needed.

          Here are some examples of valid file identifiers:

               a:budget
                    identifies the file budget in the current directory
                    of the A drive.

               \jones\commissions
                    identifies the file commissions in the jones directory
                    on the current drive.

               late\requests.txt
                    identifies the file requests.txt in the late
                    subdirectory of the current directory.



          A.7. Long names


               Some Windows files and directories have long names, or names
          containing blanks or dots, such as

               Documents and Settings
               My Music
               Microsoft.Net
               SharedReg12.dll

          Microsoft has made the naming of files and directories
          incompatible between Windows and DOS.  DOS limits directory names
          to 8 characters, and does not allow blanks in names.

               To refer to these files and directories in DOS, you need to
          shorten the names down to 8 characters.  The short name is formed
          by taking the
          first 6 non-blank characters of the name plus the combination ~1.
          When the name of a directory contains a . dot character, each of
          the parts of the name is treated separately.  For example, for
          the directories above,

               Documents and Settings   would be called   Docume~1
               My Music                 would be called   MyMusi~1
               Microsoft.Net            would be called   Micros~1.Net
               SharedReg12.dll          would be called   Shared~1.dll

          Thus a full path and file name such as

               \Windows\Microsoft.Net\Framework\SharedReg12.dll

          in DOS would be called

               \Windows\Micros~1.Net\Framew~1\Shared~1.dll

               It is a good idea to give all of your own files and
          directories names that are compatible with DOS.  The names should
          be no more than 8 characters long and should not contain blanks.
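
               The shortening rule above, written out as an added Python
          example (it is not part of the GK-Crypt manual or software).  The
          function names and the number parameter are assumptions of this
          example, as is the handling of names with more than one dot.

```python
# Added example: the short-name rule from section A.7, applied to whole paths.

def short_name(name, number=1):
    """Return the DOS form of one file or directory name.

    `number` is the digit after the ~ (an assumption of this example: the
    manual always shows 1; Windows picks a higher digit when two long
    names in one directory would otherwise get the same short name).
    """
    if name in ("", ".", ".."):
        return name  # empty path pieces and relative markers stay as they are
    # The part after the last dot is the extension; a name with no dot
    # has none.
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    # Blanks never survive; extra dots inside the base are dropped too
    # (assumption: the manual only shows names with a single dot).
    clean_base = base.replace(" ", "").replace(".", "")
    clean_ext = ext.replace(" ", "")
    already_dos = (clean_base == base and clean_ext == ext
                   and len(base) <= 8 and len(ext) <= 3)
    if already_dos:
        return name
    short = clean_base[:6] + "~" + str(number)
    return short + "." + clean_ext[:3] if clean_ext else short


def dos_path(path):
    """Shorten every component of a backslash-separated path."""
    return "\\".join(short_name(part) for part in path.split("\\"))


if __name__ == "__main__":
    for long_name in ("Documents and Settings", "My Music",
                      "Microsoft.Net", "SharedReg12.dll", "sales.wp"):
        print(f"{long_name:24} {short_name(long_name)}")
    print(dos_path(r"\Windows\Microsoft.Net\Framework\SharedReg12.dll"))
```

               Two long names that share their first six characters receive
          different digits, so confirm which short name belongs to which
          file (dir /x in a Windows command prompt lists them) before
          encrypting or deleting a file by its short name.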



          A.8. File operations


               Besides the encryption and decryption operations that you
          perform using GK-Crypt, it can be useful to know several other
          common file operations.

               There is no DOS operation to create a file.  Files are
          created by application programs such as word processors, picture
          editors, spreadsheets, etc.  Once created, files can be copied,
          renamed and deleted.

               It is important to remember that encrypted files should not
          be renamed, and files should not be copied into or out of a group
          of encrypted files.  It is safest to decrypt files before
          renaming or copying.

               To copy a file to a new location, the command is

               copy oldfile newfile

          The old file and new file identifiers can be fully qualified,
          that is, they may have drive, path, filename and filetype (the
          extension).  So the copy command can be used to copy files to
          other directories or to other drives.

               Wildcards can be used in the copy command to copy groups of
          files.  For example, the command

               copy \oldpath\*.doc \newpath\*.*

          would copy all files of type doc from the \oldpath directory to
          the \newpath directory.

               The rename command works similarly to the copy command.  The
          form is

               ren oldfile newname

          Here oldfile can be fully qualified, with drive, path, filename
          and filetype.  However, newname can have only a new filename and
          filetype.  There cannot be a new drive or new path because the
          file does not change its location, only its name and/or type.
          For example,

               ren target\x3*.jpg x4*.*

          would rename all of the jpg files in the target directory that
          start with x3 to start with x4.

               The command to delete files takes the form

               del file

          Here, file can be a fully-qualified file identifier, with drive,
          path, filename and filetype.  It can also have wildcards so that
          you can delete several files with a single command.  For example,

               del a:old*.*

          would delete all files in the current directory of the a drive
          whose filenames start with old.

               Note that deleting a file does not erase it.  The file still
          exists on the disk, where it can be read by various utility
          programs that are available for that purpose.  The file will
          remain there until some other file eventually gets written on top
          of it.



          A.9. Batch files


               Batch files are a useful way to reduce the number and
          complexity of the DOS commands that you must type.  Each batch
          file can contain any number of DOS commands.  You execute the
          entire sequence of DOS commands just by typing the name of the
          batch file.

               Here is a simple example.  Suppose that you frequently use
          the program GK-Crypt.  If the current directory is \plans\tower
          but GK-Crypt is in the directory \programs\download, then to use
          GK-Crypt you would type

               \programs\download\gk

          To make this easier, you could create a batch file named gk.bat
          in the current directory.  This file would contain the single
          line

               \programs\download\gk

          Now when you want to execute GK-Crypt, all you need to
          type is

               gk

               You could place a copy of the batch file gk.bat in every
          directory where you usually work.  Then you could run GK-Crypt
          from anywhere just by typing gk.  You would not need to have
          multiple copies of GK-Crypt.

               There are many other DOS commands and options.  This is just
          a small sample of useful DOS commands.



© Copyright 2005-2024 Master Software Corporation
All rights reserved. No part of this manual may be reproduced in any form without the express permission of Master Software.