Quick text encryption with ImmediateCrypt

[lotuseclat79]

Quick text encryption with ImmediateCrypt.

-- Tom

[chronomatic]

Only problem with that is you have to exchange a key securely beforehand. This is the entire reason public-key schemes were invented back in the 1970's.

[LockBox]

Quote:

Originally Posted by chronomatic

Only problem with that is you have to exchange a key securely beforehand. This is the entire reason public-key schemes were invented back in the 1970's.

True. But, it's perfect for couples who are going to be away from one another and can exchange the password on the drive to the airport. It's not high security, but it opens the door to greater use of encryption. That's key. (no pun intended!)

[giacomodrago]

I'm the author of that small tool.

Actually, I agree with both of you, chronomatic and LockBox: ImmediateCrypt is a "piece of crap" (no joke) for anyone having some knowledge about PGP or S/MIME stuff. Public key schemes are a thousand times better, and there are several open-source tools which are proven to be effective and have been inspected and reviewed by many talented security experts.

ImmediateCrypt is just a small piece of code with a funny name built around a good Java cryptography API: you have a text box and a password, you click "encrypt" and you're done. The only advantage is its ease of use, and it can eventually make people curious about security/cryptography issues.

The only drawback is a false sense of security: passwords may be weak, the computers may be infected (keyloggers, etc...), the password exchange is a very tough task to do and ... the program may have bugs reducing the strength of the algorithms being employed (I never trust the programmer, including myself).

[chronomatic]

Quote:

Originally Posted by giacomodrago

I'm the author of that small tool.

Actually, I agree with both of you, chronomatic and LockBox: ImmediateCrypt is a "piece of crap" (no joke) for anyone having some knowledge about PGP or S/MIME stuff. Public key schemes are a thousand times better, and there are several open-source tools which are proven to be effective and have been inspected and reviewed by many talented security experts.

Wow, it's refreshing to see someone who authored a tool like this to admit that schemes that have been peer reviewed by professionals for 20 years are the best route to take. Most people who author crypto tools like this come on here proclaiming that their proprietary closed-source tool is better than GnuPG or Truecrypt. One poster on here even claims to have invented his own crypto algorithm which is "stronger than AES." A lot of people fall for snake oil such as this.

This is not to say your tool is bad or implemented incorrectly, but I always warn people on these forums to use well vetted and peer reviewed crypto solutions.

Quote:

ImmediateCrypt is just a small piece of code with a funny name built around a good Java cryptography API: you have a text box and a password, you click "encrypt" and you're done. The only advantage is its ease of use, and it can eventually make people curious about security/cryptography issues.

Yes, I see this as being beneficial. And I respect your candor and your reasoning behind writing such a tool.

Quote:

The only drawback is a false sense of security: passwords may be weak, the computers may be infected (keyloggers, etc...), the password exchange is a very tough task to do and ... the program may have bugs reducing the strength of the algorithms being employed (I never trust the programmer, including myself).

Yep. Even the best programmers make mistakes, and even one tiny mistake can break an entire crypto system. This is why it is best not to rely on any solution for real security unless it has been out in the open for years under close scrutiny.

Your tool does have uses and I hope it does draw more people into thinking about using crypto on a regular basis.