The Vault - File Encryption

Discussion in 'privacy technology' started by softtouch, Jun 4, 2009.

Thread Status:
Not open for further replies.
  1. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Re: The Vault - Hide your Files

    First of all, his thinking that releasing the source code would open his program to attack shows his complete ignorance with cryptography.

    I wasn't "comparing" their program and TrueCrypt. The developer said he had never heard of TrueCrypt. RED FLAG. What if a developer of a new image viewing program had never heard of Irfanview or Faststone Image Viewer? What if the developer of a new word processing program had never heard of Word? What if someone developing a new operating system claimed to have never heard of Windows or OS X? In the world of cryptography, TrueCrypt is that big. That's why it matters. Credibility.

    Implementation of cryptography can be tricky and is the #1 security problem with so-called "encryption" products. Most are not implemented correctly. I just gave you a perfect example with a cursory look at a "vault" revealing the names of the files. And yes, it does matter. The guy said this thing is "encryption and hiding" software, yet his program leaks the names of the files INSIDE his "encrypted vault."

    Where is the demand for high standards? This isn't a place for a kitchen table hobbyist programmer to be posting his software (that he claims to have begun working on just "days ago") and have people thinking this is good cryptography.
     
  2. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    The Vault 1.1.0.1 released.

    Changes:
    - Some more bugs fixed related to success messages
    - Filenames in the vault are encrypted too

    NOTE: Because of using encryption for the file names, previous vaults are not compatible with 1.1.0.1!


    I am sure not a "kitchen table hobbyist programmer". IF you would take the time to check the biography on my website, you would know that I have been programming for a long, long time...

    And when I said that the vault is this and this days old only, you should believe me, I know what I am talking about and sure not making up stories here!

    I am spending my little free time with it, to give the community something which cost MY money and MY time, consider this too.

    Anyway, if you don't like it, just ignore it, or open your own hate-thread for it.

    There are some great people here, like n8chavez and HAN, who support the idea, and THIS is what produce High standard products.

    Btw, The Vault is now exact 7 days old since the first line of code was written.
     
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    I think that what is not so eloquently being proposed is that you offer proof that the data that is being encrypted is actually and correctly being encrypted. You have provided the hex reader, which I thank you for. I do not believe this to be an "attack" on you, or your software, just a plea for proof on correct implementation.

    There is no place for personal attack here, and there never has been. I don't believe that was/is the intention here.
     
  4. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Re: The Vault - Hide your Files

    Very well said!

    Seriously bro, there's too many wannabe encryption software out there, I think I will stick with the ones I trust, and ignore the rest, why use something with no credibility, when there's plenty with credibility!

    The rest is obsolete and becomes useless overkill!
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Re: The Vault - Hide your Files

    "hate thread"? :ninja: No, you are definitely missing the point. How can you not have heard of Truecrypt? Everyone in the industry knows about them. Good, bad or indifferent as for opinions about them, everyone knows who/what they are. It just seems impossible to me, too, as it does to Gerard Morentzy. ~ snip mistaken comment~.

    Source code secrecy is ALSO not needed if you are using good encryption code. Take some time to read an industry expert's postings on such things. See them under this member name Justin Troutman here, and his other published works.
     
    Last edited: Jun 10, 2009
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    I always reserve the right to know more today than I did yesterday. I try to allow the same opportunity for others as well. If you always use older, more established, software then I assume you never try anything new, right? If that is true then how will you ever know if what is out there might possibly be better than what you are using? Every product had to have started somewhere, and had to have had users take a chance on it.

    While I agree there is no need for secrecy here, there is also no need to act this way towards someone who is obviously trying to help fill a perceived need.

    Having options is a good thing. If anyone believes they can do a better job then, by all means, do so. I for one am not skilled enough, so I will throw no stones.

    Allow for progress, and the growing pains that come with it.
     
    Last edited: Jun 9, 2009
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    First, I apologize to Gerard Morentzy in case my reply was rude, that was not my intention!

    About truecrypt, I seriously did not have information about it. And I don't care if it is "the standard" for most people or not. That truecrypt exists does not mean that no other program has the right to be developed.

    I am most of the time working on professional software for clients, and do not have the time to browse all day long and download/test software, that might have been a reason why I did not know about truecrypt.

    I just got the idea about a week ago to write something which would allow me to store and prevent access to some important files, and so The Vault was born. I thought that maybe somebody else would be interested in it, and so I posted it.

    The Vault is freeware, not openware, nor public domain.
    One reason is that I have purchased many commercial components of which some are used in The Vault, and I just cannot publish the source of them, I would violate the copyright of the developer of such components. Please accept this.
     
  8. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    If we could please get back to talking about The Vault development I'd appreciate it, as the previous conversations were going nowhere.

    I would like to see The Vault be able to handle entire directories. It makes organization a lot easier.

    I'd change the name of Rijndael to its better known name AES (256?)

    I'd still like more information on the Erasing method used

    Possibly provide more information as to the encryption algorithms being used; adding the strength, or listing them in descending order by strength.

    Could anyone verify that the auto-close option works as intended. For me, using version 1.1.0.1, it does not seem to close.
     
    Last edited: Jun 10, 2009
  9. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    Important:

    V1.1.0.1 had a little bug! The new version is V1.1.0.2.

    But, the V1.1.0.2 is NOT compatible to any prior version.
    To use this new version, you have to:
    - Extract your files from your vault(s)
    - Delete the Vault Base folder
    - Delete the thevault.ini (VERY important)
    - Copy the new version into your vault folder (or just use another folder)
    - Start it, create a vault, import your extracted file back.

    I had to change something related to the filename encryption, which rendered it incompatible to prior versions. But that's why we are testing it, right?

    Until it is stable, you should NEVER delete your original data during the testing/development period!

    Do you mean, having folders in the vault or do you mean drag/drop/add the content of selected folders?

    Should be one of the best encryption in my opinion.

    I mentioned that, at the moment, files will be completely overwritten before they will be deleted. When I tried using recovery software, it only could recover the overwritten file (filled with 0's), but never the original file.

    This is hard to tell. A better way would be to just google it. There are so many discussions which is stronger etc.

    My personal preference would be:
    1. Rijndael (new AES)
    2. Blowfish
    3. Twofish

    Autolock only works when you have entered a password. It does not make sense to lock it when no password is given.
     
    Last edited: Jun 10, 2009
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    I mean the ability to "store" entire directories within the vault.


    Right. I saw that. Do you think we could get a confirmation message describing what was deleted. That would be beneficial to the overly-security aware here.

    I just thought of some possible confusion. What do you mean by auto-lock; an individual opened vault, or the program itself. Both of which can be protected with a password. When I suggested the feature I was referring to each individual vault, not the program in general.

    And what about the ability to generate and use keyfiles?
     
    Last edited: Jun 10, 2009
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files


    In a while...
     
  12. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    Thanks

    :argh: :argh:
     
  13. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    The list of deleted and files which could not be deleted are now displayed.

    About the keyfiles, what kind of keyfiles shall be generated?

    Directories inside the vault would require rewriting lot of code, maybe changing the listview for a treeview etc...
     
  14. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    Thanks.
    Having a proper opinion on that would require more knowledge on the subject than I currently have, at least if you want that feature to be implemented properly.

    What about having both views, letting the user decide which one they prefer by a button?
     
  15. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    I guess, to change all functions to manage folders and subfolder would require so much time, that I believe it will be better to create a new "The Vault", which will not have a single vlt file, but will have the encrypted files stored in folders.
    This also allows the user to see the encrypted files. Anyway, folder names and file names will be encrypted too.

    Reason for this:
    - Much faster file handling with very large files
    - Easy to transfer files from one vault to another vault
    - User see his files, so nothing suspicious about it anymore
    - Treeview interface with folders and subfolders
    - Drag 'n Drop between folders
     
  16. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Re: The Vault - Hide your Files


    You might be a very experienced programmer, but it sounds like you have no experience in security and encryption. And considering that you are trying to develop a security tool that uses encryption, this rings a loud bell. Security is not intuitive and is not trivial, and needs to be considered from the first day of life of a tool/project/anything.

    Please, do not contribute to put on the market a new flawed (under a security point of view) product... we have loads of them already and they create a dangerous fake sense of security. Please, spend some time and effort into learning about security and encryption before continuing on this project. Many users of the forum can help you with this, and I am sure they will.
     
  17. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Re: The Vault - Hide your Files

    Softtouch, can you kindly explain what you mean by “internal keys”?

    Thanks.
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    I am ashamed of the entire Wilders community right now. There is no need for this ridiculous behavior. The point has already been made that some of you feel The Vault might be improperly implemented in its cryptography. That point has been made and heard. Now move on. Nothing new or good is going to come from bringing it up again and again. I do not have the knowledge to know if these concerns are warranted. But I chose to give the program and the programmer the benefit of the doubt until proven otherwise, which is something no one here has done yet.

    This thread has at least tried to move on from these negative mentalities but there are those that simply will not drop this. Using words like "please" in your posts, as polite as they may be, still does not subtract the intention of the post, to bully the author of a program.

    If there are errors in the cryptography implementation then share those specific examples and reasons. That is helpful, and I'm sure would be very much appreciated. Otherwise, there is no point to being negative here as it will serve no purpose.

    It is my prerogative to give the benefit of the doubt to whoever I wish, just as it is that of everyone else to do the opposite if they so wish. Posting as such and continuously picking at someone's character is unwarranted and just plain mean. This might end up being a very useful and handy tool, as are others that might not even be in the concept stage yet from this or any other author, but if you do not support them and choose to constantly belittle them then how will we ever know.
     
    Last edited: Jun 10, 2009
  19. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    Thanks n8chavez.

    I guess, if my name would be Bill Gates, people would start supporting me...

    Anyway, back on topic.
    I am doing at the moment the new version, which has a treeview.
    Encryption is identical, filenames are encrypted too.
    I reduced the cipher and hashes to 4 each.
    It will use just blowfish, twofish, serpent and aes as the cipher, and md5, sha 256, sha384 and sha512 as hashes.
    Encryption of every vault is different, based on the key the user enters. This key in combination with a program generated key is used for the encryption.
    Every time a file will be encrypted, the salt is generated randomly.

    Additional functions will be to create folder, remove folder, delete multiple folder and files at once (treeview is multiselect).

    Before it starts all over again here, I DO NOT claim that the program is 100% secure at this stage of development. Tests will reveal bugs, which will be fixed. Over time, it will be more and more stable.

    More tomorrow... it is past midnight here.
     
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Re: The Vault - Hide your Files


    No, he doesn't. He seems to think that closed-source encryption software is safer than POS software like Truecrypt or dm-crypt/LUKS! :)

    You know, open-source encryption software exposes all of the "internal keys" which is a no-no. :rolleyes:
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Re: The Vault - Hide your Files

    I think a huge majority of Wilders members would be ashamed if some of us did not speak up. You seem to be arguing not to bring up anything negative about something with glaring problems. Do you really believe that showing how your data's file names are exposed in an "encrypted" state INSIDE a "vault" is "ridiculous behavior?" In the rest of your post you seem to be arguing for some kind of security design-by-committee on a public forum and to advise the developer on the basics of security and encryption so as to be "helpful." I think the best advice he could follow would be Markoman's where he suggests the developer spend some time learning about encryption before proceeding so as to not put insecure software into the marketplace.

    Softtouch, you said if your name was Bill Gates maybe more people would be supporting you. With all due respect (and I do appreciate your enthusiasm), Bill Gates would have extensive knowledge of his product, competitors, and would not be hashing out his software on a public forum. You yourself said this project is not even a week old and you're here providing download links. This isn't personal. It's not about being "against" you, it's about common sense and good practices.

    Again, to be ashamed of responsible members calling attention to problems just doesn't make sense. I'm certainly not trying to be combative, I, and others, are calling attention to problems that can't be swept away with angry calls for the responsible voices to pipe down and go away. The anger and combative tone seems to be coming from the poster quoted above who seems angry that anything about this is being questioned and posting should only include tutoring of the developer. That's what is not responsible.
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Re: The Vault - Hide your Files

    I agree with you, to an extent. If there are problems with this or any software they should be mentioned so that the author can see them and make the required changes. But simply shouting "blah, blah, blah!" without any specifics is not going to help anyone. Softtouch now knows of the concerns, so it does nothing good to keep pointing out the same thing without any definitive specifics; what could be accomplished that way anyway? You were very helpful, at least to me, in mentioning your issue with the filenames being exposed in notepad. That was a true concern. And, if I remember correctly, that issue was promptly dealt with. If you could break the encryption or point out more errors like this then please say so. That is the point of this thread, pointless attacks are not.

    I agree with that, at least in part. But remember, this is a freeware project. As such I think that the non-cryptography standards should be relaxed; Softtouch is not Bill Gates. That is where your argument is flawed

    Again, I have no issue with "responsible" members that are indeed trying to be helpful, everyone benefits that way. But if there is nothing definitively helpful in a post, if it is a personal attack, there is no place for that here.

    Speak up, but be helpful at the same time.
     
    Last edited: Jun 10, 2009
  23. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Re: The Vault - Hide your Files

    The fact that softtouch has accomplished this much so far with the project in ONLY 7 days, is to be applauded. Not forgetting that he is also working on other Apps too. Plus this is all done in his spare time.

    Apart from the time involved, bandwidth etc costs $.

    A number of people have raised genuine concerns, and there have been several decent suggestions, this is all good.

    But keeping it civil is the best way forward for everyone I believe.

    Thanx
     
  24. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Re: The Vault - Hide your Files

    My try to be helpful was in advising the developer to get some experience on security and cryptography before implementing such a product. Starting to develop a "security product" and THEN learning about security is not the correct way: Security needs to be planned since the beginning, together with the features a software will have.

    If you have time, take some time to read Schneier's Blog... you can read the archives and the users' comments. The community of that blog is extremely skilled, and they will help you to create a security mindset, which is essential for a project like yours.
     
  25. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Re: The Vault - Hide your Files

    Thanks for your comment, but the cryptography is absolutely fine. What people complained about was that the filename itself was visible, but that had nothing to do with the file itself, there was no flaw related to the file encryption.

    I am currently changing the gui and the way files are stored.

    Misleading was maybe the title of the thread, "The Vault - Hide your Files"... But I CANNOT change the title, not even the first post in this thread.
    It should be "The Vault - File Encryption" or similar...
    Maybe an admin can change this please!

    Because it will encrypt files, but not hide them, the upcoming version will not try to hide anything, but just encrypt the files and filenames.


    Filenames will look similar to this:
    4834454D684E7968774A64556C34685A4B4C7A6E2F2B633D

    The name is encrypted with blowfish and sha512, and converted to characters which are allowed as a filename under Windows.

    The salt for the encryption is generated randomly every time a file or filename will be encrypted.

    The key is generated from a user provided key/password in combination with a key generated by the program.

    Is there anything unsafe with this? If so, please let me know.
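
Added example, not part of the thread and not The Vault's own code: the Python below undoes only the text encodings around the file name quoted in the post above (no key or cipher is involved) and reports what the stored name itself shows, then works out how large a blob this encoding can carry within the 255-character NTFS name limit. `peel_name` and `max_blob_bytes` are names made up for this example.

```python
import base64
import binascii

# The on-disk name quoted in the post above (the only value taken from the page).
SAMPLE_NAME = "4834454D684E7968774A64556C34685A4B4C7A6E2F2B633D"

BLOWFISH_BLOCK = 8          # Blowfish block size in bytes
WINDOWS_NAME_LIMIT = 255    # max characters in one NTFS path component


def peel_name(hex_name: str) -> dict:
    """Undo the text encodings around a stored name. No decryption happens."""
    try:
        inner = bytes.fromhex(hex_name)
    except ValueError as exc:
        raise ValueError("name is not hex") from exc
    try:
        text = inner.decode("ascii")
        # validate=True rejects characters outside the Base64 alphabet
        blob = base64.b64decode(text, validate=True)
    except (UnicodeDecodeError, binascii.Error) as exc:
        raise ValueError("hex layer does not wrap Base64 text") from exc
    if not blob:
        raise ValueError("empty blob")
    return {
        # Base64 may contain '/', which Windows forbids in file names,
        # which would explain the extra hex layer on top of it.
        "base64_text": text,
        "blob_len": len(blob),
        # Whether the blob is a whole number of Blowfish blocks. The post
        # does not state the cipher mode or whether the salt is stored in
        # the name, so this is an observation, not a diagnosis.
        "block_aligned": len(blob) % BLOWFISH_BLOCK == 0,
        # Characters of file name spent per byte of blob.
        "expansion": len(hex_name) / len(blob),
    }


def max_blob_bytes(limit: int = WINDOWS_NAME_LIMIT) -> int:
    """Largest blob whose hex(Base64(blob)) name still fits in `limit` chars.

    Every 3 blob bytes become 4 Base64 characters and then 8 hex digits.
    """
    return (limit // 8) * 3


if __name__ == "__main__":
    info = peel_name(SAMPLE_NAME)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("max blob bytes in one name:", max_blob_bytes())
```
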
     