VisiCrypt: Strong Symmetric Encryption Spreadsheet

Discussion in 'privacy technology' started by danleonida, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    I developed a strong, symmetric encryption spreadsheet in Excel and am trying to start a dialogue about it. Call it a poorman's peer review technology. It is free and copylefted.

    It exploits the fact that spreadsheets allow up to 32K characters in a cell. The advantage of doing it in a spreadsheet -- was successfully tested in MS Excel and OpenOffice -- is that it can be used from just about any public PC on the continent.

    It is not intended to encrypt files. It is primarily meant for email encryption.

    Here she comes...

    2012.08.24…VisiCrypt 1.1.xls
    This is the main xls file.

    2012.08.24…VisiCrypt 1.1.csv
    Same as above only in csv format. The intent is that users could use the xls file as a model and reconstruct the xls file privately and offline. During the development process I got infected on several occasions and that’s how I made sure the users of VisiCrypt would not have to go through all that suffering.

    2012.08.22...VisiVirus - 2.3 meg empty file.xls (download pwd="infected")
    2012.08.22...VisiVirus - Selection too large.xls (download pwd="infected")
    Above two links are to some of the viruses I mentioned above. The first is a 2.3 meg EMPTY xls file which resisted all my efforts of garbage collection. If anyone can decompile it… I’m very curios as to what the hell is in there!!

    The second VisiVirus link is to a locked xls which does not allow the user to expand the software. This “feature” vanishes if one recreates the VisiCrypt.xls from the dot-csv version.

    2012.08.26...VisiKey 1.2.xls
    Last one generates random keys by XOR’ind Excel RAND() with some graphics file to mask the PSEODOrandom attribute of the RAND() function. This allows two parties that want their privacy to generate a large number of long and disposable keys that CANNOT be guessed by ‘people’ with insider knowledge of the operation of RAND() function.

    Hope that’s enough of a dialogue starter. Have fun and…

    Please do disturb!
    Not disturbed enough yet.

    danleonida-at-yahoo-dot-com
     
    Last edited: Aug 29, 2012
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ danleonida

    Hi, what makes you think those files are infected ?

    I uploaded them to here

    2.3 meg empty file.xls - *

    selection too large.xls -

    Nothing found by ALL those AV's !

    I converted them to .TXT & discovered LOTS of "interesting comments in them :D for eg

    What's all that about ?

    I can't help with the Encryption though, over my head ;) All the best with it though.
     
    Last edited by a moderator: Aug 28, 2012
  3. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    The fact that one oof them is just an empty xls and saves in 2.3 megs. I’m an ol’ timer in Excel and never saw a file I could not clean up. What’s in the 2.3 megs?

    *

    Those are commercial virus scans. The viruses I contracted were custom made for my enjoyment by someone with a stake against strong encryption for emails.

    The ‘selection too large’ xls prevents one from pasting a simple Excel line more than 3-400 times. The ability to paste once for every character you want to encrypt is essential to the VisiCrypt end-user.

    That’s just sample text included in the file so that users can ‘play’ with it! Try it! You may be surprised.

    You seem to be selling yourself short! Are you familiar with the basic operation of a spreadsheet? That’s all it takes! One of the reasons I’m trying to start a dialogue is to see just what kind of difficulties people have in using it!

    Be good and do disturb!
    Not disturbed enough.

    danleonida-at-yahoo-dot-com
     
    Last edited by a moderator: Aug 28, 2012
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    You didn't explain that originally ! So how did you get Uninfected ?

    I would suggest you post both those files here http://www.kernelmode.info/forum/viewforum.php?f=16&sid=2d3ce9368eda38b62dbe19c661d4d3d8 FULLY explaining the situation. You won't find much better skills most place else to analyise them. If there is "something" dodgy in them, they "should" discover it ;)

    I see
     
  5. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada


    I wrote equations which extracted only MY equations and place them in a new tab in dot-csv format. Dot-csv, if you don't already know, is WYSIWYG text and has no 'room' to place a virus. I used this file to totally recreate by cut&paste the original file in a brand new Excel workbook.

    It worked like a charm and I'm advocating the very same technique to anybody having a need for max level of security. The operation only takes from to two hours, depending of one's level of cut/paste expertise in Excel. BTW, Excel macros can be distributed in the same way, too!

    About the URL to the site able to find the virus. Thx! I'll try it. I think what I need is more like Microsoft expertise to decompile/analyze the files. I'm quite sure there are hidden macros in there which run even if macros are disabled.
     
  6. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    Hi CloneRanger,

    I did and here's the link.

    About...
    Cryptography ranges from second grade all the way to way post doctoral complexity level. Let me give you an example of unbreakable second grade level encryption.

    1 – Write ALL characters [including non printable] you want to encrypt in a row.
    2 – Tape the row in a loop and make another identical loop for the person receiving the cryptogram.
    3 – The key is numeric and decimal.
    4 – Place the key under the plaintext, one digit below each character. Repeat key as needed.
    5 – To encrypt, advance the the loop at [2] clockwise the number of places in the key digit below. To decrypt do the same, only counterclockwise.

    Now… If the key is, say, 13 then breaking the cipher by brute force [trying ALL possibilities] is no problem. But what if the key is 100 digits long?! There are one google possibilities!!

    That’s the ‘secret’ of VisiCrypt! It allows key of up to 2^15 characters! The encryption algorithm is a no-brainer! Just the bit-by-bit exclusive-or of the characters with the key. VisiKey [find link in opening post] allows for easy, untraceable creation of thousands of random [as opposed to pseudo random] keys so that each one of them can only be used once. BTW, if you don’t know what “excliusive-or’ing” is, I placed a simple demo of it in VisiKey.

    Symantec, I hear, purchased PGP sometime in 2010 and is no longer available for free. They charge about $100 per year just for the license!

    I’m unaware of any other free&strong encryption for emails anywhere! VisiCrypt has the added advantage of its software being visible at all times and quite uninfectable if distributed as a text file.

    That is why I want to start a public dialogue on the subject. Will you give it a try?!
     
    Last edited: Aug 29, 2012
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Be interesting to see what happens. At least one of the members on there works for MS in AntiMalware etc & is highly regarded.

    I don't have Excel or anything similar, as i have no need for it, so i won't be able to assist !
     
  8. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    So far, nothing happened! Some views but no replies, or any signs of curiosity!

    Do you happen to know the UID of the MS AntiMalware guy? I might be able to find him in another thread and ask him. However… I have my doubts he’ll be able/willing to embarrass his employer publically. Excel is notorious for its MISERABLE security! It’s worth a try, though!

    VisiCrypt works just fine in OpenOffice Calc. You will not be able to easily reconstruct the spreadsheet from the published dot-csv file. I can provide a dot-csv for OpenOffice Calc if there is a demand.

    Just in case you are curious, here’s OpenOffice 3.2.0 download.
     
    Last edited: Aug 29, 2012
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, OpenOffice requires Java which i don't have or want :p I'll PM you the username ;)
     
  10. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    CloneRanger,

    I added download pwd to the virus files on my server. for the record, however, I've never experienced any effects of these viruses on the PC! Only on the running encryption Excel!

    But you had a good point!

    BTW, Do you know why the mod - I assume - removed the links to the virscan reports?!
     
  11. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    danleonida, as a new member, perhaps you are not aware of our Policy Regarding the Posting of Jotti/Virus Total Results.
     
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Moved here from: US government developing ultimate cyber weapon

    Congratulations, you have reinvented the one-time-pad, though a weak easily breakable version.

    As Bruce Schneier says:

    "Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break".
     
  13. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    Thank you! Now I know what is called. I'm NOT a cryptographer; I'm a retired h/w designer, which is the area of my inventions.

    I knew the technique was uncrackable, only I read about that in an article whaich called OTP the First Axiom of Cryptography.

    Here's is what the textbook of all textbooks has to say about OTP.

    That's interesting, very interesting!

    How can an encryption algorithm be categorized by someone as both OTP and 'weak'??!! That's an oxymoron!

    In the first part of the last quote you make a very strong statement: "weak easily breakable".

    How in the world can I defend myself in a way other then issuing a challenge to you?! I don't want to do that except by request only.

    Have you even looked at it or read the rest of the thread?
     
    Last edited: Sep 6, 2012
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Sounds a lot like the "wheel cipher" system Thomas Jefferson invented in the 18th century. The system Jefferson used had 2^138 complexity but is still *easily* breakable today. Read the cryptanalysis section at the Wikipedia article to see why. http://en.wikipedia.org/wiki/Jefferson_disk

    What you have done is reinvent the stream cipher, although a simplified and easily breakable one.



    How are you getting truly random numbers on a computer? Or are you rolling dice? And why would anyone want to use a cipher where one has to remember a different key for each message? Moreover, how do you propose for key exchange to happen? Via carrier pigeon?

    So? Gnupg is free and open-source and is fully PGP compatible. Don't trust it? Then read the source code and find the errors yourself and let the rest of us know about them.

    Gnupg.

    Basically you are committing the cardinal sin of cryptography -- inventing your own home brew cipher without proper peer review. Run this idea by the guys on sci.crypt and see what they say. :-*
     
  15. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    That's a highly unusual and long reply! I only have the time right now to comment on your last statement because the comment I have in mind is soo...oo short, sweet and simple.

    About "peer review"...

    What the h... do you think I'm doind here?

    About "inventing my own cypher"...

    THE ALGORITHM IS HARDLY MORE THAN JUST AN XOR WHICH I DID NOT INVENT!!

    I did however invent other useful things which 'created the need' for VisiCrypt in the first place!

    About sci.crypt ...

    I'll pay them a visit right after this board. I still want to read your reply in the Zimmermann thread.

    Got to go...
     
  16. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada


    Not “*easily* breakable today” by a second grader!! That was just AN EXAMPLE!

    Edit: I checked the wikilink you gave and the two cyphers are not even close! The one in my example has two 'disks': one for the sender; one for the receiver!

    Oh dear!

    You didn't read the post?! Now, did you!

    Edit: One thing I forgot to mention in the original post is that the thousands of keys are generated in a face-to-face meeting of Alice/Bob and put on a memstick. The stick stays around their necks 24/7 and, if lost in an attack, they just get together again to generate a new memstick. There NOTHING lost if the keys are only used once. Caching of cryptograms will not work.

    ...or use VisiCrypt.xls which their accountant can verify!!! ...and, of course, they can let YOU know what they found!!!!

    Let's get serious around here, shall we?!

    Your prose comes across as that of a caffeine-deprived, bored academic that's very, very good at name-dropping! Not a good candidate for a peer review! Don't you agree?

    How about it?!

    Would you – or anyone else for that matter – enjoy a challenge??!

    Edit: And what about all them viruses coming my way while talking/developing VisiCrypt/VisiKey and am talking [to myself] about on another forum?
    The link is on this forum #6, top!
     
    Last edited: Sep 6, 2012
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Well then you have reinvented the One-Time-Pad. A OTP is essentially a stream cipher where the keys are only used once, which sounds an awful lot like what you've done here. I'm still trying to figure out what the spreadsheet is for.

    There are numerous problems with OTP's. For one, each bit of data must be encrypted with one bit of truly random key. This means the keys will be extremely large, especially when talking about moving lots of data. For instance, if I wanted to encrypt my 2 TB hard drive with a OTP, I would have to keep a second hard drive sitting here with 2 TB's of key on it. So it makes it worthless. If an adversary gets the "key" hard drive, he gets all the data. Protecting the key is a major problem with OTP's.

    Second, the key can never be reused. Even part of the key cannot be reused. During the Cold War the U.S. cracked some Soviet OTP's because the Soviet's got lazy and reused their pads.

    And third, key exchange is a *major* hassle. As you said, you have to meet in person to exchange pads. This simply isn't practical for 90% of the people on the Internet wanting to exchange e-mails with someone thousands of miles away.

    This is *exactly* why Whit Diffie and Martin Hellman discovered public-key cryptography (along with people at GCHQ). It allows you to securely exchange keys over an insecure medium. It was the biggest breakthrough in cryptography in centuries and is available to everyone on the Internet for free. I see no reason to reinvent OTP's when we have better and much more practical options.




    .
     
  18. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada


    Will you, please, stop using the word ‘invention’ and its derivatives? I am an inventor and quite sensitive about the misuse of the word et al! Thank you!

    The encryption algorithm is just an XOR function which I DID NOT invent. It is a stupid, naturally occurring logic equation: A xor B = A not B or B not A!! Nothing else! The spreadsheet approach is another story though I still think it is not (although it may be!) an ‘invention’.

    Do you use them, or have some experience in the area?

    They are INTRINSICALLY OPEN!

    1 - You click on a value – any value – and see the expression that generated it.

    2 – Excel/OpenOffice allows for up to 2^15 characters per cell. THE KEY CAN BE THIS LONG!!

    3 – They can be distributed (this MAY be an invention, but I don’t care!) as a dot-csv file. If you don’t already know… It stands for comma-separated-values and it is just a text file. It can include chksums, CRCs, etc and cannot be bugged ‘in transit’. The distributor of such s/w can be his/her own ‘authenticator’!

    4 – It is part of various Office s/w suits and, therefore, run from public computers (e.g. libraries) that may not provide users with execute privileges.

    Encryption and spreadsheets are a match made in Haven, for my money!


    You seem to know more about encryption/general security! Can you see any ‘hole’ in my rationale?! That’s what peer-reviews all about!




    We almost agree! ‘Truly random’ only as far as Eve is concerned!

    Specifically, I’m currently considering another spreadsheet – VisiKey – which XORs a ‘truly’ randomly chosen graphics file with locally generated pseudorandom numbers to generate thousands of truly random keys stored on two identical memsticks in a Alice/Bob face-to-face meeting. These keys are used ONCE, zeroed out and saved again, hopefully, to avoid their presence on disk blocks labeled ‘available’.

    Goes without saying that the PC doing it is NOT online, never was and never will be for max. security. Also the ‘truly’ randomly chosen graphics file (or random portions thereof) is never stored or talked about outside the Alice/Bob face-to-face meeting.



    Sorry my friend! VisiCrypt is meant to EMAIL!!

    I’m afraid your 2 TB hard drive will have to be done by hand!!! Sorry! :argh:



    Yes and no! For max. security ‘yes’!

    For not-so-max security, one can send a first key by regular mail or imbedded in a graphics file (spreadsheet for that in progress!) and subsequent keys imbedded in the current cryptogram. Well… No such thing as a free lunch!



    Don’t you think I know that?! Really…!?

    VisiCrypt Short History

    Developed it in 2006.
    Submitted for review (I literarily gave them a floppy) to the Local National Insecurity Industrialists.:)
    Review No.1: “We didn’t think you were going to make this far! You should suggest in the VisiCrypt documentation that users could use PGP to exchange keyphrases”.
    Review No.2: “We don’t mind if you are using it but, please, (they actually said “please”!) do not distribute it!”

    Chronomatic, Assuming that you don’t think that I’m lying to you, are you still convinced that RSA is “free” on the Internet?! Do you still “see no reason to reinvent OTP's”?!

    Edit: Given the number/nature of the viruses I contracted, I would say that somebody out there sees a reason to reinvent OTP. I placed the viruses on kernelmode forum in an effort to find pros to look at them. No luck! All quiet!

    Yesterday I PM'ed a guy described as knowledgeble in malware and invited him to join my thread!

    Today...The site has been down for several hours. I just don't know if that's normal, a coincidence, or what... Here's the link if anybody wants to try it!
     
    Last edited: Sep 7, 2012
  19. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    No one. You can't trust hardware like that unless it is fully open and can be analyzed.
     
  21. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    I have been trying to follow this thread but really can't figure out what it is about.
    I think the OP is trying to make One Time Pad encryption simple to use via a spreadsheet. The purpose of this is to generate encrypted messages that can be attached to email.
    Question: What is the threat model this is intended to address?
    Really, if you don't define the threat you are trying to protect against, you end up in hopeless arguments about hypothetical attacks.

    Don't know what to say about the virus thread that is embedded in the main thread. It's really hard to analyze virus code that is generated by alien technology from Area 51.
     
  22. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    The ol' saying holds true in cryptography more than anywhere else: If you want it done right, do it yourself!

    I miss my old parallel printer port which MS "strongly discourages" system makers from providing. It was memory mapped, fast, required no installation or drivers and just perfect for apps like the milsCard!

    http://en.wikipedia.org/wiki/Parallel_port
     
  23. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada
    You got it! It doesn't have to be attached; it could be included.

    Also virtually unbreakable by virtue of the very long keys. Keys generated face-to-face and stored on USB. Consist of XOR of pseudoRAND numbers generated by spreadsheet with truly randomly chosen txt, png, bin file selected during the preliminary Alice/Bob meeting and NEVER stored.

    Immune [?] to MITM attacks by virtue of its text file distribution. Chksum, CRC, etc in the works. I still want some opinions from people more knowledgeable than me on the subject of keygen!

    o_O!!! I'll publish some shots of the 'aliens' in action! Not all viruses are 'photogenic' enough for screenshots! I'm not at 'home' just now, so I got to go...
     
  24. danleonida

    danleonida Registered Member

    Joined:
    Aug 27, 2012
    Posts:
    30
    Location:
    Vancouver, B.C., Canada


    Back to 'homebase' and took the pictures I promised you!

    Infected Excel: 2012.08.22...VisiVirus - Selection too large.xls
    Virus screenshot:2012.09.10...VisiVirus - Selection too large - Screenshot.PNG

    There is a download password for the Excel file: "infected"

    Edit.2: Sorry! I forgot!

    THE FILE IS INFECTED BUT I HAVE NEVER KNOWN THE INFECTION TO AFFECT THE COMPUTER! JUST THE SPREADSHEET! The file is also locked so it cannot be used for encryption. Only for the alien virus demo![/edit.2]

    The screenshot shows what happens if one wants to copy the full row 37 and paste it down about 500, or so, rows. The message "Selection too large" IS NOT FROM EXCEL!!! IT IS FROM THE VIRUS!!!

    The top of the screen contain my whereabouts courtesy of WhatIsMyIP.com

    PROOF:

    If one reconstructs the Excel file from the dot-csv I provide: 2012.08.24…VisiCrypt 1.1.csv

    ...one gets a perfectly operational VisiCrypt like this: 2012.08.24…VisiCrypt 1.1.xls

    ...which allows a user to paste line 37 as many times as needed (once for every character in the plaintext/cryptogram.


    CONCLUSION:

    Since someone went through the trouble of creating a virus with "my name on it", it follows that VisiCrypt is a threat to him/her if made public.


    SO,...

    Let's not just make it public, let's make it public AND as perfect as we can!

    Is anybody game in this mildly risky venture?!


    Edit.1: All together I contracted 3 viruses while developing VisiCrypt. Someone on this board sent me here where, he said, the MS malware people 'hang out'.

    I sent a PM last Thursday. Since last Friday the site was only up for long enough to see that the PM was answered, one out of three viruses were looked at and the conclusion was 'not malware'.

    Really?![/edit.1]
     
    Last edited: Sep 10, 2012
Loading...
Thread Status:
Not open for further replies.