ATBASH2.TXT -- DOCUMENTATION FOR ATBASH2.EXE WHAT IS THIS? ATBASH2 is a simple, efficient file encryption program that can also be used to convert any binary file to a format that can be transmitted by Morse Code or other similar techniques. Features: + Can encrypt any text or binary file (without loss of data). + Ciphertext can be transmitted through various archaic channels, such as Morse Code or reading letters and numbers over a telephone. + Very small executable fits on a floppy disk with lots of room left over. + Very fast encryption, especially considering the strong security provided. + Encryption that is very difficult to break, even for professional cryptanalysts. + There are no intentional "back doors" or "weak links" to enable some criminal to pilfer your private files. + Can be used without encryption just to convert to an ASCII format and back (for uses where encryption is not allowed, like ham radio). + Uses the Sapphire Stream Cipher for excellent security with good speed. + Ciphertext can be transmitted via email. + Simple key management (memorized pass phrase). + Adds no "known plain text" or other aids to brute force cracking operations. Limitations: - Cipher text is always longer than the plain text file (about double the size, for most files). (Cipher text can be compressed to about half size with a good compression utility, if binary storage or transmission will be used). - If you forget your pass phrase, your data is lost. I can't get it back for you. - There is no provision for law enforcement access to encrypted files, since any such scheme could be perverted by criminals (including some very expensive ideas being promoted by certain government agencies), and most people who would use this are basically honest, anyway. - Does not overwrite and delete the plain text after encryption. You need a separate utility to do that, like my DELETE in (DEL105.ZIP or a later version) or Norton's WIPEINFO. - Only gives two options for entering the pass phrase (interactive prompt and on the command line). - The Sapphire II Stream Cipher is new, and although it looks good so far, it has not been reviewed extensively by others, and might possibly have a weakness in it somewhere. - Does not automatically detect wrong pass phrases (produces garbage file, instead). - Does not compress files before encryption. Use a separate utility (like ARJ, ZIP, LHA, or PKZIP before encryption to do that). - Does nothing to randomize cipher text initialization vectors or session keys, so identical files encrypted with an identical pass phrase will produce identical output files. - Does not pad the cipher text, so that the length of the plain text can be computed from the length of the cipher text. QUICK START Syntax: ATBASH2 [/d] inname outname [pass phrase] /d means decrypt, default is encrypt. inname is the name of the file to encrypt or decrypt. outname is the name of the output file. The output file may not already exist, because ATBASH2 will not overwrite. Entering the pass phrase at the prompt instead of the command line is more secure, and some characters cannot be entered at the command line. outname will be garbage if the pass phrase is wrong, but you will get no warning message about this. You have to check it yourself. INSTALLATION 1. Decompress the distribution archive. 2. You may wish to place ATBASH2.EXE someplace in your DOS path. 3. Read this file. TO ENCRYPT A FILE Simply run ATBASH2 with the input and output file names on the command line (in that order). You will be prompted for a pass phrase. Type carefully, since you must type EXACTLY the same pass phrase to decrypt your file. Pass phrases are case sensitive (Secret is not the same as sECRET, which is not the same as sEcRet). If you plan to delete the plain text file, and the data is important, then I strongly recommend that you try decrypting the file first, and comparing the results with the original file. That way you know that you typed the pass phrase correctly and that your copy of ATBASH2 is working correctly. After this test, you can then overwrite and delete the plain text without fear of losing your data (unless you forget your pass phrase). For example: ATBASH2 DIARY.DOC DIARY.ENC If you want to put the pass phrase on the command line, enter it after the file names. Note that some characters cannot be used on the command line that can be used when entering a pass phrase at the prompt, like Esc and |. Also note that entering a pass phrase on the command line is not as secure, since someone else with access to the same machine might be able to recall that same command line (an easy task if DOSKEY is loaded) and learn your pass phrase. TO DECRYPT A FILE Simply run ATBASH2 with /D (or /d) and the input and output file names on the command line. When prompted, enter the proper pass phrase. If you entered the right pass phrase, the decrypted file will contain the same data as the one that was encrypted. If you get the pass phrase wrong by even one letter, the output will be total binary garbage. You must manually check the output to see if it makes sense, depending on what kind of file you encrypted. If you want a program that automatically detects mistyped pass phrases, I recommend my QUICRYPT program or Philip Zimmermann's PGP instead of this one. For example: ATBASH2 /D DIARY.ENC DIARY.DOC You may optionally enter the pass phrase on the command line after the output file name if the pass phrase doesn't contain characters that the DOS Command interpreter cannot pass through (like Esc, <, >, |, Ctrl-P, Ctrl-C, etc.). TO ASCII ARMOR WITHOUT ENCRYPTING This is the same as encrypting and decrypting, except that you just press "Enter" when prompted for a pass phrase. PICKING A GOOD PASS PHRASE Obviously, if someone can guess your pass phrase, they can read your private data. One way to pick a good pass phrase that is hard to guess is to include at least two unrelated words, mix upper and lower case, and include some punctuation and numbers somewhere in the middle of the words. Picking a single word or common name (in any language) is a bad idea, even if you do something like spelling it backwards or adding a punctuation mark at the end, because there are password cracker programs that can check all of these in a matter of hours on a fast enough set of computers. Try for the longest, most complex pass phrase that you can memorize reliably. The maximum pass phrase size is 254 characters. When you enter a pass phrase at the keyboard prompt, almost anything you can enter from the keyboard can be used as part of the pass phrase, except for Enter, which indicates the end of the pass phrase. TRANSMISSION OF CIPHERTEXT The easiest way, of course, to get an encrypted message to someone is to transfer it with a modem, on a disk, or by electronic mail. If you want to send a short encrypted message from your cellular telephone or a pay phone somewhere, you can just read the ciphertext to someone. When doing that, a good way to prevent errors is to read the letters of the alphabet using phonetics, or words beginning with the letter of the alphabet you are reading. One standard phonetic alphabet you can use is: Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo Lima Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey X-ray Yankee Zulu ATBASH2 doesn't care if the letters are typed in as upper or lower case. Note that the numerals 0 and 1 don't occur in the ciphertext, so there is no guessing if a character is the numeral 0 or the letter O, or if a character is the numeral 1 or the letter I or l. Since the output is all upper case, the letters I and L should look different in almost any font. The ciphertext is arranged as 13 five-character groups per line. if there is an error in one of the characters, ATBASH2 will attempt to guess which line the first error was in to help you find the error and correct it. OTHER ENCRYPTION PRODUCTS Some other encryption programs that you may wish to consider are available on the Colorado Catacombs BBS (303-772-1062) and many other locations. These include DLOCK, PGP, CRYPTE, QUICRYPT, SFS, SECDRV, SECDEV. CRYPTE is good for encrypting and decrypting large numbers of files at a time. Uses a proprietary cipher. DLOCK is one of the strongest single-key encryption programs available, and it comes with complete source code. Uses the Diamond encryption algorithm. PGP is the best full-featured electronic mail encryption and signature program available. Uses RSA and IDEA encryption algorithms. There is a freeware version (with use restrictions) and a commercial version. QUICRYPT is one of the most user friendly and easy to use file encryption programs available, but this one is "crippleware" in the sense that it was designed to be legally exportable (meaning that the NSA can read any message encrypted with QUICRYPT). The non-exportable registered version, called QCRYPT, does not have this weakness designed into it, and offers an excellent combination of strength and speed. Even if you like ATBASH2's ASCII output, you might like to use QCRYPT for encryption and ATBASH2 just for ASCII armoring. Uses the Sapphire Stream Cipher. Look for QCRYPT10.ZIP (or a later version number). The next revision of QUICRYPT will generate files encrypted with the Sapphire II Stream Cipher, but will be able to read old files, too. SFS, SECDRV, and SECDEV all do on-the-fly disk encryption. WHY THE NAME ATBASH2? Why not? Atbash is the name of a simple substitution cipher over the Hebrew alphabet that was used thousands of years ago. Thanks to Rabbi Bryan for this information. The cipher used in this program is considerably more complex than its namesake, but the name is a reminder that people have valued privacy for a long time. The "2" indicates that this is version 2 of this program, which is different from the first version in that it uses the Sapphire II Stream Cipher instead of the Sapphire Stream Cipher. Because of this, files encrypted with ATBASH are not compatible with files encrypted with ATBASH2. HOW DOES THE SAPPHIRE II STREAM CIPHER WORK? Very well, thank you. See SAPPHIRE.TXT for details. IS THE SOURCE CODE FOR ATBASH2 AVAILABLE? Sure, IF you register your copy of ATBASH2 AND request the password to decrypt the source code at the same time (promising not to reveal it to others), you can decrypt SOURCE.ENC with ATBASH2 and the password I supply. Unzip the resulting file to get the source code. For example: ATBASH2 /D SOURCE.ENC SOURCE.ZIP PKUNZIP SOURCE.ZIP Source code for the Sapphire II Stream Cipher is also available in SAPPHIRE.TXT, and can be used in other applications if you wish. LEGAL NOTICES ATBASH2 cipher program and documentation version 2.00 Copyright (C) 1995 Michael Paul Johnson. All rights reserved. This program comes with no warranty, expressed or implied. It is your responsibility to determine if this software is suitable and safe for your use before you use it. The nature of encryption software is that data loss may be the result if you lose, mistype, or forget your pass phrase. Although this may change after I write this (and I hope it does), strong encryption software that cannot be easily broken by the U. S. Department of Defense (like ATBASH2) is considered a munition (like nuclear bombs, fighter jets, missiles, bazookas, guns, ammunition, and warships) by the U. S. Department of State. (No need to tell me how silly or wrong it is to group privacy software in with things that can kill people -- tell your senators and congressional representative, instead). Therefore, I will not export this program (except to Canada, which is subject to an exemption in the regulations and which has similar export restrictions). I advise you not to transmit this program to any location outside of the United States of America and Canada without proper legal authorization. REGISTRATION This is shareware. That means you can make copies and distribute it freely (within the limits of other possibly applicable law), and try this program for up to 60 days for free. If you continue to use this program after 60 days, you are required to register it. To register, send $49.00 for registration with disks and printed documentation or $20.00 for registration only, and the name of this program (ATBASH2) to: Mike Johnson PO BOX 1151 LONGMONT CO 80502-1151 USA Look for updates on the Colorado Catacombs BBS, 303-772-1062. The author can also be reached via the Internet at m.p.johnson@ieee.org or on CompuServe at 71331,2332. Registration entitles you to mail or email support and notification of major upgrades. REGISTRATION & INVOICE Note that the ATBASH2 software has been delivered and accepted by the customer. Upon receipt of this paid invoice, the printed documentation and disks paid for (if any) will be sent. Disks and manuals can only be sent to U. S. or Canadian destinations. Remit to: Ship to: Mike Johnson ________________________________ PO Box 1151 ________________________________ Longmont CO 80502-1151 ________________________________ USA ________________________________ Contact person: ________________________________ ________________________________ Email address:__________________ Quantity Description Unit Price Total ________ ATBASH2 registration with disk & manual. $49.00 ______ ________ ATBASH2 single copy registration only. $20.00 ______ ________ Site license for unlimited use of ATBASH2 at one corporation (includes one disk & one manual). $295.00 ______ Sales tax (if you are in Colorado) ______ Shipping and handling if a disk and manual has been ordered. $5.00 ______ Total ______ Please check all that apply to you (and only those that apply to you): __ I am a citizen of the United States of America or Canada. __ I am not a citizen of the USA, but I am a permanent resident (with a "green card"). __ I promise not to export ATBASH2 without proper legal authority and without registering every copy in use. __ I promise not to give ATBASH2 to anyone who would export it without legal authority or use it without registering it. __ I prefer 3.5" disks. __ I prefer 5.25" disks. __ I want the source code password, and won't reveal either the source code or the password to others. _____________________________________________ _______________ Signature Date