Re: One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread Anthony DeRobertis
Debian only includes free software, which CC-BY-NC-ND is not. It's also (like 
all the Creative Commons licenses) not intended for software. 
https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software

These issues are likely to keep most Linux distros (not just Debian) from 
including your program.

That's aside from any technical issues (e.g., embedding a copy of the JRE isn't 
OK for a package in Debian).



Re: One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread Ondřej Surý
Michael,

your understanding is correct and it’s XOR. Also, the use of the password is 
more harmful than useless. If you glance at the source code, the author just 
generates an MD from the password and XORs the input with it as a “protection”. 
This is more than useless; this is actively harmful.

There’s more nonsense about combining two random numbers into one for “even 
more random”. (Oh gee, why haven’t we thought about this before...)

Anyway, after some more private conversation with the author, I think he’s 
beyond help. He’s so convinced that he’s right and standards based crypto has 
been flawed by NSA that he’s unable to listen. He’s also unable to understand 
that one must look at the security of the whole system and not just the 
security properties of the one-time pad function. Not to mention that he 
consistently calls functions that do XOR “encrypt” in the code.

I am sorry to say that it seems Schneier’s law is in effect here... And I 
would normally ignore this, but perhaps some poor soul who Googles FinalCrypt 
will find this email and won’t put their sensitive data into the hands of 
this...

Ondřej 
--
Ondřej Surý 

> On 15 Oct 2019, at 22:03, Michael Stone  wrote:
> 
> On Tue, Oct 15, 2019 at 05:07:33PM +0200, Ondřej Surý wrote:
>> First of all, all software in Debian must adhere to Debian Free Software
>> Guidelines. And I can’t find the source code anywhere on your website.
>> 
>> That said - while you seem to use a lot of buzz words and bold claims, I
>> would recommend the old wisdom: “don’t ever roll your own crypto”. I would
>> recommend you speak to an actual cryptographer before you do more harm to
>> your users.
>> 
>> I hope cryptographic software based on hand-waving and no crypto audit 
>> would
>> never be uploaded in Debian.
> 
> Source code seems to be at 
> http://www.finalcrypt.org/downloads/other/finalcrypt_sourcecode.zip
> but otherwise I agree that using this versus a recognized encryption tool is 
> a bad idea. The general mechanism seems to be to generate a random string equal 
> to the size of the input data, then perform some operation (presumably xor?) 
> to generate ciphertext. The usual weak link from a theoretical standpoint is 
> the strength of the pseudo random number generator. In this case it's using 
> the java SecureRandom function, so it's as strong or weak as that. If you 
> don't trust complicated mathematical functions to secure your data, I don't 
> know why you'd trust SHA-256. The weak link from a practical standpoint is 
> the need to securely store random pads equal in size to the data 
> encrypted--if you can secure the one time pad, you could just as easily 
> secure the data and not need the one time pad. Disclaimer: I only gave the 
> source code a cursory glance so there may be additional elements of this 
> implementation that I overlooked either for better or for worse. 



Re: One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread Michael Stone

On Tue, Oct 15, 2019 at 05:07:33PM +0200, Ondřej Surý wrote:

> First of all, all software in Debian must adhere to Debian Free Software
> Guidelines. And I can’t find the source code anywhere on your website.
> 
> That said - while you seem to use a lot of buzz words and bold claims, I
> would recommend the old wisdom: “don’t ever roll your own crypto”. I would
> recommend you speak to an actual cryptographer before you do more harm to
> your users.
> 
> I hope cryptographic software based on hand-waving and no crypto audit would
> never be uploaded in Debian.


Source code seems to be at 
http://www.finalcrypt.org/downloads/other/finalcrypt_sourcecode.zip
but otherwise I agree that using this versus a recognized encryption 
tool is a bad idea. The general mechanism seems to be to generate a random 
string equal to the size of the input data, then perform some operation 
(presumably xor?) to generate ciphertext. The usual weak link from a 
theoretical standpoint is the strength of the pseudo random number 
generator. In this case it's using the java SecureRandom function, so 
it's as strong or weak as that. If you don't trust complicated 
mathematical functions to secure your data, I don't know why you'd trust 
SHA-256. The weak link from a practical standpoint is the need to 
securely store random pads equal in size to the data encrypted--if you 
can secure the one time pad, you could just as easily secure the data 
and not need the one time pad. Disclaimer: I only gave the source code a 
cursory glance so there may be additional elements of this 
implementation that I overlooked either for better or for worse. 
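The mechanism Michael describes (a CSPRNG pad the size of the data, XORed with the data) and the password-digest layer Ondřej criticises earlier in the thread can both be shown in a few lines. The following is an added illustration written for this thread, not FinalCrypt's own code; the `password_keystream` function is an assumed reconstruction (a digest of the password repeated over the data) and the messages are constructed samples. It shows why the pad must be exactly as long as the data, and why any XOR keystream that is reused across two inputs cancels out and exposes the XOR of the two plaintexts, which is the reason a pad is one-time and a password-derived keystream adds no secrecy of its own.

```python
"""Minimal one-time pad and a model of a password-derived XOR layer.
Added example for the discussion above; not FinalCrypt's code."""
import hashlib
import secrets
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings. This is the entire OTP 'cipher'."""
    if len(a) != len(b):
        raise ValueError("pad and data must be exactly the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Draw the pad from the OS CSPRNG (the Java analogue is SecureRandom).
    The pad is as long as the data, which is the practical weak link raised
    above: protecting the pad is the same problem as protecting the data."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Return (ciphertext, pad); the pad must be stored and never reused."""
    pad = generate_pad(len(plaintext))
    return xor_bytes(plaintext, pad), pad


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def password_keystream(password: str, length: int) -> bytes:
    """ASSUMED reconstruction of the 'password protection' layer criticised in
    the thread: a message digest of the password, repeated to cover the data.
    The real program may differ in detail; the point is that the keystream is
    a fixed function of the password, not fresh randomness."""
    digest = hashlib.sha256(password.encode()).digest()
    repeats = -(-length // len(digest))  # ceiling division
    return (digest * repeats)[:length]


def password_layer(data: bytes, password: str) -> bytes:
    """XOR the data with the password-derived keystream (symmetric: applying
    it twice with the same password restores the input)."""
    return xor_bytes(data, password_keystream(password, len(data)))


def keystream_difference(c1: bytes, c2: bytes) -> bytes:
    """For any XOR cipher, if two messages share a keystream then
    c1 ^ c2 == p1 ^ p2: the keystream cancels and the relationship between
    the plaintexts is exposed. This is why a pad is used exactly once and why
    the password layer hides nothing about one file relative to another."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample data.
    msg = b"quarterly report"
    ct, pad = otp_encrypt(msg)
    assert otp_decrypt(ct, pad) == msg
    print("pad bytes to store securely:", len(pad), "== data bytes:", len(msg))

    p1, p2 = b"report-q3", b"report-q4"
    c1 = password_layer(p1, "hunter2")
    c2 = password_layer(p2, "hunter2")
    # The password-derived keystream cancels out between the two files.
    print("c1 ^ c2 == p1 ^ p2:", keystream_difference(c1, c2) == xor_bytes(p1, p2))
```

Run it as a script: the first check shows the round trip works and that the secret material to protect is exactly as large as the data; the second shows that the same password applied to two files leaves their XOR difference unchanged, so the layer contributes nothing to confidentiality that the pad does not already provide.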



Re: One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread ghostbar



On 10/15/19 10:24, FinalCrypt wrote:
> Hello,
> 
> Regularly I get questions from Debian (based Linux) users, which
> FinalCrypt  package (*.deb / *.rpm) they
> should install.
> Would you be interested in having the latest FinalCrypt Debian package
> added to the Debian Repository ?
> 
> Currently there is no Linux distribution that offers mature One-Time Pad
> Encryption software from its repository.
> Debian could be the first to offer mature unbreakable encryption
> software and of course I would feel honored as well.
> 
> Surprisingly enough currently there is no serious alternative One-Time
> Pad File Encryption software besides FinalCrypt.

Hi Ron!

FinalCrypt can't be included into Debian repositories. The CC license
you chose is not compatible with the requirements of Debian (you can see
a list of acceptable licenses here: https://wiki.debian.org/DFSGLicenses)

I can tell you don't want your software to be modified, hence the
license chosen, but Debian needs the ability to change software so it can
patch software in case of requirements. Not just that, we can't control
if software is being used commercially or not.



Re: One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread Ondřej Surý
First of all, all software in Debian must adhere to Debian Free Software 
Guidelines. And I can’t find the source code anywhere on your website.

That said - while you seem to use a lot of buzz words and bold claims, I 
would recommend the old wisdom: “don’t ever roll your own crypto”. I would 
recommend you speak to an actual cryptographer before you do more harm to 
your users.

I hope cryptographic software based on hand-waving and no crypto audit would 
never be uploaded in Debian.

Ondřej 
--
Ondřej Surý 

> On 15 Oct 2019, at 16:42, FinalCrypt  wrote:
> 
> 
> Hello,
> 
> Regularly I get questions from Debian (based Linux) users, which FinalCrypt 
> package (*.deb / *.rpm) they should install.
> Would you be interested in having the latest FinalCrypt Debian package added 
> to the Debian Repository ?
> 
> Currently there is no Linux distribution that offers mature One-Time Pad 
> Encryption software from its repository.
> Debian could be the first to offer mature unbreakable encryption software and 
> of course I would feel honored as well.
> 
> Surprisingly enough currently there is no serious alternative One-Time Pad 
> File Encryption software besides FinalCrypt.
> 
> Here is a small list of why users would choose FinalCrypt:
> 
> • FinalCrypt uses unbreakable One-Time Pad File Encryption
> • Revolutionary Automatic Keys on One-Time Pad Encryption
> • Installation & Portable Packages for Windows, Mac & Linux
> • Completely Free of Use including Free Support for all Users
> • Independently tested for Safety at 70 AntiVirus Companies
> • Non-Profit OpenSource private initiative for Digital Privacy
> • If you already use encryption it probably is AES encryption
> • Asymmetric encryption is vulnerable to The Shor's Algorithm
> • Disk Encryption does NOT protect you from active Spyware
> • Today's Mass Privacy Violations in the Cyber Security News
> • FinalCrypt protects your Constitutional & Human Rights §8
> 
> FinalCrypt software packages come with a working JRE as the default Linux JRE 
> do not contain the JavaFX GUI Widget Toolkit.
> Besides offering a modern GUI, FinalCrypt also offers a fully featured 
> Command Line Interface to automate OTP encryption.
> 
> Kind regards,
> 
> Ron de Jong
> FinalCrypt


One-Time Pad Encryption Software to Debian Repository

2019-10-15 Thread FinalCrypt
Hello,

Regularly I get questions from Debian (based Linux) users, which
FinalCrypt package (*.deb / *.rpm) they should install. Would you be
interested in having the latest FinalCrypt Debian package added to the
Debian Repository ?

Currently there is no Linux distribution that offers mature One-Time
Pad Encryption software from its repository. Debian could be the first
to offer mature unbreakable encryption software and of course I would
feel honored as well.

Surprisingly enough currently there is no serious alternative One-Time
Pad File Encryption software besides FinalCrypt.

Here is a small list of why users would choose FinalCrypt:

• FinalCrypt uses unbreakable One-Time Pad File Encryption
• Revolutionary Automatic Keys on One-Time Pad Encryption
• Installation & Portable Packages for Windows, Mac & Linux
• Completely Free of Use including Free Support for all Users
• Independently tested for Safety at 70 AntiVirus Companies
• Non-Profit OpenSource private initiative for Digital Privacy
• If you already use encryption it probably is AES encryption
• Asymmetric encryption is vulnerable to The Shor's Algorithm
• Disk Encryption does NOT protect you from active Spyware
• Today's Mass Privacy Violations in the Cyber Security News
• FinalCrypt protects your Constitutional & Human Rights §8

FinalCrypt software packages come with a working JRE as the default
Linux JRE do not contain the JavaFX GUI Widget Toolkit. Besides offering
a modern GUI, FinalCrypt also offers a fully featured Command Line
Interface to automate OTP encryption.

Kind regards,

Ron de Jong
FinalCrypt