6.1 Choice of keys

When selecting an encryption key (to be entered at the keyboard) it should be a key that cannot easily be guessed. This is easier to do if you have 64 characters available than if you have only eight characters (as in Unix passwords), since there is less temptation to use your birthdate, your mother's maiden name or the name of your home town — or even such obvious possibilities as "my own key", "my secret key", "no-one else knows this!", etc. An attacker attempting to decrypt your data will first try all of the obvious possibilities before resorting to more time-consuming methods.

Literary quotes (suitably modified) are good for encryption keys because
(a) they are often more than thirty characters long,
(b) are easier to remember and
(c) are not obviously associated with you.
So review your Collected Works of William Shakespeare for some memorable phrases ("As flies to small boys are we to the gods", etc.).

One might also use the first (or second, etc.) line of a certain page in a certain book (then you have only to remember the book, the page number and the line number — assuming you have the book to hand).

A major problem with using as the key a phrase which consists only of English words plus punctuation is that the number of such phrases is dramatically smaller than the number of possible ME6 encryption keys, and an attacker (with computerized dictionary) will first try all the English phrases.

Suppose that a 64-character phrase contains on average eight words, and that those words are taken from a 10,000-word dictionary (which includes the usual punctuation marks). Then the number of such phrases is something like 10000⁸, i.e., 10³², which is about 2¹⁰⁶. Since the number of possible ME6 keys is about 2⁵⁰⁰, using a key consisting solely of English words plus punctuation reduces the size of the key space by a factor of 2³⁹⁴, or c. 10¹¹⁹. This obviously makes the job of the unauthorized decryptor much easier.

Inclusion of foreign words, e.g., "Merci beaucoup, danke vielmals and thanks a lot!" helps a bit, but not much. If the attacker knows that the phrase consists of words from any of ten natural languages, and that in each language the dictionary is at most 20,000 words in size, then the total number of possible words is 200,000 and (assuming an average of ten words per phrase) the total number of possible phrases is 200,000¹⁰, i.e., c. 10⁵³ or c. 2¹⁷⁶, again way below the number of possible ME6 keys, 2⁵⁰⁰.

If using a phrase as the key it is advisable to include a word which does not occur in any dictionary (either for English or for any other language), e.g., "Time flies like an arrow abcxyz".

Another way to use and to remember a key which is not made up of English words is to use a key consisting of the first (second or last) letters of a long phrase or quotation. For example, if the quotation is "To be or not to be, that is the question; whether 'tis nobler in the mind to suffer the slings and arrows of outrageous fortune" the key would be:

tbontbtitqwtnitmtstsaaoof

Another method of remembering a key which does not consist of English words is to use a quotation but to drop the last letter of each word. E.g., if the quotation is "And with hearts emboldened by the firm resolve to live free from tyranny" then the key would consist of the 47 characters:

An wit heart emboldene b th fir resolv t liv fre fro tyrann

that is (after spaces are removed):

anwitheartemboldenebthfirresolvtlivfrefrotyrann

But even if ten special characters (such as punctuation marks) are available in addition to the 26 letters of the alphabet the number of such keys is still only 36⁶⁴, less than 10¹⁰⁰ or c. 2³³², but at least the use of a key made in this way leads to a keyspace whose size is about 10²¹³ larger than that obtained when keys are all English phrases.

The only way to be sure of using a key which can be any key in the full 500-bit ME6 keyspace is to use a random key, as described in Section 4.7(d). Such a key must be stored in a keyfile, and then one has the problem of ensuring that the keyfile does not get lost and also does not fall into the wrong hands. But you have the same problem with normal keys to normal locks, so the same security measures can be used (the difference being that if you lose the keyfile and there is no backup then there is no data locksmith available to recover your data).

6.2 Possible effects of using an incorrect decryption key

When using an encryption key which you keep in your memory it is possible to make an error when recalling it. It may happen that you used a particular encryption key, for example:

It's time for a change!

but later, when decrypting you inadvertently use:

Its time for a change!

which will not work.

If the reason for an unsuccessful decryption is that the incorrect decryption key has been used, and the correct key cannot be found, then the data is gone forerver.

Decryption may fail for reasons other than the use of an incorrect key:

(a) Prior to an attempt at decryption the encrypted data may have been modified accidentally, and so have become "corrupted".
(b) The disk to which the decrypted data is being written may become full before decryption is completed (but ME6 checks that there is enough space on the output disk before performing the operation so this is unlikely).

Cryptosystem ME6 cannot determine what encryption key was used to encrypt a particular file (because the key is in no way hidden in the ciphertext), and it will attempt to decrypt that file with whatever decryption key you supply. If an attempt is made to decrypt a file using an incorrect key there are three possible results:

(a) The most likely result is an Invalid block size error message (adding that the "Decryption key is incorrect or ciphertext is corrupt").
(b) The next most likely result is a One block expansion error occurred error message, or perhaps more than one block expansion error (adding that the "ciphertext is corrupt or decryption key is incorrect").
(c) Least likely, but possible (with perhaps a chance of about 2%), is that the incorrectness of the decryption key will not be detected, and ME6 will produce a "decryption" which is incorrect.

If an incorrect decryption key is used and is detected, as in (a) and (b) above, then the input file will remain intact. It will also remain intact if decrypting to a file with a different name. Loss of the ciphertext will occur, however, if the incorrect decryption key is not detected, as in (c) above, and the output file has the same name as the input file (so that the ciphertext file is deleted, though not purged). Thus if decrypting many files and you are not entirely sure of the correctness of the decryption key then it is advisable to make backup copies of the ciphertext files before decrypting, or else decrypt to files with different output names.

6.3 Possible effects of ciphertext corruption

As noted above, decryption may fail for reasons other than the use of an incorrect key. The encrypted data may have been modified accidentally (e.g., an accidental overwrite of part of the file because of an operating system bug, or a chance burst of cosmic rays), and so have become "corrupted".

Most files are compressed before encryption and if the ciphertext is corrupted then the data given to the decompressor will usually cause an error during expansion.

If the ciphertext has become corrupted then the result of an attempt at decryption depends on how much damage has been done to the ciphertext. If there is a lot then the program may terminate after attempting to decrypt the first block, as is usually the case with an incorrect decryption key.

If there is less damage then an error message such as one of the following may be displayed:

Decrypting a5.enc in C:\_temp\
a5.enc        Invalid block size.
              Decryption key is incorrect or ciphertext is corrupt.
              Partial plaintext may be in a5.dec.

Decrypting a5.enc in C:\_temp\
a5.enc        3 block expansion errors occurred.
              Probably the ciphertext is corrupt.
              Partial plaintext may be in a5.dec.

Inspection of the output file (a5.dec in these examples) will reveal some sections that are partly or totally unintelligible. Such a section will usually (though not always) be enclosed in BAD BLOCK markers, for example:

!!! START OF BAD BLOCK #1 !!!

!+@s3kj5naV)
	nNNNumi
.AAA0^mmm 08:mo
 ailo
Ta7]
k_7 kES:nan (E) wnFud)idWokkk

!!! END OF BAD BLOCK #1 !!!

If data corruption results only in block expansion errors then it is possible that only particular blocks will be bad, and the good blocks will all be decrypted successfully (unless ME6 encounters nine block expansion errors, at which point it abandons the attempt at decryption).

If the corruption produces an Invalid block size error then the attempt at decryption will be abandoned at that point, although it is still possible that some plaintext may be available.

If the ciphertext has been corrupted in only a minor way then it is possible that no error message will be displayed, ME6 will report that the file has been decrypted, but the decrypted file will not contain the intended plaintext, and may even be entirely unintelligible. In this case the error will be revealed by an inspection of the file or by an attempt to use it for its intended purpose. If the original file was text then it may be found that most of the plaintext has been recovered, but that there are strings of unintelligible characters, or it may be that erroneous characters or short strings of erroneous characters are scattered throught the plaintext.

This situation does not occur when an incorrect decryption key is used but only when a small part of the encrypted data has been corrupted, in which case the unintelligible bytes in the decrypted file will normally be confined to the area of the corrupted data.

6.4 Double encryption

It is possible to doubly-encrypt a file using ME6, i.e., to encrypt the ciphertext again using the same or a different key, but this results in only a slight increase in security, and has two disadvantages:
(i) If you use double encryption then you must use double decryption.
(ii) It is easy to forget whether you encrypted twice or just once.

It may happen that you accidently re-encrypt a file which is already encrypted. The result will be that when you decrypt (assuming you use the correct decryption key) ME6 will perform normally but the resulting file will look like garbage (as ciphertext normally does).

If you decrypt a file, and ME6 reports no error, but the resulting file looks like garbage, then don't panic. This situation usually means that you accidentally encrypted the plaintext file twice (not necessarily on the same day). At this point make copies of all files involved, then re-decrypt the file resulting from the first decryption. This will usually produce the original plaintext.

ME6 will always reproduce the original plaintext if the correct decryption key is used and the ciphertext has not been changed. If decryption produces (what looks like) garbage, and a second decryption (as above) does not fix the problem, then it means either that the decryption key is incorrect (although in this case ME6 will usually produce an error message) or that the ciphertext given in the first decryption has been corrupted (but not badly enough to produce an error message).

6.5 Anti-forensic-software measures in ME6

If an attacker convinces himself that an encryption method is not obviously weak then he is not likely to spend a lot of time attempting a simple brute force attack, which might take years. Instead he will examine the method of key generation to try to identify a de facto keyspace which is sufficiently small that a brute force attack, using keys within this keyspace, might be feasible (he will have no luck if you have used a random key).

But frequently an attacker will not even bother to do this, but rather will look for instances of the plaintext that happen to be lying around on the hard disk. This is one of the main uses of so-called forensic software (used in criminal investigations and in legal discovery). You do not have to be a criminal for your computer to be subjected to the attentions of forensic software. If you arrive in the U.K. from, say, some Asian country, then customs officials may decide to examine your laptop to see if there are any (child) pornographic images on it (some government officials have dirty minds and may assume that you have too). There will be, of couse, no such images on your laptop, but in the course of the search they may find your bank records, your travel plans and the confidential spreadsheets that you have prepared to assist you in your presentation to the board of your company at its London office.

Windows is a notoriously insecure operating system. It may leave copies of a file in various places on the hard disk even if you believe you have deleted that file (e.g., if you print a file then Windows makes a copy of the file for the print spooler, and after printing it the print spooler "deletes" the file in such a way that the text remains on the hard disk, waiting to be discovered by some forensic software unless those disk sectors happen to be overwritten first).

Wndows NT 5.0 and Windows 2000 sport an "Encrypting File System", but what Microsoft doesn't tell you is that when a file is encrypted a copy of it is first made; the copy is encrypted, the ciphertext is then written over the plaintext and the copy is then "deleted", again in such a way that the plaintext data is left lying around in disk sectors where it can be read by forensic software.

When you encrypt a file using Cryptosystem ME6 the program cannot know if there are copies of it lying around somewhere, but it can at least avoid creating any more. When you encrypt a file to a file with a different name then of course the plaintext remains. Here we will consider the case where the output file has the same name as the input file. What happens in this case is as follows:

Cryptosystem ME6 first opens a temporary output file. It reads the input file in blocks of about 8K in size and writes the encrypted blocks to the temporary output file. After each block is encrypted the memory buffers used for the plaintext, the ciphertext and the keytext are cleared (overwritten by zero bytes). (If there is a power failure during the encryption then the plaintext remains unaffected.) At the end of the encryption the input file is not simply deleted, rather is purged: it is overwritten once with random bytes. After the original input file is deleted the temporary output file is renamed to have the same name as the input file. Thus after the encryption has been completed there is no plaintext left — there is nothing for forensic software to find (at least, nothing left by Cryptosystem ME6).

6.6 Excluded files

Cryptosystem ME6 will not encrypt or decrypt the current ME6 executable file (that is, the ME6 program currently being executed) or the currently specified keyfile, if any.

If you wish to encrypt or decrypt the currently specified keyfile then simply erase the key first (one of the options in the encryption key submenu).

Files with extension bat, bin, com, dll, drv, exe, ini, ovl, pif, swp or sys are handled with care to prevent accidental encryption of files which are, or may be necessary, for the proper operation of ME6 or of your PC, as explained below.

A file with one of these file extensions may be encrypted or decrypted only if the output file has a name different from the input file. If you wish to encrypt or decrypt a file with one of the file extensions listed above then you can do so if you first rename the file so that it has a different extension, e.g., ex, then rename it to restore the original file extension. Also, to encrypt, you can zip up the file into an archive and encrypt the zip file.

6.7 Purge process

When Cryptosystem ME6 purges a file (which is done when a file is encrypted and the ciphertext file has the same name as the plaintext file), that file is overwritten once with random bytes before it is deleted. The file overwrites are done using low-level disk I/O functions so the bytes are actually written to disk each time, not just to a disk cache.

Overwriting the plaintext once with random bytes will prevent recovery by the kind of forensic software that searches disk sectors looking for text. It may, however, be possible, even after overwriting once with random bytes, for some data to be recovered by special apparatus which examines the magnetic signals more closely. To foil such an attempt it is necessary to overwrite the sector several times. This can be done by the use of another Hermetic Systems program called Data Destroyer.

6.8 Encryption/decryption of floppy disk files

The speed of read/write operations on floppy disks (a.k.a. diskettes or 3.5" disks) is much less than that for hard disks (a.k.a. fixed disks), so it is preferable to perform all encryption and decryption operations with files on a hard disk. If the input files are on a floppy disk then they may be copied to the hard disk, the required operations performed, then copied back to the floppy disk as required. Any plaintext files which have been copied to the hard disk may then be purged using Data Destroyer. However this may be inconvenient when there are several folders and subfolders on the floppy disk. In this case Cryptosystem ME6 may be used with files on a floppy disk in the same way as with files on a hard disk, but operations involving many files or large files may take several minutes to be completed, especially if they involve the purging of files on the floppy disk. If an operation goes on longer than expected, just allow it to finish (and do not be alarmed by the presence of hard disk activity, since, as explained below, temporary files may be written to the hard disk).

Due to the limited capacity of floppy disks (1.44 MB) floppy disk files are encrypted and decrypted in a way slightly different from files on a hard disk in the case where files are encrypted or decrypted "in place", i.e., when the output filenames are the same as the input filenames. In this case some error conditions are possible which do not arise with files on a hard disk (which normally has at least several megabytes of free space).

When a plaintext file on floppy disk is encrypted in place, a temporary output ciphertext file is created on the hard disk, not on the floppy disk (since there may be insufficient space on the floppy). After encryption is completed the plaintext file is purged and the ciphertext file is copied to the floppy disk and is given the same name as the input file.

When a ciphertext file on floppy disk is decrypted in place, a temporary output plaintext file is created on the hard disk. After decryption is completed the ciphertext file is deleted, the plaintext file is copied to the floppy disk and given the same name as the input file, and the temporary plaintext file on the hard disk is purged. Thus, even when floppy disk operations are involved, there is no plaintext left either on the floppy disk or the hard disk to be found by forensic software.

Decryption of floppy disk files is much quicker than encryption, since encryption involves purging of (original) plaintext files on the floppy disk, whereas decryption involves purging of (temporary) plaintext files on the hard disk, and purging is much faster on a hard disk than on a floppy disk.

An error condition which is possible with floppy disk operations but which does not occur when all files involved are on the hard disk is that which arises when the temporary output file on the hard disk is too large to be copied to the floppy disk. In this case an error message will be displayed, and the name of the temporary output file (ciphertext or plaintext) on the hard disk will be given (it will be a file in the root directory of the hard disk). In this case the advisable course of action is to free up some space on the floppy disk and copy the temporary output file to the floppy, renaming it if necessary. If the temporary output file on the hard disk consists of plaintext (in a decryption operation) then that file can be purged using Data Destroyer.

If plaintext files on a nearly-full floppy disk are all encrypted then the resulting ciphertext files may occupy only about two-thirds of the floppy disk capacity due to the use of compression. Thus if ciphertext files are stored on a floppy disk then to avoid the above error condition (in the case that all such files are decrypted in one operation) it is advisable that not more than two-thirds of the floppy disk capacity be used.

6.9 Testing non-ME6 ciphertext

If you have a ciphertext file which has been produced by some encryption software other than Cryptosystem ME6 then you may care to test its randomness value using ME6's randomness report capability. Specify that file as the input file then get a randomness measure and a graphical display of the randomness of the bytes in that file by clicking on Randomness report.

If the randomness value is less than, say, 0.8, or the graphical display reveals obvious irregularities in the byte distribution, then either of two conclusions can be drawn:

1. The encryption method used to produce this ciphertext is not a good one, since a good encryption algorithm should produce bytes which appear to be random (if not then there is information available which will help an unauthorized decryptor).
2. The encryption method is good and the ciphertext does (if it can be inspected) appear to consist of random bytes, but the ciphertext forms only a part of the file, and the non-ciphertext part contains regularities (e.g., long sections of zero bytes) which are distorting the randomness test. If this is the case then the file should be examined with a hex editor to see whether there are in fact sections which look regular and which might account for the non-randomness (though whether these are part of the ciphertext itself is another question).