[cryptography] Introducing SC4 -- feedback appreciated

Ron Garret ron at flownet.com
Fri Apr 17 16:15:34 EDT 2015

On Apr 17, 2015, at 12:32 PM, zaki at manian.org wrote:

> I don't think this really solves any actual crypto problems.

Just to be clear, I’m not claiming to solve any actual crypto problems.  I’m claiming (or maybe “aiming” is a better word) to solve a UI/UX problem.

> I also suspect it's pretty hard to solve any of the big problems while retaining this level of simplicity. But I'm sure you'll learn stuff along the way.

Yep, that’s also one of my goals.  :-)

> You should take a look at reop as well which is an even older nacl PGP clone.
> https://github.com/tedu/reop

Thanks.  Just FYI, this was my first attempt at a PGP clone:


That code implemented passphrase protection on the keys.  But someone here (Robert Ransom) pointed out to me that if you really care about file security then you should be using a secure file system instead of trying to implement a “half-assed” password protection scheme.  That led me to thinking deeply about attack models and the conclusion that a browser based solution could be reasonably secure, where “reasonably secure” means “as secure as the current state of the art in the hands of a non-technical user”.

> > Minilock uses a compressed curve25519 point without any metadata as public key. This is more compact than your format. It'sBase58 encoded it is tweetable which is very nice.
> SC4 and Minilock use the same underlying crypto.  The reason SC4 keys look longer is that it gives you separate keys for signing and encryption.  But SC4 keys could be easily made tweetable if people cared about that.
> NACL encryption is authenticated. The shared secret is used in the MAC as well encryption steps. If all you want is an encryption app, you don't need a ed25519 signing key as well.

Yes, I know.  Signing is a separate feature.  (SC4 lets you sign without encrypting and vice versa.)  The main reason for separate keys is that I didn’t know if it was possible to securely convert back and forth between them (but I know now!  Thanks for the pointer.)

Another reason to keep the keys separate is so that you can revoke them independently.  But I’m not sure that’s a good enough reason.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20150417/fec05c85/attachment-0001.html>

More information about the cryptography mailing list