HACKERALERT/Picocrypt

picocrypt informs the attacker that key files were used during encryption

hakavlad opened this issue · 7 comments

Expected behavior: picocrypt does not tell the attacker whether keyfiles or passwords were used during the encryption.

pico

This wouldn't help because whether keyfiles are used or not is stored as a flag in the header. So for a standard volume, a hacker can just look at the raw header to tell if keyfiles were used or not. If you don't want this behaviour, you can use the deniable mode which will encrypt the header so that no one knows whether you used keyfiles or not unless they enter the correct password.

hacker can just look at the raw header to tell if keyfiles were used or not

This is the problem: picocrypt gives hackers hints when using default values.
Okay, this problem can't be fixed without breaking backwards compatibility.

Well, remember the target audience for Picocrypt -- the average Internet user. They won't care that much about whether a hacker can tell whether they used keyfiles or not. In fact, the average person probably won't use any keyfiles at all. For the advanced users who need that protection, the deniability feature exists. I think that's a pretty good balance of usability and security. Besides, knowing that keyfiles are being used does not effectively decrease security since security through obscurity doesn't do much. Knowing that the door to a house is locked doesn't make it any easier to get inside.

the target audience for Picocrypt -- the average Internet user

I think that's a pretty good balance of usability and security.

I did not see the phrase "the average Internet user" in the README. But I saw the following words there: "It's designed for maximal security, making absolutely no compromises security-wise".

For the standard usage and user, there are no compromises being made. High Argon2 parameters with XChaCha20 encryption and Blake2 authentication is not a compromise in any way. Neither is using any of the advanced features or keyfiles generated with the built-in generator. But if it really bothers you that much, I can remove that sentence entirely.

Picocrypt is a very small (hence Pico), very simple, yet very secure encryption tool that you can use to protect your files. It's designed to be the go-to tool for encryption, with a focus on security, simplicity, and reliability. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security, even from three-letter agencies like the NSA. Your privacy and security is under attack. Take it back with confidence by protecting your files with Picocrypt.

Alright, I will do it later today. Thanks for the feedback.

Removed. Hopefully the introduction paragraph sounds better now.