MySecret Blowfish Encryption Utility
MySecret is a command-line freeware utility that can be used to encrypt and decrypt messages in an email-friendly manner. It works by encrypting or decrypting the contents of the clipboard. It can also work in file mode.
MySecret.exe is small - 150 kB - and quick. It uses the Blowfish algorithm to create base64-encoded text output that can be easily transmitted over the Internet or stored on any computer system. For more information on Blowfish see the web site of its inventor, Bruce Schneier and his references to Products that Use Blowfish.
Contents
- Introduction
- Download
- Terms and Conditions
- To install
- To use to encrypt a message in CLIPBOARD mode
- To use to decrypt a message
- Syntax
- Using the in-line password option
- To use to encrypt a file
- Using MySecret in Batch Files
- Remarks
- Security Considerations
- Using from web mail
- Examples in use
- Linux Version
- Acknowledgements
- The program
- Technical details
- Security Enhancements in Version 3
Introduction
I wrote the first version after I'd been travelling and needed a simple utility I could keep on a floppy that would enable me to create and receive encrypted emails from Internet cafes and friends' PCs. You can also use it in batch files to carry out automated encryption of backup files.
Version 3 has improvements including compression of data before encryption, random padding characters, and confirmation of the password when encrypting. Data encrypted with versions 1 and 2 can still be decrypted using version 3. There is an option to encrypt using the Version 2 algorithm, if needed.
thanks for a great program !!i've been testing some programs (using either rijndael or blowfish) and i ended up using MYSECRET.. why?because..
it's fast !!
it's a command-line program (easy to use with vb ;)
it's blowfish and it supports large keys..
it copies the encrypted/decrypted text to the clipboard (easy to use with vb)
thanks again, blowfish is indeed a great algoritm..-Noaz
But...Your "MySecret" has got to be just about the best freeware utility of its type available - Thanks!!I love its simplicity, the ability to en/decrypt text or files easily (I knocked up a trivial script to help with that), the fact that it compresses text before encryption and that it ignores whitespace when decrypting and also looks only for data between the delimiters.All this makes it exceptionally powerful and robust, whilst still being incredibly simple to use.
-Tom
Having said all that [and meant it too], there is just one small thing that I *don't* like about it....the name "MySecret" ! It just doesn't do the program justice: to be honest, it makes the program sound like something some script-kiddy has knocked up instead of the exceptional bit of software it actually is. I suspect that a number of people might not take it [the program] seriously, which would be a shame.
-Tom
Download
Download the latest version of MySecret.zip (82.6 kB) from here[sha1=8bde7405e15c6d5997daeb087f40879ee480a4f5]
.
The MySecret.exe file version 3.1.0.3 was recompiled and signed on 2 July 2018 (using our signing certificate issued to "D.I. MANAGEMENT SERVICES PTY LIMITED").
The executable is 148944 bytes and has an SHA-1 checksum of 9aad6c4cebbfb9ce3a9feab6830ea19cbae62f24
.
Why is the executable so large now? It used to be 50 kB, now it's 150. I mean, what's with all this bloat? The old version (2007) was compressed using UPX. Sadly, that triggers too many false positives with the poorer AV programs, so we've stopped using it. Plus the newer MSVC compilers add a bit more overhead. (The latest July 2018 compile should be compatible with old XP platforms, but not earlier ones).
Terms and Conditions
MySecret is copyright (C) 2002-18 DI Management Services Pty Ltd, all rights reserved. MySecret is freeware. Install and use entirely at your own risk. This Program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. By using the Program YOU EXPRESSLY AGREE to these conditions. If you do not agree to these conditions, DO NOT USE THE PROGRAM.
To install
- Copy the file MYSECRET.EXE into a directory on your PC's path, e.g. C:\Windows.
- That's it!
- We recommend you set up a C:\Bin directory for files like this.
To use to encrypt a message in CLIPBOARD mode
- Copy the text you want to encrypt into the clipboard. This might have been typed first into Notepad, for example, or be from the body of an email.
- Open an Command Line window: Start > Programs > Accessories > Command Prompt.
- Type:
MYSECRET
- The contents of the clipboard will display (this is a useful check).
- Enter a password when prompted. This is case-sensitive, so be careful. Your password can be any phrase with any normal characters including spaces and punctuation. The password is not displayed. Press Enter to finish. (New in Version 3) You will be asked to confirm the password, so type it again.
- The encrypted message will display.
- The encrypted message is now also in the clipboard. It can be pasted into an email or into a text editor.
To use to decrypt a message
- A message created with MySecret looks like this:
-----BEGIN MYSECRET----- TVn8APjdMOdLPUBQ2OWsEh7wWnihhKKOKf11Vj0oo4pM20BPwrRXJyL+nBOL dpxdc+PQQoQlr0Vz1n1Fv932HQ16DG712ui69T3O0jI3NfX8jRjtZkal/sFy Vu9JJEWPfZ2Ri1fkfOCqe9ZvFEmJ78BcUVmf37SYbgKi8UcAv4i1heHfJ05e nde6nFeiyDptYflT7SiIGHcO1cVya22b1OLHakAE2paS1OJqQrHYc+5wEAdo DU/0BmNvNNYOekmHZT19C1+cIwZFo3ACLRN44gZffx+KIng570UcoNYa7NWn hzt6gvQHXEp2jnE= -----END MYSECRET-----
- Copy the message into the clipboard. Make sure you include the BEGIN
and END lines, including the five dashes before the word BEGIN. It
doesn't matter if there is other text before or after these lines; text
outside will be ignored.
- In an Command Prompt (MS-DOS) window type:
MYSECRET
or, to be sure you mean decrypt, typeMYSECRET -d
where -d means decrypt. - The contents of the clipboard will display as a check.
- Enter the correct password (in the example above it is "abc").
- If correct, the decrypted message will display on the screen.
- The decrypted message will also be in the clipboard for you to paste into a text document.
Syntax
Usage: MySecret [OPTIONS] [-p password] [[-i] infile [[-o] outfile]] OPTIONS: -?|-h display this Help -e|-d force Encrypt/Decrypt -n do Not ask to confirm password -w Warn before overwriting existing outfile -2 use v2.0 algorithm (no compression) -@ use stdin/stdout pipes if in/outfile not given -L display licence conditions EXAMPLES: MySecret (=clipboard-mode, prompts for password) MySecret -p "my pass phrase" MySecret infile outfile (=file-mode) MySecret -@ infile (output to stdout) MySecret -@ -o outfile (input from stdin) MySecret -@ (input from stdin/output to stdout)
Using the in-line password option
The default mode is to prompt for a password which will not be displayed when typed. Alternatively, you can use the -p option to enter a password in the command line.MYSECRET -p abcwill use the password "abc" to encrypt the contents of the clipboard.
To use a pass phrase with spaces or other punctuation characters in it, surround the pass phrase with double-quote characters, e.g.
MYSECRET -p "hello world#"Note that a space is required between the "-p" and the password itself.
To use to encrypt a file
If you enter both an input and an output filename in the command line, you can encrypt or decrypt files. When encrypting. the output file will be an ordinary ANSI text file that can be viewed in any text editor, albeit in encrypted and base64 encoded form. The input file for encryption, however, may be a text or binary file of any type.MYSECRET C:\mydrive\myfile.txt C:\mydrive\myfile.txt.myswill create the encrypted file myfile.txt.mys. Alternatively
C: CD \mydrive MYSECRET myfile.txt myfile.txt.mysTo decrypt
MYSECRET -d myfile.txt.mys myfile.txtIf the name of the file or the folder contains spaces, enclose the name in double-quotes
MYSECRET "My Documents\myfile.txt" "My Documents\myfile.txt.mys"
Using MySecret in Batch Files
This example will allow you to do "automated" encryption of a particular file using a batch file.- Create a text file ENCR.BAT as follows:
=====(cut)===== echo password is "%1" if "%1"=="" goto NOPASSWORD set mypwd=%1 mysecret -p %mypwd% $backup.zip $backup.zip.mys if not errorlevel 1 del $backup.zip set mypwd= goto DONE :NOPASSWORD echo no password :DONE =====(cut)=====
- Open a command prompt (MS-DOS) window in the relevant directory where your file is.
- At the command prompt type
ENCR password
where "password" is your password. - The file in this example "$backup.zip" will be encrypted and the output will be the new file "$backup.zip.mys".
Remarks
- If you want to encrypt clipboard data or a file that actually contains the text
"-----BEGIN MYSECRET"
, the program will automatically try to decrypt it. To prevent this include the-e
option in the command line. For example:MYSECRET -e
orMYSECRET -e myfile.txt myfile.txt.mys
- Use the "-n" option to avoid having to re-type the password.
MYSECRET -n
- To encrypt or decrypt files, both the input and output filenames
must be in the command line, or the program will default to clipboard mode.
The default is to overwrite the output file without warning - you have been warned!
To prevent this, use the -w option which will prompt if an existing file of the same name exists.
The output filename may be the same as the input filename, in which case the original
data will be overwritten.
- The program needs at least two times free memory as the size of the object you are encrypting or decrypting. So don't complain about your 1 GB file.
Security Considerations
MySecret is a software application that provides a method for encrypting data using the Blowfish block cipher algorithm. The security provided in theory is the lesser of 128-bits and the entropy provided by the user's password. No opinion is offered on the security of the Blowfish algorithm itself. It is the responsibility of the user to provide a password or pass phrase of sufficient strength and to protect the secrecy of that password, including protecting against exposure by malware or keystroke loggers on the user's computer.
Using from Web Mail
Peter Brown suggests emailing MySecret.exe as an e-mail attachment to each of your web-mail accounts. Simply double-clicking on the attachment runs the program in clipboard mode (depending on your browser security settings). In this way you can encrypt and decrypt from any computer in the world that can access the web. Thank you for an excellent suggestion, Peter.
Examples in Use
There is a demonstration VB6 project using CryptoSys API.
Linux Version
The file 'MySecret' is an executable compiled using gcc version 2.91.66 on an i686 computer running Linux 2.4.30: MySecret-3.1.1.bin-i386.tbz (44 kB), MySecret-3.1.1.bin-i386.zip (43 kB). It is compiled from the same source code as the Windows version, but it only works in file-to-file mode. (Hint: You may find the -@ option useful.) If it works for you on your ix86 Linux system, please use it.Acknowledgements
The source code used in MySecret is original code written by David Ireland except for the following:
- The Blowfish encryption functions use code placed in the public domain by Bruce Schneier as published in Applied Cryptography (second edition, John Wiley, 1996).
- The base64 encoding functions use code derived from work placed in the public domain by Carl M. Ellison in 1995.
- The CRC-24 function uses code derived from RFC 2440 OpenPGP Message Format, Callas et al, November 1998.
- The basic code implementing the RSA Data Security, Inc. MD5 Message-Digest Algorithm
is derived from that published in RFC1321
and is covered by the following copyright:
Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the ''RSA Data Security, Inc. MD5 Message-Digest Algorithm'' in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as ''derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm'' in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided ''as is'' without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
- The ZLIB data compression utilities use source code with permission from the 'zlib' general purpose compression library version 1.2.3 Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler.
The executable was compressed using UPX, the Ultimate Packer for eXecutables available from http://upx.sourceforge.net. Sorry, too many false positives from AV products.
Thanks to 'Chris' for pointing a bug in version 3.1.0 with strings of a certain length (like "abc").
The Program
MySecret is written in ANSI C and has been compiled using Microsoft Visual C++ v12.0. The program is a Win32 executable that requires Windows XP or above. There is also a version compiled on a Linux machine. The first version was published on 8 February 2002. Version 2 was released in June 2003. The current Version 3 was first released on 11 May 2007. MySecret is Copyright © 2002-17 DI Management Services Pty Ltd. All rights reserved.Technical details
For the technical minded, here's how it works in Version 2 and Version 3.
The program takes its input buffer from either the clipboard or the specified file.
Unless the program is explicitly instructed to encrypt or decrypt with the -e or -d
options in the command line, it will examine the input buffer for the
"-----BEGIN MYSECRET"
framing characters. If the framing is present, the program will attempt to decrypt the characters up to
"-----END MYSECRET"
.
In all other circumstances, it will encrypt the entire input buffer.
- Checksum: Compute a 24-bit CRC checksum of the plaintext input buffer.
- Generate an IV: Generate a 64-bit Initialisation Vector (IV) by making an MD5 hash of the current time and the CRC value computed above. Set the IV to be the first 8 bytes of the resulting message digest value.
- Set key: Generate a 128-bit key by using the IV as a salt (s) and
stretching the user's pass phrase (p) by hashing with MD5 repeatedly as follows:
- Set X(1) = MD5 (p || s)
- For i = 2 to 1024, set X(i) = MD5 (X(i-1) || p || s)
- Set the key as the final value of X(i).
- Construct a padded encryption block:
Version 2:- Append the 3-byte CRC-24 checksum to the input buffer in big-endian order.
- Pad the result of the previous step by appending a padding string of between 1 and 8 bytes to make the total length of the encryption block an exact multiple of 8 bytes. The value of each byte of the padding string is set to the number of bytes added - i.e. 8 bytes of value 0x08, 7 bytes of value 0x07, ..., 2 bytes of 0x02, or one byte of value 0x01. This is the padding method recommended in RFC 2630, RFC 3370, RFC 1423, PKCS#5, and PKCS#7.
Version 3:- Compress the plaintext input using the ZLIB 'compress' function.
- Prepend the compressed data with a 10-byte header:
- a 2-byte signature ZS: 0x5A04 ('Z' + 0x04), plus
- the compressed length CLEN as a 32-bit integer in big-endian order, plus
- the original, uncompressed length ULEN as a 32-bit integer in big-endian order.
- Append the 3-byte CRC-24 checksum in big-endian order.
- Append a padding string of length NPAD between 9 and 72 bytes
to make the total length of the encryption block an exact multiple of 8 bytes.
This padding string consists of
- a "guard" block of 8 bytes each of value equal to the length, NPAD, of the padding string; plus
- a sequence of length 8*k of bytes each of random value [0,255] where k is a random integer between 0 and 7; plus
- a final block of size [1,8] bytes of value NPAD.
- Encrypt: Create the ciphertext by encrypting the encryption block using the Blowfish algorithm in Cipher Block Chaining (CBC) mode with the key and IV as generated above.
- Add header: Prepend the ciphertext with a 12-byte header consisting of
- A 4-byte signature: 0x4D59FC00 ('M' + 'Y' + 0xFC + 0x00) for Version 3, or 0x4D59FD00 ('M' + 'Y' + 0xFD + 0x00) for Version 2; plus
- The 8-byte IV
- Encode: Encode the resulting output using base64 encoding (RFC 2045 s6.8).
- Frame: Add CR-LF characters every 60 characters and surround with BEGIN and END frames in a similar manner to that used in PGP (RFC 2440 s6.2) and in Privacy Enhanced Mail (RFC 1421 s4.4).
Version 2
+---------------+ | Input buffer | +---------------+ | | +---------------+--------+----------+ | Plaintext... | CRC(3) | PAD(1-8) | +---------------+--------+----------+ |<----------(encrypt this)--------->| +------+---------+-----------------------------------+ |SIG(4)| IV(8) | Ciphertext... | +------+---------+-----------------------------------+ |<-------------------(encode this)------------------>| +----------------------------------------------------+ | Base64-encoded output... | +----------------------------------------------------+
Version 3
+-----------------------+ | Plaintext... | +-----------------------+ |<----(compress this)-->| | / | / +-----+-------+-------+--------------------+------+---------+ |ZS(2)|CLEN(4)|ULEN(4)| Compressed data... |CRC(3)|PAD(9-72)| +-----+-------+-------+--------------------+------+---------+ |<----------------------(encrypt this)--------------------->| +------+-------+-----------------------------------------------------------+ |SIG(4)| IV(8) | Ciphertext... | +------+-------+-----------------------------------------------------------+ |<-----------------------------(encode this)------------------------------>| +--------------------------------------------------------------------------+ | Base64-encoded output... | +--------------------------------------------------------------------------+
Decryption is the reverse process. The program will decode any base64-encoded data found between the framing characters. It will then look for and skip over the signature and extract the IV from the input before deciphering the remaining ciphertext using the key generated from the user's pass phrase and IV. If there is no signature, the program will assume that the ciphertext was created using MySecret Version 1 and decrypt accordingly.
After decryption, the program checks that decryption has been successful by examining the decrypted block.
Version 2: Working backwards from the end of the decrypted data, there should be between 1 and 8 padding bytes each of the same value between 0x01 and 0x08 preceded by a 3-byte CRC-24 checksum which should match a CRC checksum of the preceding plaintext data.
Version 3: Confirm that the first two bytes are 'Z' and 0x04. Convert the subsequent 8 bytes into the two 32-bit integers CLEN and ULEN. Check that the values of these integers are reasonable (not negative, not too large, CLEN < decrypted block size). Get the length NPAD of the padding string from the last byte in the block. Verify that the first 8 bytes of this padding string are all of value NPAD. Extract the 3-byte CRC-24 checksum immediately before the padding string, uncompress the compressed data to recover the original plaintext, compute the CRC-24 checksum of this, and make sure the two checksum values are equal.
If any of these checks fail, the program will indicate a "Decryption Error". Otherwise it will output the recovered plaintext either to the clipboard or to a file.
There is a VB6 project that demonstrates the algorithm available here.
Security Enhancements in Version 3
- Asking for confirmation of the password should eliminate typing errors.
- Compression of the plaintext before encryption adds to security by removing a lot of the structure in the data. For longer messages, it reduces the amount of data in the output. For shorter messages (where the 'compression' algorithm actually outputs a longer string than the input), it helps to disguise the length of the message.
- Adding a small random number of random padding bytes helps to disguise the actual length of short messages. This makes the same message encrypted twice harder to identify.
- Confirmation of correct decryption is now confirmed by several overlapping checks:
- A two-byte (16-bit) signature
- An 8-byte (64-bit) "guard" block in the padding string
- A 32-bit length value in the header
Contact
For more information or to comment on this page, please send us a message.
This page last updated 28 June 2021