Is the application part of the file encrypted also?

[Hirudin]

I think I will start using this program, it sounds very cool!



I do have one question:

The application and the text are stored in one file, does that mean the application is also encrypted? The reason I ask is that I've heard it's easier to crack encryption if you already know what is encrypted.

To say it another way: If I encrypt the sentence "My password is GOD" would it be easier to decrypt if I told you the beginning of the encrypted data is "My password is "? So if some hacker person knows what the application data is when it's decrypted does that make it easier to decrypt the application + text?

[mouser]

To say it another way: If I encrypt the sentence "My password is GOD" would it be easier to decrypt if I told you the beginning of the encrypted data is "My password is "? So if some hacker person knows what the application data is when it's decrypted does that make it easier to decrypt the application + text?

what you are describing is called a "Known Plaintext Attack" in crypto terms.

the bottom line is that it helps, but for good encryption algorithms, it doesn't help much, and won't significantly help an attacker.

in generic terms it can help an attacker tell when he found the right key if he/she is just trying trillions of them, but they could probably tell that just by looking at letter frequencies almost as easily.  there are weak encryption algorithms for which knowing the plaintext could help you, but AES used by fsekrit is certainly not one of them.

so in short, knowing the start of the plaintext is not going to help anyone.

The application and the text are stored in one file, does that mean the application is also encrypted?

fsekrit is "compressed" with pecompact to make it even smaller, but as i understand it (f0dder will clarify if i'm wrong), the encrypted data is just appended to the exe basically - so it's not really encrypted or part of the encryption process, so in this case your scenario doesn't apply anyway.

[f0dder]

The application part of your notes are NOT encrypted, just compressed as mouser points out. Thus there's nothing there helping a potential attacker. The compression is done for size issues, not security - even having the source code to fSekrit would not give an attacker any benefits (and in fact I'm considering opening up the source in the future).

Also, I don't know of any current known-plaintext attacks for AES/Rijndael, even theoretic ones (but I haven't checked in a while, I must admit).

In a coming version (don't know if it'll make it into the one scheduled for early April) I'll add some more security, something called "salt". Basically it means that two identical pieces of text encrypted with the same passphrase will NOT produce the same output file.

[Hirudin]

Thank you for the replys!

Actually I did what I should have just done in the first place: opened fSekrit -> wrote a line -> saved it as a new file -> renamed the file from modified.exe to modified.txt -> renamed the original file to original.txt... then compared the 2 files. Of-course they were identical, except the bottom of the modified file had some extra encrypted data.

I haven't done it yet, but I'm going get all my serials off my PDA and put them into fSekrit .exes in my various downloaded program folders...

[f0dder]

A decent file-comparison tool would also have clued you in - even the built-in "fc" command of windows works - fc /b file.original file.new. I prefer a decent hex editor and things like http://winmerge.sourceforge.net/ though