BFA7 Blowfish Advanced 7 Version 7.0 (c)1996 AtmuteSoft U S E R M A N U A L GENERAL REMARKS: 1. THERE MIGHT BE SOME MORE OR LESS HEAVY GRAMMATICAL OR LANGUAGE STYLE ERRORS. SORRY FOR THAT, BUT THE AUTHOR WAS BORN IN GERMANY, DOING HIS BEST ON WRITING THIS MANUAL. 2. ALL TRADEMARKS ARE TRADEMARKS AND OWNED BY THEIR OWNERS, OF COURSE. 3. YOU CAN PRINT OUT THIS DOCUMENT EASILY BY TYPING "COPY MANUAL.TXT PRN" IN THE DOS PROMPT. The topics covered in this documentation: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Introduction 2. Working with BFA7 2.1 Installation 2.2 How to use this program 2.2.1 Operation modes 2.2.2 Options 2.2.3 File selections 2.2.4 Error levels 2.3 While BFA7 runs... 3. Problems? 4. Security aspects 5. Copyright & warranty 6. Registration notes 7. BFA for Windows(tm) 95 8. Thank you... 1. Introduction ~~~~~~~~~~~~~~~ Blowfish Advanced 7 (BFA7) is a file encryption utility. This means you can input a secret password, which should be only known by you, and BFA7 will encrypt all selected files with that password. After the encryption nobody has access to the original data if (s)he doesn't know the right password. If you want to restore your original files you only have to type in the same password and BFA7 will do the rest. So far, so good. But why do I need such a program, you might ask. Well, we're living in a world where informations becomes more and more important. And today informations are mostly stored on computer systems. Ask yourself : which data on my computer's hard drive is private? There might be some love letters you want nobody to read them. Or, much more important, sensitive buisness data, documents containing informations about your financial status and so on. Or just those sexy pictures you got from the Internet :) Now the second important question : who has access to your computer? Please don't be naive, the answer is : everybody. Everybody can turn on your computer and get any information that's stored in it. In a network people might have access to your computer because all users might have the same rights. If you have a special account the system administrator is still the last instance and is able to watch everything you read or write in the network. Not to talk about the real bad guys : crackers breaking into computer systems to steal important informations (maybe hired by the competition?). The list of those frightening situations is very long and if you've enough fantasy and/or technical background you'll find even more of them. Sounds like paranoia? No, it's not. We're in the digital age now and we should get used to accept digital keys as well. In real live we use keys to lock the door to our homes, to avoid someone reading your diary and so on. Now it's time to protect the privacy in the computer world as well. The solution for all these problems is encryption. If you encrypt a sensitive file with a proved algorithm and a password complex and long enough to resist a brute force attack (that means to try out all possible passwords) your private data will be save. Crackers might copy the encrypted files but they are absolute worthless without the right password to decrypt them. But that's not all encryption can do. File-based programs as BFA7 are able to encrypt your valuable software in an easy way. Just encrypt your new word processor in the office before you leave to home. Nobody can stole the program now. Another important aspect is authentication. You're writing a new book or just an interesting article for the local newspaper? Encrypt it and you can be sure that nobody will be able to modify even a single bit in your document without your knowledge. File encryption software should be easy to use, should offer the best encryption technology available and last but not least it should be fast. BFA7 was designed to cope with all of these demands. It's very comfortable to use, has powerful features for every daily situation and uses the newest and safest state-of- the-art technologies to protect your data. Besides it uses the full 32bit power of the Intel processors 386/486/P5 and P6 (plus the clones) for maximum speed. And its successor for Windows(tm) 95 is already on its way. 2. Working with this software ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2.1 Installation ~~~~~~~~~~~~~~~~ It's very easy. The executable file BFA.EXE is a standalone program. However it'll be good to have the configuration file BFA.INI in the same directory. You can edit BFA.INI with every ASCII editor, configuring BFA7 for your own personal demands. I recommend to copy BFA.EXE and BFA.INI in a directory on your hard disk which is declared by the PATH directive in your AUTOEXEC.BAT. If you're not sure which directories are PATHed, copy the files to the DOS directory C:\DOS. Or create a special directory for BFA7 on your hard drive and add the right path information to your AUTOEXEC.BAT. E.g. create C:\BFA7 and copy BFA.EXE and BFA.INI into it. Then add the line "PATH %PATH%;C:\BFA7" to your AUTOEXEC.BAT. After a reboot you can use BFA7 everywhere on your PC system, on every drive and in every directory. With its small size of about 140 kB you can even execute it from floppy disks very quick. BFA7 needs a 386sx processor or better, DOS 3.0 or higher and at least about 490kB of free memory to run. 2.2 How to use this program ~~~~~~~~~~~~~~~~~~~~~~~~~~~ BFA7 is a program to be run in the DOS command line. You must give BFA7 a number of parameters before the program is able to start its work. Let's see first how you can arrange these informations correctly for BFA7. There are three types of parameters, which are defined like in the following scheme : bfa [operation mode] [options] [file selections] Here an example for better understanding: bfa e /r *.doc /-h Now let's examine this call to BFA7: - "bfa" is the call for the program. You may also type "bfa.exe", but this isn't really necessary. - "e" is the operation mode. It forces BFA7 to work in encryption mode. Files will be encrypted after you entered the password. - "/r" and "/-h" are options to activate or deactivate special features. Here "/r" will force the program to include all files in subdirectories and "/-h" will deactivate the renaming of encrypted files. - "*.doc" is the file selection. This special one will tell BFA7 to encrypt all found files with the extension "doc". Paramaters can be set in any order you like, except of the those defining the operation mode. They must always be placed behind the BFA program call. Options and file selections can be mixed. If you already have worked with command line based programs like XCOPY, PKZIP(tm) and so on, you're certainly familiar with this usage of parameters. If you have no or little experience with the handling of such programs it would be a good idea to read the DOS manual for the basic rules. Now let's have a look at the different operation modes and options of BFA7. You should read the following chapter very carefully. Only in this way will you be able to use the full power of BFA7. Please remember that all your input isn't treaten case-sensitive, except of passwords. 2.2.1 Operation modes ~~~~~~~~~~~~~~~~~~~~~ With BFA7 there are three operation modes which you can select by one of the following letters : e - Encrypt files. BFA7 will start to encrypt all the files you have selected after a correct password is entered. Please remember that encrypted documents can't be loaded in any application anymore and that encrypted programs can't be executed, too. They might contain such silly byte combinations that the system will be totally confused and might crash! And don't encrypt anything you might need for running your system properly, e.g. inilialisation files or systems files (like COMMAND.COM). Remember also that encrypted files aren't compressible any more. If you want to save disk space compress them before with programs like PKZIP(tm), ARJ, RAR or LZH (or use the built-in data compression by setting the /c option). d - Decrypt files. BFA7 will try to decrypt all files you have selected with the given password. v - View files. If you only want to know the states (encrypted or not) of your files, you should use this operation mode. The original files won't be touched in any way. If you intend to examine a large number of files it might be better to additionally create a report file (see /y option). If you typed any other letter than "e", "d", or "v", BFA7 won't work and will show you its help screens. 2.2.2. The options ~~~~~~~~~~~~~~~~~~ Options are usefull to switch BFA7's functionality in that way to fullfill your wishes as best as possible. With options you can turn special features of the program on or or off, declare an algorithm, other ways to input the password and so on. Although BFA7 works fine without any option, please read the following lines carefully to master critical situations and to use all the powerful feastures. Options must be defined with a leading oblique, e.g. "/c" to turn on the data compression. The program doesn't support the UNIX style, e.g. "-c", because under DOS hyphens are allowed to be used in filenames. Some options are switches, that means they only define two states (on and off, or true and false). To turn such an option on you must write "/x" (x stands for any legal option identifier), to turn it off write "/-x". This allows you to overwrite option switches predefined in BFA.INI. The following options are built in BFA7 (sorted by names) : /aX{Y} To decide on one encryption algorithm (single encryption) or two encryption algorithms (mixed encryption). The following numbers are valid for X {and Y} : 1 : Blowfish 2 : Blowfish32 3 : GOST 4 : TDES 5 : Cobra Blowfish is the fastest, TDES the slowest algorithm you can select. For more information about the used algorithms please read the file SPECS.TXT. For single encryption you have only to define one number, e.g. /a4 to encrypt your files with TDES. For mixed encryption you have to enter two numbers, e.g. /a13 for a Blowfish/GOST combination. If you don't define this option the program will choose Blowfish (single encryption) as for default. Please remember two important things : a) The numbers of the used algorithms are't stored in the encrypted files, so you have to remember which combination you've used (otherwise you'll have to try out all possible combinations, actually 25). b) If you used mixed encryption : the order of the defined algorithm must the same for decryption be as it was for encryption. E.g. /a45 and /a54 will produce totally different results. In the same way it isn't possible to encrypt a file with mixed encryption and to decrypt it in two single stages (e.g. encrypt with /a23 and decrypt first with /a2, then with /a3). The algorithms are internally "glued" together and work as one single unit. /b The program will store every file's original name in the header of the corresponding encrypted file. If you decrypt the file the original name will be restored. By defining the /b option you can tell BFA7 not to do this, but to keep the actual filename. This might be useful if you have changed the file's name while it was encrypted and want to keep these changes now. /c{f} BFA7 is enable to compress the data before it's going to encrypt it. By defining the /c option you can turn on this data compression. If a file can't be compressed (e.g. multimedia documents like JPG, GIF, MPG or just the archives of compression programs like ZIP, ARJ, RAR and LZH) it'll be stored uncompressed. By using the option's extended form /cf you can force the compression of a file, in the worst case the file will be about 10% bigger than it was before. Depending on what a file contains it can be compressed up to 98%. Data compression takes a lot of performance, so please keep in mind that the whole process while take much more time than without compression. /dxxx Normally encrypted files will be written at the same place were the original files were placed. If you want to create the encrypted files at another destination, e.g. for backup purposes, you can define a destination xxx with the /d option. The destination can be anything but a filename. You can declare a drive or a path or both combined. Please remember that you must write the option and the destination together, e.g. /dt:\bak. /eN The password (or the key in generally) can be entered in different ways. With this option you can choose which one you prefer. The following modes N are valid: 1 : The password is put in as you usually do it. You can enter a name or even a complete sentence. The letters of the password are converted to their corresponding ASCII values, e.g. an "A" has the ASCII value 65, a "0" the value 48 and a " " the value 32. 2 : In this mode you can enter the key values directly. That enables you to enter values who aren't accessable on your keyboard, e.g. the value 0. Using this mode makes it much harder to find out a password by trying all possible combinations because all values (from 0..255) can be used. 3 : Entering a password by defining the values directly is easy to use and makes the whole thing more secure. But what values should you choose? Don't make the mistake and enter 1, 2, 3, 4, 5 because such sequences can be guessed. The best way is to choose them randomly. But it isn't also wise to generate them by a program. The best random values are produced by nature. And an easy way to get some of them into the computer is by moving the mouse. If you use the /e3 option you can create such random values by just moving the mouse and clicking some times to generate the next value. Move the mouse wildly! Shake it! Only then the values will be mixed really well. Use the mouse button to move the virtual cursor as described in the input window. The mouse input mode isn't available in combination with the /l option. Because it's hard to enter an value exactly BFA7 will turn in the mode 2 if files have to be decrypted. 4 : If you're very distrustful this input mode might be the right one for you. The values are taken directly from the keyboard controller (for experts : the scan codes), ignoring every keyboard driver of the operating system. You will recognize that because you only can press one key at one time. Getting the key code in such a direct way avoids the danger that your passwords would be intercept by a special spying driver that records all your keystrokes (including the password) before transfering them to the application. The so called antitap mode is really useful because you can type in the password as in the mode /e1 but the bandwidth of the values (there are 102 keys on a stadard keyboard) is much better. Don't be shy to use F1..F12 or even the page-up/page-down keys within your password. But please be careful! Some keyboards may return different values for the same keys, especially the new ones with cool keys for Windows(tm) 95. I don't recommend to use special keys who aren't available on any standard keyboard. The antitap mode is more or less ineffective under multitasking operation systems like Windows(tm) or OS/2(tm), because there all direct hardware i/o is been isolated by the processor and the kernel. You should use /e4 under DOS. If you want to encrypt files you have to enter the password twice a time, except if you put it in via mouse (/e3). This avoids hitting the wrong keys by mistake and create a password you didn't actually want. For decryption you have only to type in the password one time. It isn't necessary to choose the same input mode again If you're smart you can try to enter the ASCII values of your pass phrase directly in the numerical mode or try to find corresponding letters or the values entered in the antitap mode. But normally it will be better to choose the same input mode again. It's just faster to do. The standard mode for password input is /e1. /fN Normally all your input (except if you're using the mouse) is covered be asterisks. With this option you can change the visibility of your password. The following modes N are valid: 1 : Your password will be covered with asterisks "*" as already mentioned. 2 : The password will completely be hidden. You won't see anything. This mode is only availabe if you give your password in the "conservative" way (/e1 option). 3 : All the letters or rather the values are visible. Please make sure that you aren't watched by someone behind you. And look out for hidden cameras aiming your computer screen! /g After it has created a file list BFA7 will ask you to start encrypting/decrypting or viewing. If you use the program in batch files or if you are absolutely sure doing always the right things this option may be useful. It turns the additional start and stop confirmations off. /h{e} Encrypted files aren't useful for anyone who hasn't access by knowing the right password. With the /h option all your encrypted files will be renamed with 13 random letters from the set "A..Z" and "0..9". This is useful for two reasons : a) nobody can predict anymore what was in your file because the original name and extension have vanished b) you can easily see which files are encrypted and which are not (so there isn't the danger to start encrypted executables and risk a system crash). If you want to keep the files' extensions, e.g. to have the possibility to delete all textfiles from within an encrypted set of files, then use the /he option. Please don't use this option in combination with the option /n, otherwise your original filenames will be lost forever! I have doubts you want an unencrypted file with the name 1CQP91YR.SJM, right? /i To check the integrity of a file's originial data after it has been decrypted BFA7 makes a CRC32 checksum comparison. If the checksums aren't equal the file won't be stored and the encrypted filed is recovered to give the user the chance to solve the problem (fix disk errors, choose another password, ...). With the /i options you can turn off this integrity check. A file will always be decrypted, even if some data areas are damaged. Please use this option VERY CAREFULLY! Use it only if you're 100% sure that the password is the right one. And don't forget to backup the encrypted file to have another chance for decryption. A file decrypted with the wrong password is trash, just trash! It's strongly recommended to let the entry "IgnoreChecksums" in BFA.INI always set to "off". If CRC32 errors occur please try to fix them manually with the /i option. /j If you don't want BFA7 make any sound use this option. /k The date and time information of a file is stored together within the encrypted counterpart and restored after decryption. You can force BFA7 to keep the original date+timp stamp even in the encrypted state by using this option. /l This option turns the display off and forces the program to put out all the informations via DOS. This allows you to redirect the output of BFA7 to any DOS device (e.g. to NUL or to a file). Be aware that the so called standard output shows much less informations that the display. The /l option is useful especially in batch files and for shells who call the program and don't want any visible output. /m If you're a laptop user and the BFA7 colors don't appear clearly on your LCD screen this option might help (also the color display has been successfully tested on a B/W LCD screen). It turns the colors off and switches the display into black and white. /n As already mentioned BFA7 stores the original filenames in the encrypted files (of course the filenames are encrypted there). If you don't want the program to do this then use the /n option and you'll save 8 or 16 bytes per encrypted file. Please don't use this option in combination with the /h one! /o{r}{N} This option forces the program not only to delete the original file but also overwrite its data before it's going to be deleted. The reason is that if you delete a file conventionlly only an entry in the file allocation table (FAT) is changed, but the original data stays onto your hard disk until it'll be overwritten by a new file. Until. It's hard to say when this situation will occur. But it's easy to undelete a file or to read out the data with a disk editing utility. Very easy, just anybody can do this. With the /o option this danger will vanish. The original data will be physically deleted by overwriting it according to the NTSC-TG-025 regulations (Version 2, Sep 1991). Sounds cool, doesn't it? If you use /or the program will continuously create random data. This might be useful in combination with online disk compression programs (so the data for overwriting can't be compressed at any time). You can repeat the overwrite process up to 99 times by adding a number, e.g. /o7. Please remember that overwriting does only make sense if any write cache is turned off in your system. Under DOS e.g. you might deactivate the cache for drive D: by typing "SMARTDRV d-". Unfortunately some other operating systems, like Windows(tm) 95, don't allow you to control their cache systems. Especially for Windows(tm) 95 it'll be the best to do all the encryption in DOS mode (not just in the DOS box, you have to leave the GUI completely). /p You can predefine a password in the command line with this option. Just append the password directly after the option character, e.g. /pgirlfriend. You can enter a complete pass phrase if you put it in quotation marks, e.g. you may type /p"The weather is green next car!" (this is really a good password, the less sense it makes, the better!). Remember that the password is visible while you enter it! Don't use this option in batch files! If you do the batch files must be destroyed after! It's not possible to define passwords for mixed encryption by this option. /q{ahrs} Due to the fact that a file's original attribute is stored in its encrypted counterpart and will be restored after decryption BFA7 is able to encrypt any file on your hard disk, system and hidden files included. With the /q option you can set the so called excluding attribute mask. This mask defines a number of attributes. If a file has one of the attributes defined with the /q option it will not be encrypted or decrypted. The following letters are valid: a : exclude files with the "archive" attribute set h : exclude hidden files r : exclude write-protected files s : exclude system files If you want to encrypt everything just type "/q". The default attribute mask is /qhrs, this means that the program will encrypt any normal file, but ignore readonly, hidden and system files. Please remember that encrypted files will always have the "archive" attribute, even if they originally were hidden, system and/or readonly. /r This option tells the program to go into recursive file search mode, extending the looking up for files to all subdirectories of your selection. If you type "bfa e c:\*.* /q /r" the program will encrypted really EVERYTHING on your C: drive. Don't forget to create a bootdisk with BFA.EXE on it to reactivate it :) /s For default BFA7 checks if a file is already encrypted. If it is it won't be encrypted a second time. By defining the /s option you can turn off this check. The program won't check (and skip) now for already encrypted files. Please remember that if you encrypt a file multiple times you have to decrypt it multiple times in reversed oder, too. /t If you've defined a special destination for the files with the /d option the result will look like a copy procress with additional encryption. Use the /t option and the original files will be deleted, too. So you'll have a file movement. I strongly recommend to use this option in combination with the /o one to destroy any original data. /uN The display isn't dependant on the normal text mode resolution 80x25. You can use any text mode that is available on your system and can be displayed by your monitor. The following settings N are valid : 1 : 80x25 2 : 80x30 (only VGA) 3 : 80x50 (only VGA, on EGA 80x43) 4 : VESA textmode #1 (if available) 5 : VESA textmode #2 (if available) 6 : VESA textmode #3 (if available) 7 : VESA textmode #4 (if available) 8 : VESA textmode #5 (if available) 9 : VESA textmode #6 (if available) The modes 1 to 3 should run fine on every computer system. The VESA text modes are a little bit more critical. Either they might not be available (BFA7 will use mode 1 then) or the resolution can't be display with your monitor, so the screen might turned black or even be damaged! Please consult your hardware manual what's possible on your system. /v This options will force the program to query the user before it starts encrypting or decrypting each file. This might be useful if you want to encrypt only some special files. The message dialog also allows you to exit the program prematurely. /w If you define this option the program won't warn you before it's going to overwrite an existing file. I don't recommend to use this option. Even if files have the same name they might be totally different. /x After BFA7 has parsed the command line BFA7 checks the integrity of the executable (normally BFA.EXE, if you didn't renamed it). If the program was modified by a cracker or a virus it'll be detected and you will be notified by a warning message, except you've set the /x option. This might be useful in combination with virus scanners who add checksums to executable files or if you launch the program on slow systems from uncached floppy disks to save some time. I recommend to avoid this option! If your BFA.EXE seems to be modified then contact the author to get an original copy. Anything other might produce a bad encryption, spread viruses or blow up your whole system. Nobody knows. /y{+}{xxx} This option will force the program to create a so called report file. This is an ASCII textfile named BFA.RPT where every action of BFA7 is logged. If you add the "+" switch, the new informations will be appended to an existing report file. You're allowed to supply the destination of the file BFA.RPT (xxx). If no other destination is given, the program will use BFA.RPT in the current directory. Please remember, that BFA7 will refuse to encrypt or decrypt any file named BFA.RPT! /z As already mentioned the original attributes are stored in the encrypted files. If you don't want them to be restored then use the /z option. This might be useful e.g. if you don't want to recreate writeprotected files (e.g. if the original counterparts were located on CD-ROM). /# This option restricts the passwords to a maximum length of 5 characters/bytes. Might be useful for system administrators who offer the program to network users which aren't allowed to use uncrackable long passwords (a sysadmin will have to give BFA.EXE and BFA.INI special attributes, of course, so that the user can execute but not copy the files, maybe you (s)he turn on the /x option). Please remember that you can't turn off this option if it was set in the configuration file BFA.INI. /% To set the CBC inialisation vector and the output of BFA7's random generator to zero you must use this option. This enables you to create identical cryptfiles with the same password and the same source. Only useful for experts to check the correct work of the program. For more informations please read the file SPECS.TXT. 2.2.3 File selections ~~~~~~~~~~~~~~~~~~~~~ You can give BFA7 as many file selections as you want. It's possible to declare a single file or wildcard, multiple selections, or all combined. The syntax is the same as in all other command line programs in DOS, Windows(tm), UNIX or OS/2(tm). Just some valid examples : bfa e *.* (all files in the actual directory ) bfa e *.htm *.gif (all files with the extensions "HTM" and "GIF") bfa e d:\text\*.txt (all files in the directory d:\text with the extension "TXT") bfa e \*.zip a:*.asm e:\doc\e???0??.doc (all ZIP-files in the home directory on the actual drive, all assembly sources on the floppy disk in drive A: and all documents in the \doc directory on drive e: that fit into the "e???0??" mask) 2.2.4 Errorlevels ~~~~~~~~~~~~~~~~~ The program returns the following error levels to the operating system: 2 : no error, everything worked fine 3 : program initialization failed 4 : fatal error occured (file couldn't be closed, etc.) 5 : user break detected 6 : no files were found 7 : illegal command line 8 : invalid password entered 9 : out of memory These codes are useful in batchfiles were you can read them out with the ERRORLEVEL expression. While BFA7 runs... ~~~~~~~~~~~~~~~~~~ ... you won't have to do much more. If you have defined options and fileselections right the only thing you have to do is to enter the password. BFA7 will start then to search all files fitting to your first file selection. If you haven't defined the option /g or set Confirmations=Off in the BFA.INI the program will query your permission to start. Depending on the speed of your computer system and the selected algorithms BFA7 will now start to encypt/decrypt/view your files. If you didn't turned the display off you'll see the progress of the program's action in clearly arranged windows. In the window "Files" you'll see the processed files with their pathnames, the compression ratio (100% means no compression, 50% e.g. that the file could been shrinked to half of its original size) and some results messages. In the window "Status" BFA7 will show you the selected workmode and the destination you've defined to copy/move the files. "Operations" shows the name of the actual processed file and a nice progress bar. The progress bar changes its color depending on what BFA7 is actually doing (red = encrypting, yellow = wiping (overwriting original data), green = decrypting, blue = viewing file states). The window "Statistics" will show you the number of files, the encryption speed rate in kb/sec, how much files were processed successfully and some byte statistics. 3. Problems? ~~~~~~~~~~~~ Am I able to halt the run of BFA7 while it's working? Yes you can. Press one of the following keys to interrupt the program : [Esc], [Alt]+[F4], [Alt]+[X] or [CTRL]+[Break]. BFA7 will query you before it'll returns to DOS. The actual file will of course be restored before the program will terminate. What errors might occur with BFA7? There are two classes of errors : file dependent errors and system dependent errors. File dependent are such exceptions like if a file isn't encrypted (decryption) / has already been encrypted (encryption), can't be decrypted due to a wrong password, was created by a future version (and isn't compatible to the actual one) or CRC32 errors. Only the last one (checksum errors) is real critical : it means that data was damaged more or less. Try to decrypt it with the /i option after you've made a backup the original file. If your password doesn't work anymore then you're in some kind of trouble. Perhaps you have used an older password, the [CAPS LOCK] key was pressed or (in antitap mode) you're using keyboards with different scan codes. The second class are system errors, e.g. if the program tries to write on a CD-ROM (open to read errors), if files were deleted after BFA7 has completed its search list or (probably the worst case) if your data carrier is damaged. If you use the recommended random file renaming (/h option) then it might be possible that there were 2 encrypted files with different random, but equal original names in the same directory. The first one will ve decrypted and restored correctly, but the second one will activate the overwrite warning. Then you have to decide whether the files were equal and the first one can be deleted or not. 4. Security aspects ~~~~~~~~~~~~~~~~~~~ If you choose a password there's one important thing you must think about first : every password barrier can be broken using a brute force attack. This means an attacker will try out every possible password If your password is three letters long and the bad guy estimates that you've only used characters from 'a' to 'z' then are 26 * 26 * 26 = 17,576 possibilities for choosing a password! Yes, I said 'only'! In the worst case (s)he have to try 17,575 combinations to find your password. With a well optimized key search program run on fast computer system the attacker cracks you password within a second! But if you're using only 2 letters more, (s)he must try out 26 * 26 * 26 * 26 * 26 = 11,881,376 combinations, which takes much more time, even with a fast computer. The rule is simple : the more letters (or in binary mode : the more bytes) you use, the more possibilites exist, the harder is the encrypted file to break. Using binary passwords is a fine method (/e2,3,4 option). With a 6 bytes long binary password there are 256*256*256*256*256*256 = 281,474,976,710,700,000,000 (281 trillion) possibilites. Let's assume a supercomputer can try 1 million keys per second, them it'll take about 9 years to test all possible combinations. Using just one byte more and the brute force attack will be senseless. Registered users will get BFACRACK.EXE, a brute force key search program, e.g. useful to find passwords that have been entered with light errors, for example "imagintaion" instead of "imagination". How should you choose your password? Don't use personal common words, such as the name of your husband, wife, daughter, son, dog, cat, lover, your insurance, house or telephone number, the numbers of your birthday or -year (not even in reversed order or another combination), etc. You can be sure an attacker will try these ones first! If you don't want to use binary passwords then use passwords at least 8 letters long. Don't use only small letters! Use some of the extra characters (&/%=-:,), use numbers. For example if you use "Hollywood-1995" as your password, there are over 15,515,568,480,000,000,000,000,000 (15 septillion) combinations, too many for any kind of brute force attack! But watch out: with the growing length of a password the chance to forget it grows as well. Please always remember: * * * * * * * * * * * * * * * * * * DON'T FORGET YOUR PASSWORD! * * REMEMBER IT! * * IF YOU CAN REMEMBER IT, * * WRITE IT DOWN! * * * * * * * * * * * * * * * * * * AtmuteSoft has no utilities to restore files encrypted with an unknown password of a secure length. BFACRACK can try about 10 (Blowfish) to 1000 (GOST) passwords per seconds on a 486DX4. The program BFA7 doesn't store the password, neither in the cryptfile nor anywhere else. The password is even deleted in memory before the program is terminated. For additional informations please read the file SPECS.TXT. 5. Copyrights and warranty ~~~~~~~~~~~~~~~~~~~~~~~~~~ AtmuteSoft and BFA7 are property of the author of this software, Markus Hahn. The Blowfish encryption algorithm was designed by Bruce Schneier. You can contact him via schneier@counterpane.com. The Cobra encryption algorithm was designed by Christian Schneider. You can contact him via 100542.2132@compuserve.com. The programming of the Blowfish assembly implementation was done in cooperation with Cedric Reinartz. You can contact him via cer@servww4.ww.uni-erlangen.de. YOU ARE USING BFA7 AT YOUR OWN RISK! ATMUTESOFT (MARKUS HAHN) IS NOT LIABLE FOR ANY DAMAGE CAUSED BY THE USE OF BFA7 OR BY THE INABILITY TO USE BFA7. IF YOU ARE NOT SURE ABOUT THIS, OR IF YOU DON'T ACCEPT THIS, THEN DO NOT USE BFA7! This software has been well tested on several computer systems from an antique 286/10MHz systems up to a modern P6/150. 6. Shareware notes ~~~~~~~~~~~~~~~~~~ This is a shareware version of BFA7. You are encouraged to spread it around the world by publishing it on CD-ROM, BBS, offering it via FTP or WWW. The only limitation is that the complete program package should not be changed in any way. The maximum key length of this shareware version has been restricted to 5 characters (40bit), for that there should be no problem for re-exporting BFA7 out of the United States. After the a trial time of 20 days you should get your own copy of BFA7 for a very small registration fee of US $20.00 (students US $15.00). For more informations read the file REGISTER.TXT. Users from Germany please read the file LIESMICH.BRD. If you have problems, questions or suggestions you can contact the author at the following address by snailmail : Markus Hahn Schellingstrasse 13 72622 Nuertingen GERMANY You can also send an Internet email to the address: hahn@pcmail.rz.fht-esslingen.de ( you may even try hahn@.rz.fht-esslingen.de, if the standard address doesn't work ) 7. BFA for Windows(tm) 95 ~~~~~~~~~~~~~~~~~~~~~~~~~ is already under developpment and will be available in the late summer 1996. The following additional features are planned until now : * new encryption algorithms : IDEA, MDC/SHA and SAFER * faster data compression * selectable authentication with MD5 * selectable output in an uuencoded format * a fast and easy to use interface, "Encryption at your fingertips! (R)" * some other cool things... New versions of BFA7 should be always available on the following Internet FTP services: ftp.uni-stuttgart.de /pub/systems/pc/security/bfa7xx.zip ftp.leo.org /pub/comp/platforms/pc/msdos/apps/security/bfa7xx.zip International servers where BFA7 will be uploaded are garbo.uwasa.fi and nic.funet.fi. If you only have access via email or if you don't trust the copy you got you can contact the author directly to send you the newest shareware version (if available) in uuencoded format (and encrypted with PGP on demand). 8. Thank you... ~~~~~~~~~~~~~~~ to all my betatesters and all people who have supported me writing this program, especially to Cedric Reinartz, Chris Schneider, "vfast" Steve (for interesting insider informations and language translation support) and Tobias Ueberschaer (betatesting). A special thank you goes to Bruce Schneier for its absolutely brilliant 2nd edition of "Applied Cryptography" (John Wiley & Sons, ISBN 0-471-11709-9), the bible for all code hackers and for his fairness to place the Blowfish encyrption algorithm in the public domain. -end-