An encryption format offering better security, performance and ease of use than PGP.

Overview

Logo

Covert Encryption

A file and message encryptor with strong anonymity

  • ChaCha20-Poly1305 stream cipher with authentication
  • Argon2 secures shorter passwords against cracking
  • Curve25519 public key encrypt & sign with SSH, Age and Minisign keys

Anonymity, privacy and authenticity

The encrypted archive looks exactly like random data, providing deniability. Every byte is protected so that not only is reading prevented but authenticity is also verified, protecting your data against any outsiders, and files may also be signed if necessary.

Other encryption tools add unencrypted headers revealing the recipients and other metadata. Covert was created to address this very problem, to stop all information leakage.

A message (base64 or binary) has no headers or anything else that could be recognized:

HDGKMFEo5cYHtUF1w9aNlX1lMmWJD3B7p8HoBoQZTNJGjg/nUOMqlXLspmmVO7PQj8Pe

Covert generates easy passphrases like pinkmuletibetdemand for the above. The encoded message includes random padding to hide the length of the message and it is still shorter than others. For comparison, gpg needs six lines instead of one and still ends up revealing the exact length of the message.

Try it!

Python pip will add covert on your system. Decrypt the above message to see what it says:

pip install covert
covert dec

File I/O speeds matching the fastest SSDs

Benchmark results. Covert up to 4 GB/s.

Covert is the fastest of all the popular tools in both encryption (blue) and decryption (red).

Program Lang Algorithms Operation
Covert Python chacha20‑poly1305 sha512‑ed25519 encrypt with auth and signature
Age Go chacha20-poly1305 encrypt with auth
Rage Rust chacha20-poly1305 encrypt with auth
OpenSSL C aes256-ctr (hw accelerated) encrypt only
GPG C aes128-cfb, deflate encrypt with auth and compression
Minisign C blake2b-512 ed25519 signature only (for reference)

A few interesting features

Files of any size may be attached to messages without the use of external tools, and without revealing any metadata such as modification times.

A completely different ciphertext is produced each time, usually of different size, even if the message and the key are exactly the same. Other crypto tools cannot do this.

Covert messages are much shorter than with other cryptosystems, accomplished by some ingenious engineering.

A key insight is that a receiver can blindly attempt to decrypt a file with many different keys and parameters until he finds a combination that authenticates successfully. This saves valuable space on short messages and improves security because no plain text headers are needed.

Screenshot

A secure desktop app

Covert comes with a graphical user interface built in. Unlike PGP GUIs, Covert does not use external CLI tools but instead does everything inside the app. Storing the plain text message on disk at any point exposes it to forensic researchers and hackers who might be scanning your drive for deleted files, and unfortunately there have been such leaks with popular PGP programs that use temporary files to communicate with external editors or with the gpg tool.

Additional reading

Covert is in an early development phase, so you are encouraged to try it but avoid using it on any valuable data just yet. We are looking for interested developers and the specification itself is still open to changes, no compatibility guarantees.

Comments
  • Implementation of signatures

    Implementation of signatures

    Our goal is to primarily use only X25519 keys (i.e. encryption keys, Montegomery Curve), and for signatures to convert them to corresponding Ed25519 keys (signing, Edwards Curve). Such a practice is commonplace and is considered safe in this scheme. The key conversion from Ed25519 to X25519 is implemented in libsodium and thus is commonly available. Covert already implements to opposite conversion, as specified by Whisper Systems / Signal in their XEd25519 (XEdDSA) scheme.

    The sign problem

    One problem with the opposite conversion is that X25519 keys lack a sign bit that is present on Ed keys, meaning that a single key can produce two different public keys, and thus incompatible signatures. Signal's specification suggests forcing the sign bit zero, and by modifying the secret key so that it matches. We believe that this approach is bad, and it would appear that Signal have also abandoned it for another approach that actually stores the sign bit in an unused bit within the signature itself.

    Rather than forcing or storing the sign, one can easily try verifying the signature with the bit flipped both ways. One will fail, but if the other passes, the signature is good. Therefore, this is not really an issue.

    The hashing problem

    In principle the secret keys of both schemes are identical, and only the public key needs conversion. However, it is a common practice to take sha512 of an Ed "secret key" (i.e. what is stored in the keyfile) to obtain the actual secret key used by the algorithms. Thus, a secret key converted back won't work, because this extra round of hashing breaks it. Unfortunately this hash operation is built deep inside libsodium/ref10, and cannot be disabled.

    X25519 operations do not use such hashing but instead use the given secret key directly. The libsodium ed25519_sk_to_curve25519 conversion function does just this hashing.

    Signal solves this by their own XEd25519 signing algorithm that omits the hashing. This is almost perfect for our intentions as well, except for the fact that there are no commonly available implementations of this signing algorithm, and maintaining our own Python implementation of it does not seem optimal. Also, the algorithm opts for simplicity and does not require the public keys to be entirely unique (fully reduced).

    Choices

    Thus, as for implementation, we have two main options:

    1. Signal's XEd25519, which allows us to use any Ed25519 or X25519 keys, and stores the sign bit in signatures
    2. Standard Ed25519 which can only work with Ed25519 keys

    Option 1 seems more sensible for the future, where XEdDSA is expected to be implemented in crypto libraries, and if so, it would simplify Covert implementation.

    Option 2 might be reasonable because nearly all keys that we might want to use come in Ed25519 format. SSH and minisign keys would work for encryption and signing but Age keys could only encrypt. We would need to handle keys differently depending on which format they were sourced from.

    Leaving the issue open for discussion.

    question 
    opened by covert-encryption 22
  • Implement ID store in a file

    Implement ID store in a file

    Covert needs persistent keystore to avoid always typing keys on command line and more importantly to enable forward secrecy in conversations (because temporary keys need to be stored somewhere).

    This is a draft implementation that still contains bugs ~~and does not implement anything but static keys.~~

    covert enc -I alice:bob -i ~/.ssh/id_ed25519 -R github:bob   # Encrypt a message, store keys in database
    covert enc -I alice:bob   # Encrypt another message using the stored keys
    

    If the sender profile (alice) does not exist, it will be created. If no -i is provided, a new keypair is created. Keys may be replaced later by providing another recipient or -i arguments. It is planned that bob won't need to add alice's key when replying. In near future this should also enable a conversation mode where replies have forward secrecy and post-breach secrecy. The profile names are strictly local and are never sent to peers.

    The ID store is protected by a longer than normal 5-word passphares, which is automatically created the first time the keystore is used. All profiles share the same master passphrase.

    Breaking change: Signatures of upcoming 0.7 will be incompatible with prior versions.

    TODO:

    • [x] Public ID key storage and automatic generation
    • [x] Use ID-based keys, display IDs in authentication and signatures instead of raw keys (CLI)
    • [x] ID management (key export, changing of passphrase etc) covert id subcommand
    • [ ] ID selection dropdowns and other functionality based on ID store (GUI)
    • [ ] Daemon (agent) that remembers the passphrase for a while
    • [ ] Time-based expiration of keys (locally, not planned to be included in messages)
    • [x] Code cleanup / refactoring & UX polish
    • [ ] Workflow to "reply" to messages in an easy way (CLI, GUI)
    • [x] Forward secrecy in conversations
    opened by covert-encryption 10
  • Dirty Elligator for better hiding of the ephemeral key

    Dirty Elligator for better hiding of the ephemeral key

    Three bits of information per file were still leaked in ephemeral keys, weakening the deniability property. This is fixed by implementing dirty keys that use all eight of Curve25519 subgroups rather than only the prime group.

    Also implements and uses Signal's XEdDSA (XEd25519) for signatures as is written in Covert specification. Previous versions used EdDSA instead, making it impossible to sign with Age and Wireguard keys. Now all key types are good for both signatures and encryption.

    Fixes #55 Fixes #2

    opened by covert-encryption 7
  • Added Montgomery module and minor changes in Elliptic module

    Added Montgomery module and minor changes in Elliptic module

    Improved low order point encoding that is now inconsistent with libsodium and monocypher but more logical and able to represent all low order points correctly. The point at infinity is encoded as u=-1 (mod p), which is not a curve point and has no birational mapping to Ed25519 anyway (division by zero), while everything else uses the standard mapping and encoding specified in RFCs. Similarly the Ed25519 neutral element (ZERO, equivalent to the point at infinity) cannot use birational equivalency as it too causes division by zero due to its y coordinate being 1.

    opened by covert-encryption 4
  • Indistinguishability flaw

    Indistinguishability flaw

    Hi,

    I’ve been pointed to your work, and I see you’re using my work for exactly what I wanted it to be used, that’s nice!

    I think I found a bug, that makes the encrypted archives easily distinguishable from random. It’s a subtle, easy to miss issue about Elligator2. Here’s the culprit: you’re taking a freshly generated public key from vanilla X25519. The error is using vanilla X25519.

    See, Curve25519 is not quite a prime order group. It has a non-trivial cofactor of 8. DJB got around the issue by inserting special precautions in the design of X25519. One of them was making sure all the generated points are in the prime order subgroup, which comprises only one eight of the curve. (He does this by clamping the scalar down to a multiple of 8).

    Elligator2 however operates over the whole curve, not just the prime order subgroup. So when an attacker sees the file and tries to unhash the key, they’ll notice that all the resulting points always happen to be on the prime order subgroup. (To verify which subgroup a key belongs to, you can just multiply it by its order L.) With truly random files this is supposed to happen only one time in 8.

    In other words, for each file you encrypt, you expose 3 bits of evidence to the attacker that this is an encrypted file, not a truly random one. (Now one might suspect things about random files, but those 3 bits can also leak part of the file format, and my guess is that you want to hide as much meta data as possible.)


    To correct the problem, you need to generate points on the whole curve, not just the prime order subgroup. You need a "dirty" X25519 key somehow, yet still retain full compatibility with vanilla X25519. You need Monocypher’s crypto_x25519_dirty_fast().

    Now I see you’re mainly using Libsodium, and only pulled my Python Elligator2 code (which by the way is not constant time, though it probably does not matter for offline uses). The problem is that Libsodium has no way that I know of to generate the dirty keys you need. (Last time I checked Frank Denis was explicitly not interested in supporting indistinguishability from random.)

    My recommended course of action is to use Monocypher’s high-level crypto_hidden_key_pair() function. The third party Pymonocypher bindings may help you there. It will fix both timings & indistinguishability issues.

    bug needs investigation 
    opened by LoupVaillant 4
  • Problem while trying to install latest versions.

    Problem while trying to install latest versions.

    Cool project first off all.

    Running pip install covert downloads version 0.2.1 which is weird. I thought maybe i have a cached old version of covert so i tried --no-cache-dir --force-reinstall commands. Same result, v 0.2.1)

    Running pip install covert==0.5.3 shows the following error :

    ERROR: Could not find a version that satisfies the requirement covert==0.5.3 (from versions: 0.2.0, 0.2.1)
    ERROR: No matching distribution found for covert==0.5.3
    

    This issue maybe is only on my computer but i thought maybe it's something worth checking.

    In the homepage i prefer if you change the pip install command to pip install "covert[gui]" (with double Quotation marks).

    In addition, writing a good Installation guide for covert must be done, and a guide on how to build/run the code from source, Dev environment, etc. This will save a lot of time for interested people to take a look at the project instead of spending some time and effort to figure how to run it. Good luck!

    Thanks!

    opened by sh-dv 4
  • Support editing archives, keeping encrypted notes

    Support editing archives, keeping encrypted notes

    Implements covert edit CLI command that extracts an existing archive, allows editing its text and then re-encrypts the data. Any attached files of the archive are kept without extracting them or the message to disk. The original file is overwritten.

    This function is intended to allow adding and removing attachments, as well as using public keys, but for now it is limited to message editing and passphrases. Also, all data must fit in RAM, as no streaming is yet implemented for this mode.

    Fixes #57

    opened by covert-encryption 3
  • qcovert will not decrypt simple password-protected files.

    qcovert will not decrypt simple password-protected files.

    This error occurs when I use qcovert and choose Open Covert File, an armored or unarmored passphrase-encrypted text file.

    The file can be decrypted at the command line.

    Traceback (most recent call last):
    File "/home/ap/.local/lib/python3.10/site-packages/covert/gui/app.py", line 104, in decrypt_file
    self.decrypt(data)
    File "/home/ap/.local/lib/python3.10/site-packages/covert/gui/app.py", line 109, in decrypt
    d = DecryptView(self, infile)
    File "/home/ap/.local/lib/python3.10/site-packages/covert/gui/decrypt.py", line 35, in __init__
    self.decrypt_attempt()
    File "/home/ap/.local/lib/python3.10/site-packages/covert/gui/decrypt.py", line 105, in decrypt_attempt
    if self.blockstream.header.key:
    AttributeError: 'BlockStream' object has no attribute 'header'
    

    From here, nothing happens - we are at the main screen.

    Example (armored) file --

    Password is oakpigartbecome

    Unz4TxF16QTcqbtEbpc56IgOm+gmaIbD+/dpcIVeTc1PH8b9DQevQ5SsMum99yhgRAByRKJ360tDCo8yLEogl3kGNCw3ISbH161ux7EVvQZCPJF6JfyVQ4Cq/6fCd1fBK2eOqKXf4w6atfIS+NCP8V2eBbfJrog0w73jVQ

    opened by apatheticposture 2
  • qcovert needs dependencies: PySide6 and showinfm

    qcovert needs dependencies: PySide6 and showinfm

    Installing covert from pip, a few dependencies weren't pulled into my system required for qcovert to run properly:

    • PySide6 (pip install pyside6)
    • showinfm (pip install show-in-file-manager)

    These don't appear to be part of any default install on my Kubuntu system, at least.

    opened by apatheticposture 2
  • Policy for reporting security vulnerabilities

    Policy for reporting security vulnerabilities

    Hi, what's the process for reporting security vulnerabilities?

    (FYI: GitHub automatically treats the file docs/Security.md as the project's security policy, but that file actually contains information about the encryption format rather than instructions for reporting security vulnerabilities.)

    opened by hddqsb 2
  • Implemented a thread for opening a file using mmap in the decrypt_fil…

    Implemented a thread for opening a file using mmap in the decrypt_fil…

    Implemented a thread for opening a file using mmap in the decrypt_file() function in /gui/app.py. It was listed as a TODO item to replace the with open() call.

    opened by technokowski 2
  • Key commitment to protect AEAD against malicious keys and ciphertexts

    Key commitment to protect AEAD against malicious keys and ciphertexts

    AEAD schemes are vulnerable to an invisible salamander attack where one ciphextext may decrypt to many different plaintexts depending on the key used. The process involves creating at least two different keys and manipulating the ciphertext blocks such that desirable decryption is obtained. There will be a lot of random noise in the messages but with a bit of brute forcing for suitable keys it is possible to find keystreams that produce for a few bytes two messages so that the garbage is ignored (the original paper demonstrated making the data seem either as JPEG or BMP, depending on a few header bytes that would skip the other image and the rest of the garbage). The attack applies to ChaCha20-Poly1305 which is employed by Covert, as well as to AES-GCM and other AEAD constructs.

    Covert should probably implement a key commitment header that contains a 12-byte hash of the file key. This avoids the aforementioned exploit (that does affect all other kryptographic software based on AEAD where keys may be chosen maliciously), and it could also make testing for recipient keys a bit easier, not having to brute force block0 location and size, as is currently done. Only after a matching key is found, does one need to go looking for block0. Adding this would be a breaking change to all existing users. We can implement legacy mode to also support the old format for now, but that would be removed prior to 1.0 release.

    Normally the recipient controls the keys, so this is not an issue, but there are a number of cases where it can be.

    enhancement 
    opened by covert-encryption 0
  • Signature scheme is broken

    Signature scheme is broken

    The signature scheme (which is based on signing the Poly1305 tags) is broken: When a file has multiple recipients, one recipient can carefully edit the blocks in a way that leaves the Poly1305 tags unchanged. Other recipients will not be able to detect the modification.

    This is because Poly1305 is not a cryptographic hash function. Knowledge of the key allows an attacker to construct almost-arbitrary plaintexts that have a desired Poly1305 tag.

    I don't have a proof-of-concept, but I think this is apparent from the definition of Poly1305. I can probably construct an example if requested.

    Suggestion: Compute a cryptographic hash of the plaintext data, then sign that hash (and encrypt the signature). Some suggestions for hash functions:

    • SHA-512 (which is also used internally by Ed25519)
    • BLAKE2 (which may be faster than SHA-512).

    It will probably be a little slower than Poly1305, but that can't be helped.


    Also, the scheme used to encrypt the signature is very suspect. It uses filehash[:32] as the encryption key and hash(filehash + recipient_public_key)[:12] as the nonce. But filehash is public (it is a SHA-512 hash of the Poly1305 tags, which are appended to the ciphertext and are therefore public). So if an attacker knows the recipient's public key, the attacker can decrypt the signature block. And if the attacker doesn't know who the recipient is, they can use the signature block to test known public keys and determine if they are the recipient.

    Suggestion: Encrypt the signature using a secret key.


    Finally, a minor comment (which may soon be irrelevant): The scheme for calculating filehash repeatedly calls sha512, but there is no apparent reason for doing so. It would be faster to just compute the SHA-512 of the concatenation of all the values to be hashed.

    bug enhancement 
    opened by hddqsb 2
  • Switch to deterministic signatures

    Switch to deterministic signatures

    XEdDSA requires a 64-byte nonce as additional security against such a case where the same message was signed many times and a computational error or a side channel leak could then reveal the secret key. Such additional security is not of any use in the case of Covert where the message itself is always different, and would not be necessary in any case if an implementation was free of side channel leaks and the CPU was not broken. There is discussion of this trade off in the Signal XEdDSA specification and in RFC 6979 as well as in Bernstein's Ed25519 paper.

    The message being signed in Covert is the file hash which should already be unique for each file, even if everything else stays the same, because it depends on the file nonce which is randomised. This patch removes the unnecessary use of additional random bytes on signatures and instead implements deterministic XEdDSA by using the file hash as both the message and the nonce (staying compatible with XEdDSA which requires a 64-byte nonce, rather than omitting the nonce from SHA-512 hashing).

    The choice of nonce in signatures does not affect signature verification, and thus each implementation is free to do this whichever way they prefer without compatibility concerns. The nonce only affects the secret random commitment r, whose corresponding public key R is published as part of the signature.

    opened by covert-encryption 2
  • Passphrase wordlists in native languages

    Passphrase wordlists in native languages

    It would be good to have wordlists for languages other than English. We intend to create our own, following the principle of unique 3-prefixes as with English (for easy autocompletion and avoiding prefix word issues). Further, it would be ideal to avoid accented characters and pick words that only use ASCII in all languages where that is feasible (Spanish, German etc). Each language should have its own list of 1024 words, which is a low enough number so that common words and names can easily fill the list (and adding more doesn't make passwords much more secure).

    Chinese and other Asian languages are a whole different ordeal. They may require other arrangements as well and probably cannot have autocompletion. If any native speaker of such languages is reading, would you consider a minimum password length of 8-10 randomly picked characters (pictograms) too long or too complicated? Which characters or words should be used on the list of autogeneration?

    Help is wanted: anyone speaking a language other than English is invited to comment on this, so that we could find an ideal solution for everybody.

    We also need large wordlists of many thousands of words as input. The lists should contain some information on which words are more common (either contain only common words or rank the words by how common they are), and ideally should contain well known names as well (many dictionaries don't and lose a good opportunity). The largest lists or text corpus don't need to be cleaned of punctuation and other garbage. We cross-reference several lists and apply automatic cleanup and filtering to find candidates for the 1024 words to include in our wordlists. Please post links to any usable lists here.

    help wanted 
    opened by covert-encryption 0
  • Public/Secret key decoding and error handling tests

    Public/Secret key decoding and error handling tests

    Decoding of keys, in particular of encrypted minisign and ssh secret keys, is not tested adequately. A single unit test for each of those using the keys within tests/keys/ should be added, and ideally also the various error checks should be tried. The ssh password is password while the test key for Minisign has an empty password.

    These use cryptographic functions not used by any other parts of Covert, so having them tested is not only about our code quality but also to avoid regressions if we switch cryptographic libraries.

    Both have a lot of error checking and special conditions that are never hit in normal operation, thus needing specialised tests that hit every line of code there, to avoid otherwise hard to find bugs. As an added difficulty, Minisign password hashing is so slow that we want to avoid doing more than one true run of that in automated tests. Other cases (such as incorrect password entry) need to be tested by mocking those functions to go faster. Not a particularly easy task to do, but someone with advanced coding skills would be welcome to pick up on this, despite not knowing the cryptography very intimately.

    help wanted 
    opened by covert-encryption 0
  • Refactor askpass to return the password only

    Refactor askpass to return the password only

    Currently it returns a tuple (password, ~~valid~~ visible), which is not meaningful for non-Covert passwords. Should refactor this utility function ~~not to return validity but rather handle that via a separate function call if needed.~~

    enhancement help wanted 
    opened by covert-encryption 3
Releases(v0.7.0)
  • v0.7.0(Mar 8, 2022)

    Major new features are included in this release:

    • Forward Secrecy in conversations, making Covert the first offline messaging tool to implement that and the only one that conceals both the sender and the recipient, leaking no metadata.
    • ID store for keeping permanent public keys and Forward Secrecy temporary keys.
      • Avoids having to enter keys on command line, where identities stored on disk may be used by name
      • Signature verification shows ID names for known keys
      • Storage is protected by a Master ID passphrase that by default is 5 random words but can be changed
      • See covert id --help
    • Greatly improved CLI command help including colour and sub command help.
    • Changes in signatures breaking compatibility with versions prior to 0.7.0. The current implementation is intended to be stable.
    • Large number of bug and usability fixes, other improvements, increased test coverage, refactoring and more typing.

    The main purpose of this release is for developers to start testing forward secrecy and ID store in actual use. Although their implementation is not stable, we need real world testing to guide further development. Please report anything that you find unclear or buggy, as well as ideas for improvement especially on user interface.

    Both parties of a conversation need to have ID stores enabled to initiate a conversation with Forward Secrecy. The initial message sent uses standard public key cryptography, and unless the peer has ID store enabled, any replies to it are also not secured against key breaches. The protocol used is based on Signal's Double Ratchet with header encryption.

    The GUI does not yet support the use of ID store, planned to be included in later versions once the system stabilises. Due to lacking agent support Covert will ask for ID store passphrase on each run but this is also subject to change such that the ID store may stay unlocked for a while and avoid frequent passphrase prompting.

    We also like to thank our two new developers who have done valuable maintenance work and contributed to improved CLI help.

    What's Changed

    • Added Montgomery module and minor changes in Elliptic module by @covert-encryption in https://github.com/covert-encryption/covert/pull/67
    • Minor fixes on key parsing, typing and additional tests by @covert-encryption in https://github.com/covert-encryption/covert/pull/76
    • Fix blockstream decryption bug causing signature verification failures by @covert-encryption in https://github.com/covert-encryption/covert/pull/80
    • Add some tests by @MarionetteAccount in https://github.com/covert-encryption/covert/pull/83
    • Upgrade dependencies to avoid a problem with GUI not starting by @covert-encryption in https://github.com/covert-encryption/covert/pull/84
    • List supported key formats and examples in usage by @heikkiorsila in https://github.com/covert-encryption/covert/pull/78
    • Implement ID store in a file by @covert-encryption in https://github.com/covert-encryption/covert/pull/81
    • Add more typing by @MarionetteAccount in https://github.com/covert-encryption/covert/pull/86
    • Refactor CLI as a submodule with cli.py broken into smaller modules by @covert-encryption in https://github.com/covert-encryption/covert/pull/87
    • Improve covert dec UX with passphrases and ID store by @covert-encryption in https://github.com/covert-encryption/covert/pull/88
    • Second phase of ID store implementation by @covert-encryption in https://github.com/covert-encryption/covert/pull/89
    • Passphrase wordlist word "joint" replaced by "joe" to avoid confusion with some combinations like "jointrace" and "jointramp"

    New Contributors

    • @MarionetteAccount made their first contribution in https://github.com/covert-encryption/covert/pull/83
    • @heikkiorsila made their first contribution in https://github.com/covert-encryption/covert/pull/78

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.6.0...v0.7.0

    Source code(tar.gz)
    Source code(zip)
  • v0.6.0(Jan 5, 2022)

    It has been a few weeks since our last release but despite the holiday season we have been working and are proud to publish another big "minor" update in the form of 0.6 (with further patch releases expected in rapid succession). This is a breaking change for everything related to public keys.

    This release implements Dirty Elligator 2, which is a system of ephemeral key creation and hiding. Covert had previously implemented the Elligator 2 algorithm in an effort to avoid any distinguishability from random data. Well, it turned out to be trickier than expected, as there still was a leakage of 3 bits in the form of Elliptic Curve subgroup selection. Actually, anyone who cares for that much technical detail should check out the issue and PR related to that, as there is plenty of highly educational discussion there. It should be noted that 0.6.0 uses our custom Python implementation of Ed25519 due to libsodium's shortcomings but that we are already working on making it instead use the excellent Monocypher library for such calculations (obviously also for better security).

    Signatures have also been finally implemented using Signal's XEdDSA protocol (like Dirty Elligator, for now implemented in plain Python in the covert.elliptic submodule). This enables all types of 25519 keys to be used for both signing and encryption.

    Other than cryptography, the GUI has also been largely rewritten, although bugs are still to be expected and will be fixed in shortly upcoming patch releases. The rewrite adds further functionality than before but more importantly makes future development much easier.

    CLI has gained a new feature that had been requested by a couple of users: editing of files without extracting the plain text in between. This can be useful for keeping notes in an encrypted archive without ever exposing the contents to the hard drive. Use covert edit to edit any password-encrypted archive.

    Automated testing and coverage CI has been in use for about a month now and we are steadily increasing coverage and making Covert more reliable by thoroughly testing all code.

    What's Changed

    • Changes for armor_max_size and tty_max_size. by @rocketdey in https://github.com/covert-encryption/covert/pull/59
    • Minor cleanup of CLI main by @covert-encryption in https://github.com/covert-encryption/covert/pull/62
    • Dirty Elligator for better hiding of the ephemeral key by @covert-encryption in https://github.com/covert-encryption/covert/pull/61
    • Improve CLI error messages and testing by @covert-encryption in https://github.com/covert-encryption/covert/pull/64
    • Support editing archives, keeping encrypted notes by @covert-encryption in https://github.com/covert-encryption/covert/pull/65
    • Added tests to test_cli by @rocketdey in https://github.com/covert-encryption/covert/pull/69
    • GUI improvements by @covert-encryption in https://github.com/covert-encryption/covert/pull/68

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.5.4...v0.6.0

    A special THANK YOU

    The Monocypher author @LoupVaillant reported elligator's dirty secret to us and has been far more than just helpful in getting the issue fixed and the fix thoroughly reviewed, and has given valuable feedback on signatures and other design details as well. We salute you!

    It is no small feat that he apparently wrote the first and only implementation of what we have now dubbed the Dirty Elligator 2, using bits and pieces of information that hardly anyone in the world knows, filling in the blanks himself. Yes, the theory of Ed25519 was well known, and the Elligator 2 paper is known by people familiar with cryptography but the devil is in those dirty details!

    Source code(tar.gz)
    Source code(zip)
  • v0.5.4(Dec 16, 2021)

    What's Changed

    • Upgraded zxcvbn to avoid a crash on startup on Python 3.9.2 (Debian 11)
    • Increased precision of random padding calculation by @covert-encryption in https://github.com/covert-encryption/covert/pull/58

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.5.3...v0.5.4

    Source code(tar.gz)
    Source code(zip)
  • v0.5.3(Dec 8, 2021)

    What's Changed

    • Fix signature implementation broken by earlier blockstream refactoring. by @covert-encryption in https://github.com/covert-encryption/covert/pull/51
    • Additional e2e test on CLI for more coverage by @covert-encryption in https://github.com/covert-encryption/covert/pull/52

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.5.1...v0.5.3

    Source code(tar.gz)
    Source code(zip)
  • v0.5.1(Dec 8, 2021)

    What's Changed

    • Do not print speech bubble on decoded message in GUI by @covert-encryption in https://github.com/covert-encryption/covert/pull/46
    • Allow mode selecting within combined short arguments. by @rocketdey in https://github.com/covert-encryption/covert/pull/45
    • Parser for SSH secret keys with support for passwords by @covert-encryption in https://github.com/covert-encryption/covert/pull/47
    • Adding tests for covert.passphrase by @covert-encryption in https://github.com/covert-encryption/covert/pull/48
    • Fix benchmark mode and add tests using it by @covert-encryption in https://github.com/covert-encryption/covert/pull/50
    • Run a full encryption/decryption test cycle over CLI by @covert-encryption in https://github.com/covert-encryption/covert/pull/49

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.5.0...v0.5.1

    Source code(tar.gz)
    Source code(zip)
  • v0.5.0(Dec 4, 2021)

    Our biggest release so far. A lot of changes, most notably a GUI in addition to CLI version. The file format of 0.5 is incompatible with earlier versions due to various changes made to it. Due to the sheer number of changes we except there to be bugs that should be ironed out in upcoming releases. Please report any issues encountered, so that we can fix them.

    What's Changed

    • Elligator2 hashing to scramble the ephemeral key header field. by @covert-encryption in https://github.com/covert-encryption/covert/pull/24
    • New password hashing spec and implementation, and related cleanup. by @covert-encryption in https://github.com/covert-encryption/covert/pull/27
    • Refactor armor functions to use str and removing any > quotes. by @covert-encryption in https://github.com/covert-encryption/covert/pull/28
    • Implementing graphical user interface by @covert-encryption in https://github.com/covert-encryption/covert/pull/23
    • Refactor file records as lists to save a few bytes and simplify code. by @covert-encryption in https://github.com/covert-encryption/covert/pull/29
    • Remove BOMs of input strings by @covert-encryption in https://github.com/covert-encryption/covert/pull/30
    • Compatibility with legacy Windows terminals by @covert-encryption in https://github.com/covert-encryption/covert/pull/31
    • Allow combining short CLI arguments by @rocketdey in https://github.com/covert-encryption/covert/pull/32
    • Better error message when using -r on keyfile by @covert-encryption in https://github.com/covert-encryption/covert/pull/34
    • Simplified decrypt auth handling (refactoring) by @covert-encryption in https://github.com/covert-encryption/covert/pull/36
    • Update unit tests with recent API and format changes. by @covert-encryption in https://github.com/covert-encryption/covert/pull/40
    • Add tox for automated testing, coverage etc. by @covert-encryption in https://github.com/covert-encryption/covert/pull/41
    • Increase padding on short messages for stronger protection by @covert-encryption in https://github.com/covert-encryption/covert/pull/42
    • Big refactoring of decryption functions, allowing for easier GUI implementation by @covert-encryption in https://github.com/covert-encryption/covert/pull/43

    New Contributors

    • @rocketdey made their first contribution in https://github.com/covert-encryption/covert/pull/32

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.4.1...v0.5.0

    Source code(tar.gz)
    Source code(zip)
  • v0.4.1(Nov 17, 2021)

  • v0.4.0(Nov 17, 2021)

    What's Changed

    • Implemented a slightly better message editor. by @covert-encryption in https://github.com/covert-encryption/covert/pull/18
    • Automatic copy&paste support by -A by @covert-encryption in https://github.com/covert-encryption/covert/pull/20
    • Depend on our own zxcvbn fork that fixes bugs the upstream is ignoring. by @covert-encryption in https://github.com/covert-encryption/covert/pull/19
    • File signing and signature verification. by @covert-encryption in https://github.com/covert-encryption/covert/pull/21
    • CLI help text clarified
    • Arrow keys now function correctly in Windows Terminal which uses different escapes than other terminals on Windows that we were testing on before

    Expect this version to be a bumpy ride, as many new and quite experimental features as well as new dependencies have been added. The signature implementation is not final but it works. The sender needs to use -i to specify on or more identities to sign with, and then the receiver will automatically verify them. Public keys are embedded in signed files, so the receiver does not have to have those.

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.3.3...v0.4.0

    Source code(tar.gz)
    Source code(zip)
  • v0.3.3(Nov 15, 2021)

    • Encrypted message input no longer echoes to screen
    • MiniSign keyfile decryption is attempted with empty password automatically
    • Various small fixes and removed a dependency that prevented running the program on Windows

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.3.1...v0.3.3

    Source code(tar.gz)
    Source code(zip)
  • v0.3.1(Nov 15, 2021)

  • v0.3.0(Nov 14, 2021)

    What's Changed

    • Implement smarter adaptive padding to better hide data of any length
    • Updated and simplified wordlist, albeit slightly longer words
    • CLI and public key refactoring for better usability and much better code
    • Improved archive file handling and improvements on stdin/stdout pipes
    • Archive files recursively when a folder is given on command line
    • List of files shown during encryption
    • Decryption no longer extracts attached files unless -o PATH is specified
    • Many other small fixes and improvements

    Currently broken

    • Signatures are disabled in this release

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.2.1...v0.3.0

    Source code(tar.gz)
    Source code(zip)
  • v0.2.1(Nov 13, 2021)

    What's Changed

    • MiniSign key support added
    • ASCII armoring changed to use standard Base64 to make detection harder and to avoid formatting issues
    • The armored output has triple backticks (code block tags) printed around it on console (which are not part of the message and are ignored if still pasted back)
    • Auth token scheme redesigned to be simpler and shorter (only 32 bytes header per recipient, keeping the old 12 byte short mode for single password and wide-open). The maximum number of recipients increased to 20.
    • Ensure that all authentication tokens are unique, also for repeated public keys
    • Documentation updates, added a page on security
    • Fix tests

    Full Changelog: https://github.com/covert-encryption/covert/compare/v0.2.0...v0.2.1

    Source code(tar.gz)
    Source code(zip)
  • v0.2.0(Nov 11, 2021)

    Project renamed to Covert Encryption

    • Password dialog redesigned with real-time feedback
    • Password generation uses an improved wordlist that produces easier passwords
    • Header format redesigned to be even smaller than before (the first token is omitted and public keys only take 32 bytes each)
    • Various bugfixes with streaming files and elsewhere
    • Added configurable padding, removed the raw-internal debugging format
    • More tests
    Source code(tar.gz)
    Source code(zip)
Pythonic Smart Contract Language for the EVM

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Vyper 4.4k Dec 30, 2022
Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

29.5k Dec 31, 2022
Generate a 2FA Code out of an 2FA Secret(Time-based only!)

2FA-Generator Generate a 2FA Code out of an 2FA Secret(Time-based only!) ❗ Pleas don't share this secrets/generated codes with someone. If someone kno

TheDanniCraft 1 Nov 05, 2021
Arithmos Cipher is a simple Cryptography that I created myself in Python

Arithmos Cipher is a simple Cryptography that I created myself in Python

LyQuid :3 3 Oct 19, 2022
zhash is a simple Python tool which allows to create/crack hashes

zhash zhash is a simple python tool which allows you to crack/create hashes. Below are the list of supported algorithms that zhash can crack Supported

3 May 27, 2022
Amazing CryptoWAF was a CTF challenge for ALLES! CTF 2021

ctf-cryptowaf The AmazingCryptoWAF ™️ is used by the "noter" web app, to offer automagically military encryption for any user data. Even if an attacke

32 Jan 02, 2023
A simple web application with tools of cryptography, made with Flask and Cryptography.

Crypto Tools A web application made with Flask that allows the use of some cryptography tools like message digest, RSA key pair generation and a decip

Felipe Valentin 0 Jan 20, 2022
A lightweight encryption library in python.

XCrypt About This was initially a project to prove that I could make a strong encryption but I decided to publish it so that the internet peoples coul

Anonymous 8 Sep 10, 2022
A curated list of resources dedicated to reinforcement learning applied to cyber security.

Awesome Reinforcement Learning for Cyber Security A curated list of resources dedicated to reinforcement learning applied to cyber security. Note that

Kim Hammar 212 Jan 02, 2023
Simple encryption-at-rest with key rotation support for Python.

keyring Simple encryption-at-rest with key rotation support for Python. N.B.: keyring is not for encrypting passwords--for that, you should use someth

Dann Luciano 1 Dec 23, 2021
An extreme encryption for everyone, encrypt your text before sending to anyone.

An extreme encryption for everyone, encrypt your text before sending to anyone. Alphabets and numbers are going to be encrypted like a hell

Saad 6 Oct 28, 2022
Given a string or a text file with plain text , returns his encryption using SHA256 method

Encryption using SHA256 Given a string or a .txt file with plain text. Returns his encryption using SHA256 method Requirements : pip install pyperclip

yuno 3 Jan 24, 2022
A python script for AES Angecryption in Steganography

Angecryption is an encryption or an decryption result from a file to create an other file with the same / or not type.

ISIS 3 Jul 25, 2022
BTCRecover is an open source wallet password and seed recovery tool.

BTCRecover is an open source wallet password and seed recovery tool. For seed based recovery, this is primarily useful in situations where you have lost/forgotten parts of your mnemonic, or have made

2 Aug 18, 2022
Cryptocurrency Exchange Websocket Data Feed Handler

Cryptocurrency Exchange Websocket Data Feed Handler

Bryant Moscon 1.6k Dec 31, 2022
A python-jvm wrapper for interacting with the Ergo blockchain.

ergpy A python-jvm wrapper for interacting with the Ergo blockchain. Usage Requires Java 8 or higher to be installed on system pip install JPype1 pip

mgpai 16 Oct 05, 2022
The leading native Python SSHv2 protocol library.

Paramiko Paramiko: Python SSH module Copyright: Copyright (c) 2009 Robey Pointer 8.1k Jan 08, 2023

Gridlock - Encryption and decryption python project

Gridlock Encryption Encryption and decryption of plain text messages inspired by

Matthew 2 Mar 23, 2022
Marketplace but with cryptocurrencies only.

MoneroMarket Marketplace but with cryptocurrencies only. MoneroMarket was created as a way to be able to use cryptocurrencies as an actual currency to

Janoher 35 Jan 01, 2023
J. Brandon Walker 1 May 13, 2022