This topic contains 124 replies, has 2 voices, and was last updated by Jack C. 6 years, 1 month ago.
Robert M
Another alternative is a program called AES Crypt. It’s free, open source and available for Windows, Mac and Linux. It allows you to use multiple passwords, if that is your preference. You can find it here: https://www.aescrypt.com/
Hello all,
Lots of good things said, and unfortunately some strong misconceptions about what we do, have and store.
Let’s start, briefly, with the hash issue. Yes, we use SHA-512. No, we don’t hash your password as such with it and store it anywhere. We use SHA-512 for two things – a HMAC, that’s a cryptographically strong checksum that ensures that we can be sure that nothing in the encrypted file has been changed. We also use it for password derivation – this is a process whereby we take a variable length typed password, and produce a fixed length (128 or 256-bit as the need be) value to use for the actual encryption algorithm. It’s essentially just another representation of the typed password, and we never store this anywhere.
What we *do* have on the server, is a private key encrypted with your password using… AxCrypt. Now, what’s the scenario AxCrypt is specifically made for, and actually deemed secure (provided the password is good enough) by all who have examined AxCrypt? It’s the case of an AxCrypt-encrypted file being accessed by an unauthorized individual. So, what can an attacker gain from the server? An AxCrypt-encrypted file, encrypted with your password. That’s exactly what you’re trying to protect in the first place. So either AxCrypt is strong enough to withstand the attack, in which case it doesn’t matter which file the attacker gets hold of – no go. Or, your password is weak, or AxCrypt is, in which case it doesn’t matter which file the attacker gets hold of – your data is not secure. The point being, what we keep on the server is no more sensitive than any other AxCrypt-encrypted file. And they are presumably not sensitive at all.
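The two uses of SHA-512 described in the post above (a HMAC over the encrypted file, and derivation of a fixed-length key from a variable-length typed password that is never stored) can be seen in a few lines of code. The following is an added example, not AxCrypt’s own code: it assumes PBKDF2-HMAC-SHA-512 as the derivation function, and the salt, header layout, iteration count and ciphertext bytes are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed parameters for this example. AxCrypt's real derivation function,
# iteration count and file layout are not described in the thread.
KDF_ITERATIONS = 100_000


def derive_keys(password: str, salt: bytes, key_bits: int = 256) -> tuple[bytes, bytes]:
    """Turn a variable-length typed password into fixed-length key material.

    Returns (encryption_key, mac_key). Neither value is ever written out:
    both are recomputed from the password every time the file is opened,
    which is what "we never store this anywhere" means in practice.
    PBKDF2-HMAC-SHA-512 is an assumed choice of derivation function.
    """
    if key_bits not in (128, 256):
        raise ValueError("key_bits must be 128 or 256")
    enc_len = key_bits // 8
    material = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=enc_len + 64)
    return material[:enc_len], material[enc_len:]


def compute_tag(mac_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA-512 over every byte of the file an attacker could alter."""
    return hmac.new(mac_key, header + ciphertext, hashlib.sha512).digest()


def verify_tag(mac_key: bytes, header: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check does not leak where the tag differs."""
    return hmac.compare_digest(compute_tag(mac_key, header, ciphertext), tag)


def demo() -> dict:
    """Seal a constructed file and show which modifications the HMAC catches."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed
    header = b"\x02" + salt                                   # constructed: version byte + salt
    ciphertext = bytes(range(64))                             # constructed stand-in for AES output

    enc_key, mac_key = derive_keys("correct horse battery staple", salt, 256)
    tag = compute_tag(mac_key, header, ciphertext)

    # Flip one bit of the ciphertext, as anyone holding the file could.
    tampered = bytearray(ciphertext)
    tampered[10] ^= 0x01

    # A different password derives a different MAC key, so the tag fails too.
    _, wrong_mac_key = derive_keys("correct horse battery stapler", salt, 256)

    return {
        "enc_key_bytes": len(enc_key),
        "intact": verify_tag(mac_key, header, ciphertext, tag),
        "tampered_ciphertext": verify_tag(mac_key, header, bytes(tampered), tag),
        "tampered_header": verify_tag(mac_key, b"\x03" + salt, ciphertext, tag),
        "wrong_password": verify_tag(wrong_mac_key, header, ciphertext, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the post makes is visible in `demo()`: the derived keys exist only in memory for the duration of the call, and any change to the header or ciphertext, or any attempt with the wrong password, fails the HMAC check before decryption is even attempted.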
Hi Simone,
Thanks for your analysis. Your raise some interesting points. I think you’re right in that the changes are so great, that old users lack continuity, and thus risk feeling uncomfortable with it.
We’re working on this, but one fact is that new users are at least as happy with the new version, as old users are with the old – at least from comments and support questions we get. Almost all issues relate to old users upgrading. So, we really see signs that the new version is a good product, and that it in fact meets the same basic need. But old users have gotten so used to it, and habits are hard to change. If we had received any significant revenue earlier, it would have been a more gradual process of course but now the fact is that it was essentially unchanged for 15 years, now finally we’re actually doing something with the product, moving it forward. But the first step to upgrade, is perhaps a little more of a leap ;-)
Max
I used AxCrypt 1 for a lot of years. For me, AxCrypt 1 is almost perfect (except there is no Android version).
I tried version 2.
I want to use different passwords for different files.
IT IS MY DECISION !!
Then I’m looking for different encryption software. Do you have an idea?
Bye
Max
Ludwig
There’s nothing to stop you from using AxCrypt 1.7, @Max, except that it doesn’t support Android.
The only other (apart from AxCrypt 2) strong, and free, piece of encryption software which supports Windows and Android is GPG.
For Windows you can download it from here [GnuPG] and for Android you can download it from here [OpenKeychain].
It’s nowhere near as easy to use as AxCrypt but it’s the only free piece of software that meets your requirements unless you’re willing to pay for an ultra-strong cloud encryption service like Tresorit.
Joseph Hamilton
I first used V1 for years, but switched. Cryptography is one of my strong points, and I can tell you that I would never develop an application which calls for incoming/outgoing traffic. The fact that an e-mail is required (and yes, I just installed the latest update you released today, so I wouldn’t post incorrect info for an outdated release; it does require it upon first-time installation) is an issue. Say, if your website is down then I can’t decrypt my files? That is not right. A year’s license for a stronger AES key length? aescrypt is a free open-source project with higher security, and much easier and lighter on resources. Open source is almost a requirement for good encryption software; how else would we know if there’s a backdoor, or if the encryption algorithm(s) are implemented correctly? I recently audited the code from an open-source encryption program, just to find out there was indeed a backdoor, and that WAS open source (before the project was terminated). Imagine what closed-source software can do… There is way too much good/free/open-source encryption software out there; I am surprised any company selling it is even in business anymore. Now, of course I won’t be using AxCrypt anymore, including V1, because if there are no updates to it, eventually it won’t be as secure due to new developments in brute force, faster computing power etc.
Thank you for AxCrypt V1, wish you would have kept it alive :)
P.S. Maybe you would consider re-opening AxCrypt Project and just focusing on updating security over time? (By not devoting more than say, 10% of your time?).
Igor
Hi Joseph,
You say that cryptography is one of “your strong points” yet you’ve got a number of misunderstandings.
AxCrypt 2 can be used without an email address as long as the input follows the correct syntax, e.g. user@gmail.com
The software can also be used in ‘permanently offline’ mode which simulates loss of network, unavailable servers, company closure etc.
Therefore it’s fundamentally wrong to suggest that if the “website is down” that you can’t decrypt your files.
Your other misunderstanding is that AxCrypt isn’t open source. If you’d taken even a cursory look at the website you’d find it is, and the source code is here.
It is generally unwise to use software that isn’t being developed, like v1, but there have been no recent developments in AES exhaustive key search attacks. If you’re aware of new “brute-force” methods then please share them with the academic community at large.
Anybody who knows anything about cryptography or engineering or physics or mathematics or computing will tell you that cracking AES-128 takes more than the power in the universe.
However as AxCrypt 2 is open source, under current development, offers a fully functional standard version and can decrypt your files whilst offline you should have no objection to updating.
Auditing cryptography is best left to the experts as it’s extremely difficult and one small mistake can be fatal. However if you still feel that you’re qualified to audit other people’s work then perhaps you’d like to fork AxCrypt v1 yourself for the benefit of the community?
I am a user, not a representative of AxCrypt, and I’m an academic specialising in cryptography.
Joseph
I went to install AxCrypt V2 on one of my Windows computers that can’t connect to the internet, and when I entered my real email address it wouldn’t work. As many people do, I have my own concerns regarding cryptography. I don’t use any such software that connects to the internet, I only use open-source software, and I only use AES-256 & Twofish-256 in XTS mode, using a very high iteration count and a very strong random password. It is extremely difficult to find such software that has what I need.
I apologize for not realizing it is open source; I couldn’t find the source or topics on it so I figured it must not be. Usually that is something developers love to brag about lol.
Also, like I said, I wouldn’t be using V1 unless the security was still maintained. If version 2 wouldn’t suit me then I would switch to another project in active development.
Igor
Joseph,
The best alternative for you is GnuPG or BCArchive.
http://www.jetico.com/products/free-security-tools/bcarchive
https://www.jetico.com/bcarchive.exe
https://www.gnupg.org/download/index.html
Both are free and open source.
Or, as I said earlier, you can use AxCrypt 2 in permanently offline mode. Turn off your network connection, enter a fake email and then activate permanently offline. Job done.
But you can’t use AES-256 in free AxCrypt and premium requires an initial network connection.
BCArchive is free and allows you to choose your cipher, hash and iteration count.
Robert M
@Joseph, is BCArchive really open source? I don’t find that info at the site. Thanks.
Robert M
My bad, the above post was intended for Igor, not Joseph.
Ed
Hello Svante,
I am new to Axcrypt, and I just downloaded the free standalone version for the purpose of encrypting my files in my portable hard drives. I cannot speak about your earlier versions, but so far, even with the limited features, I am quite satisfied with this version. For my intended purpose, it gives me a sense of security with the protection it provides for my files. I like the ease of use, nothing complicated.
I do have one question: if I want to share an encrypted file, can the recipient decrypt it if he/she only has the standalone version as well? I’ve read about the key sharing/exporting/importing feature, but is that only for the premium version or both?
Thanks in advance.
Igor
Robert M, yes it is open source.
Ed, if you share a file then the recipient can have either version (the standalone or the installable).
To share a file you need premium.
To receive a file you can be a free or premium user.
Exporting keys is something totally different; it’s for backing up your key-pair. AxCrypt 2 does this automatically (by keeping a copy on their servers) so you don’t have to. The option is included just in case you wish to keep your own copy. If you don’t understand what the option does, don’t worry, you won’t need to use the feature.
Thanks Igor!
Jeff
My biggest pet peeve about v2 is actually a simple functionality change you made earlier that doesn’t seem to account for separate scenarios and thus confused me at first, and I assume would confuse other users as well.
I’m referring to an earlier post in this thread back in September, specifically:
– The main Window state is remembered, so if you minimize it it will usually stay minimized and never show unless you ask for it.
Here’s the scenario I encountered:
When I first installed/opened AxCrypt 2 I minimized it, which sent it to the notification icons on the taskbar. Then I went and double-clicked on a file encrypted with AxCrypt and entered the password to decrypt it. Then the interface just disappeared and gave me no visual indication that it was decrypting a file. I first assumed that it had crashed, so I moused over the notification icon on the taskbar in the bottom right; it didn’t disappear, so I opened it. Even after manually opening AxCrypt to check what was going on, there was still no clear indication anything was being decrypted; there was just a loading bar on the bottom of AxCrypt with no description, and nothing in the main window of AxCrypt. While it turns out this was a bar for the decryption, to me this is a poor design choice for the user’s experience.