This topic contains 124 replies, has 2 voices, and was last updated by Jack C. 6 years, 1 month ago.
Wilfred
I did not say damaged. I said I can no longer open it with either version 1 or version 2.
In other words, it’s damaged. If it wasn’t then you’d be able to open the file.
I guess I should have backed up the file, but since version 1 was working so well, I just didn’t think I would have any problem.
If the file(s) are that important then you should always back them up, encrypted or not.
Why the 3-2-1 backup rule STILL makes sense
As for the “full” report, that seems a bit cumbersome to gather and not sure the necessary files are still there. And I am not happy to work via email for days to try to resolve this.
Unless you’re happy posting (potentially) confidential log files then nobody can help.
Disappointing to say the least.
I am merely a user, but nobody can help you without the relevant information. Nobody else is experiencing these difficulties, which suggests that you are doing something wrong.
If you provide Svante with the relevant information then he’ll be able to help you.
FormerAxCrypter
Not being able to use different passwords for different files seems to fly in the face of good cryptographic practice so I’m not sure how you can justify it. I would like to say that I LOVED the original open-source Axcrypt and used it often. I understand and appreciate that the hard coding work of its author deserves some cash (I contributed voluntarily early on, though I know most probably did not), but a subscription model for encryption? That’s another head-scratcher! Paying a fair amount for a product with a decent life-span is one thing, but subscribing monthly for a service available on the Linux/Unix command line (I never used Axcrypt for anything but encrypting individual files or wiping them) seems like a step backwards to me. Honestly, how’s it working out? Am I off base on this?
Robert M
FormerAxCrypter,
There are blog posts about the subscription model and the rationale for using a single, secure password.
https://forum.axcrypt.net/blog/use-of-different-passwords/
https://forum.axcrypt.net/blog/subscription-vs-license/
Justin
Greetings FormerAxCrypter :)
Here’s a blog entry written by AxCrypt staff explaining why AxCrypt 2 doesn’t support multiple passwords any more. It makes sense and, even when using a password manager, it’s difficult to store multiple passwords especially if you’re encrypting in bulk. I guess people were encrypting with different passwords, forgetting them and then being unable to access their data.
You’re wrong in your assertion that “not being able to use different passwords for different files seems to fly in the face of good cryptographic practice”. Having multiple passwords doesn’t make you more secure. Keeping one password secure is far easier than keeping multiple passwords secure.
Still, I think it’d be a nice option to have multiple passwords.
AxCrypt 1.7 is still available and it continues to work. It’s not supported any more and no new features are being added. If you’re looking for something which functions like AxCrypt 1.7, is open source and still in development consider BCArchive or 7-Zip – for containers look at VeraCrypt.
AxCrypt 2 is freemium. That means you don’t have to pay a monthly subscription unless you want the additional features/higher level of encryption. If you use the free version then you can still benefit from AES-128 encryption (as used in AxCrypt 1.7) and there’s no associated monthly cost. It shouldn’t be a “head-scratcher”; the basic functionality is still available.
AxCrypt was never designed for the Linux/Unix command line, therefore users of those OSes wouldn’t be using AxCrypt. You’ve got decent alternatives like GPG and OpenSSL. For FDE you have LUKS etc.
Keith
Svante,
I just tried version 2 and then switched back to version 1. Simply for your information, I thought I would tell you why.
Version 1 does exactly what I want. I can secure a few files. I don’t have many that are truly private. As soon as I close those files, they are no longer accessible without re-entering their passwords.
I don’t have a care whether they have separate passwords or not. I am not much concerned about someone getting access to my PC and installing a key logger or other sophisticated spyware. What I am concerned about is getting up to get a cup of coffee, not taking the time to log off, and having someone come by and being able to open one of my few confidential files. Encryption strength is much less an issue than protecting against personal oversight when in a hurry, which is a well-proven risk. With AxCrypt 1, I click the X and all is secure. With AxCrypt 2, it takes another step when I leave the PC.
I commend you for the great product you developed in AxCrypt 1.7. I am sure AxCrypt 2.x will be just as good for people who need the features, but right now that is not me.
Keith
Hello Keith,
Thanks for the feedback, and for your information, we will be introducing options for auto sign-out quite soon. However, we do this partially against our own advice. If you haven’t done so, I suggest you read my blog on this issue to understand why it really doesn’t make sense to feel safe with AxCrypt 1 behavior if you walk away and leave your computer fully open for anyone while getting a cup of coffee. https://forum.axcrypt.net/blog/leaving-computer-axcrypt/
Captain Quirk
With the utmost respect for you, Svante, and your team, I regret to say that I, too, am disappointed with the move to Version 2. Unlike many people, I don’t have a problem with the single password approach – I think that has a lot of merit, as you have previously explained. But the switchover has other shortcomings that have understandably upset a lot of people, including me.
Version 1 was a simple, basic tool that did what many people wanted – not only encrypt files on one’s computer, but also the ability to “shred” files and even allow files to be sent to another person who didn’t even have AxCrypt installed on their computer. Genius! And no need to set up and activate an account or enter your email address.
Version 2 requires me to set up and activate an account and enter my email address. And it may be simple to use in practice (I don’t know; I haven’t actually tried it yet), but it sure seems complicated. It leaves a lot of questions unanswered. How does Version 2 work? How does it do what it does? What information gets sent to (and from) your servers, and why? I’m not asking for a detailed explanation of all the underlying cryptography, which would be over my head anyway. Just a basic explanation of the general structure of how Version 2 works. I think the lack of that info is what makes many people (including me) feel uncomfortable. I don’t like the patronizing “Let us handle everything – you don’t need to know how it works” attitude that seems to pervade Version 2. I feel like I’m in the Matrix! :-)
I think I read somewhere (it’s not in your main AxCrypt site – maybe it’s in one of the blog posts or forum posts or something – I’m not going to go searching for it now) that it isn’t even necessary to be connected to the internet to use Version 2. (Which is as it should be.) Apparently there’s a setting that can be invoked to do that. But then, what do your servers do? Why is Version 2, in its normal operating mode, connected to your servers? Either it needs internet connectivity, or it doesn’t. You can see why potential users would find this all very confusing. Version 1 was simple, understandable software that basically just did a few things to files on your computer. Version 2 seems to be this strange organism that’s connected in mysterious ways to the outside world, for reasons that are not explained.
As you can see from the previous two paragraphs, I think a big part of the problem is simply the lack of info, the lack of good explanations, on your website.
But there are other, more practical problems as well. Version 1 had a convenient file shredder that you have deleted from the free version of Version 2. Version 1 enabled a person to send an encrypted file as a self-extracting .exe that a recipient could open (with the password, of course) without even having to have AxCrypt installed on his or her computer. You’ve deleted that as well. Your “replacement” of that feature in Ver$ion 2 (which, to my mind, isn’t a replacement at all) requires that the sender have a paid $ubscription, and requires the recipient to set up and activate an AxCrypt account as well as download and install the Version 2 software. That’s a lot to ask of a recipient to whom you may only ever be sending one single encrypted file, and it’s a big step backwards from the simple functionality of Version 1.
And the very idea of having to pay an annual fee in perpetuity bothers many people (again, myself included). Yes, I have read your justification for that business model, but I don’t find it convincing. It’s great for you – what company wouldn’t want a guaranteed income, year after year after year? But it’s equally (reciprocally) bad for your customers, who don’t want another constant drain on their limited income, year after year after year. (Can you imagine going to IKEA to buy a table, and the salesman says “We won’t sell you a table, but we’ll rent one to you for a monthly fee for the rest of your life.”?)
Normally I would just go with Version 1, except that its hash algorithm, SHA-1, has been compromised and is no longer considered secure. So it looks like I’m going to have to stick with 7-zip, which is free, does most of what AxCrypt Version 1 does (and in at least one respect, more*), and does it with the more modern and secure SHA-256 hash function.
Sincerely,
“Captain Quirk”
________________________________
*(7-zip allows filenames to be encrypted, which Version 1 couldn’t do. Ver$ion 2 (pr€mium) allows this, but apparently only on a file-by-file basis, meaning that you have to individually decrypt each and every file whose real name you want to see, rather than just be able to decrypt one folder and see all the real filenames within.)
FormerAxCrypter
Justin, we’ll just have to agree to disagree on the multiple password issue. Perhaps I’m misunderstanding. But a single point of failure for all your encrypted files can’t really be justified because it’s “easier” or because some users are lazy or careless about their multiple passwords. If that’s a problem for someone, let them use a single password. I would no more use a single password for all my files than I would use a single log-on password for all of my secure websites. I can’t complain too much though, Svante made the original AxCrypt available for free for a long time, and I certainly used it enough to justify making a donation. Lycka till (good luck), AxCrypt!
Captain Quirk
For what it’s worth, I think Simone’s analysis is right on the mark, in all respects.
Wellington
I don’t have time to explain all of the misconceptions in your post, Captain Quirk, as I’m an end-user of AxCrypt.
I’ll correct a few of your inaccuracies (there is proper documentation on this website):
- Email address and password is all that’s sent to the servers (you can even enter a fake email)
- Software can be used offline
- Connecting to the server is only required to seamlessly share files with other people
- The old self-extracting EXE files are now blocked by most mail clients.
- Self-extracting EXEs also blocked by default if you send it to a Windows 8, 8.1 or 10 user.
- SHA-1 isn’t broken in the context it’s used by AxCrypt. There’s different implementations.
- Want to crack a 7-Zip encrypted archive? This company will sell you software to do so.
FormerAxCrypter,
There’s no single point of failure by using one password. If you’re using multiple passwords then where are you storing them? If you say “in my head” then they’re not secure – the best passwords are the ones you can’t remember.
Therefore a password manager or a piece of paper is your single point of failure.
Using the same password on a website is a bad idea because a website is easier to compromise than your computer. But if somebody compromises your system then you’ve lost your data and the bad guys had full access to your files, encrypted or not.
Thus a single password helps you choose one, really secure password that you can just about remember.
Gerard
Version 1 was a simple, basic tool that did what many people wanted – not only encrypt files on one’s computer, but also the ability to “shred” files and even allow files to be sent to another person who didn’t even have AxCrypt installed on their computer. Genius! And no need to set up and activate an account or enter your email address.
AxCrypt 2 does all of this: encrypt files, “shred” files (shredding isn’t effective on modern hard drives) and you can send the files to friends and family.
AxCrypt 2 doesn’t need to be installed on the recipient’s computer as there’s a portable version available.
Axcrypt 2 doesn’t need you to make an account to encrypt files as it can be used permanently offline. If you install the software you’ll find there’s a menu option to enable this.
I updated to AxCrypt 2 because I could no longer share AxCrypt 1.7 files with friends. Gmail blocks all executable files by default, so does Outlook.
I’d add to that, as Wellington says, Windows has a feature (he didn’t mention the name: it’s called SmartScreen) which will stop you opening a .EXE file encrypted by AxCrypt 1.7 or any other software because of the inherent security dangers. Automatically extracting .EXE files have had their day and are no longer fit for purpose.
Something that Wellington could’ve added, although it may not affect him/her, is that antivirus software automatically deletes encrypted .EXE files because of the high potential for viruses.
AxCrypt 2 solves this by not using the old-fashioned .EXE format for encrypted files. Relying on their proprietary format .AXX solves this.
Apparently there’s a setting that can be invoked to do that. But then, what do your servers do? Why is Version 2, in its normal operating mode, connected to your servers? Either it needs internet connectivity, or it doesn’t.
You don’t need internet access. If you installed the software this would be apparent. I’m going to hazard a guess that you’re making assumptions about AxCrypt 2 without having installed it because, if you had, you’d know that the software can be used offline.
If you wanted you can type in anything that conforms to the email syntax <itsme@email.com> and you can use the software. It’s not a binary choice as you have said – it doesn’t require internet connectivity; it’s optional. It makes sharing files more convenient, it’s not a privacy invasive feature and if you don’t like the feature, you don’t have to use it – but you can still use AxCrypt 2 without that feature.
And the very idea of having to pay an annual fee in perpetuity bothers many people (again, myself included). Yes, I have read your justification for that business model, but I don’t find it convincing.
I don’t like the idea of paying a subscription but that’s how the software model has moved. Microsoft offer very few perpetual licenses any more because it’s not economic. People were complaining each time they offered an update and then made you pay £400-£500 for the update. A monthly subscription (as with Office 365) entitles users to free updates for the life of the subscription and use of the software.
Want a perpetual licence for encryption software? Jetico offer BestCrypt Container Encryption for 59,95 €. But every update you’ve got to pay for (I think they offer a discount).
Symantec also offer their File Share Encryption perpetually (updates are charged for) at a cost of 186.68 €.
Both are professionally maintained and have been audited. They’re nowhere near as simple to use as AxCrypt 2 but they’re an option.
You can get free, open source software (7-Zip is okay) but development is slow, you have bugs and the encryption isn’t perfect. There is a password breaker here for 7-Zip or you can get cloud cracking software for 7-Zip which vastly speeds up breaking the software.
7-Zip have also had severe vulnerabilities discovered in their software. Their unpaid developer doesn’t have the time to patch everything. That’s why a paid model is used by most software developers. Zip files have other vulnerabilities not adequately addressed in the format.
For an initial outlay of 40 € (cost of using Amazon’s cloud) I can break the majority of 7-Zip encrypted archives within 6 hours.
Robert M
Hello, Gerard.
I read your informative post with interest. I have a few questions.
1) Is your Zip cracking software likely to be effective against, say, a 32 character (pseudo) randomly generated password? I’m talking about current WinZip versions, using AES-256.
2) Weren’t the 7Zip vulnerabilities fixed with version 16? I ask because I honestly don’t know. The linked article suggests they were patched.
I’ve made a mental adjustment about the subscription model. I think it’s a pretty good deal when compared with other premium encryption products. Over the past 20+ years I’ve spent way too much on encryption software because I didn’t know any better. Trust is a big issue and I trust that Axcrypt is secure and that any discovered vulnerabilities will be fixed. I don’t want to worry about things like that. That’s worth something.
Gerard
- Yes, it is effective against a completely random 32 character password however no home user is going to have a computer anywhere near fast enough (not even if augmented with GPUs) to crack a 7-Zip password which is why I suggested the Amazon Cloud. Google and Microsoft offer worthy alternatives. Because of the way 7-Zip implemented their encryption the hashing doesn’t slow down brute force sufficiently. 7-Zip is not recommended by NIST so U.S. agencies don’t use it for encryption purposes. The only approved encryption/compression software in the U.S. is PKWARE’s SecureZIP – large federal agencies use it; e.g. the DoJ, FAA, HHS.
- Some of the vulnerabilities in 7-Zip were fixed but the developer only has a finite amount of time on his hands. He’s not getting paid to develop it and there are doubtless other vulnerabilities still undiscovered.
- Without prejudice to those vulnerabilities which have been fixed there are still known vulnerabilities which weaken the encryption which is why the attack I described earlier is feasible and works in the real world.
- The Zip format was never designed with security in mind. It’s difficult to go back and retrospectively secure software particularly now the compression format has become a de facto standard. There are many research papers out there about the weakness of the format in general. It works very well at what it was designed for: data compression. But there are all sorts of attacks against pieces of software like that which can assist in decryption.
- To make a similar attack against even AxCrypt 1.7’s encryption would take hundreds of millions (if not billions) of years because of the cryptographic library implemented by AxCrypt. Meanwhile an equivalent attack in the Zip format would take hours, if not minutes, depending upon the format used.
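The posts above (Gerard on cloud cracking, and the reply on 7-Zip’s hashing not slowing brute force down enough) turn on one thing: how much work an attacker has to do per password guess, which is fixed by the archive format’s key derivation. The following is an added example written for this page; it is not code from the thread, from AxCrypt or from the 7-Zip project. It reimplements the 7z AES key derivation as I read it from 7-Zip’s source (7zAes.cpp): a single SHA-256 stream fed, for each of 2^cyclesPower rounds, with salt, the password encoded as UTF-16LE, and a 64-bit little-endian round counter; the default cyclesPower of 19 and empty salt are also taken from that reading and should be treated as my assumptions. The second function is just the arithmetic behind any cracking-time estimate (guesses × rounds per guess ÷ rounds per second) so you can plug in your own keyspace and hardware figures rather than take anyone’s number on trust.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
	"unicode/utf16"
)

// sevenZipKey derives the AES-256 key for a 7z archive the way 7-Zip's
// 7zAes.cpp does, as I read that source (assumption, not verified against
// the project): one SHA-256 computation that is fed, for each of
// 2^cyclesPower rounds, with salt || password (UTF-16LE) || 64-bit LE counter.
// 7-Zip's defaults are cyclesPower = 19 and an empty salt.
func sevenZipKey(password string, salt []byte, cyclesPower uint) []byte {
	// 7-Zip hashes the password as UTF-16LE code units, not as UTF-8 bytes.
	pw := make([]byte, 0, 2*len(password))
	for _, u := range utf16.Encode([]rune(password)) {
		var b [2]byte
		binary.LittleEndian.PutUint16(b[:], u)
		pw = append(pw, b[:]...)
	}

	h := sha256.New()
	var counter [8]byte
	rounds := uint64(1) << cyclesPower
	for round := uint64(0); round < rounds; round++ {
		h.Write(salt)
		h.Write(pw)
		binary.LittleEndian.PutUint64(counter[:], round)
		h.Write(counter[:])
	}
	// One Sum at the end: the rounds lengthen the hashed stream rather than
	// chaining separate digests, but the attacker still pays for every round.
	return h.Sum(nil)
}

// guessSeconds is the cost model behind any "it takes N hours" claim:
// number of candidate passwords, times 2^cyclesPower rounds per candidate,
// divided by how many rounds per second the attacker's hardware sustains.
// It treats a round as one unit of SHA-256 work, which is a rough simplification.
func guessSeconds(guesses float64, cyclesPower uint, roundsPerSecond float64) float64 {
	return guesses * math.Ldexp(1, int(cyclesPower)) / roundsPerSecond
}

func main() {
	// Constructed demo password; the printed key is only useful for comparison.
	key := sevenZipKey("correct horse", nil, 19)
	fmt.Println("AES-256 key:", hex.EncodeToString(key))

	// Two attacker scenarios at an assumed 1e9 rounds/second:
	// an 8-character [a-z0-9] password exhausted, and a 1e6-entry wordlist.
	keyspace := math.Pow(36, 8)
	fmt.Printf("exhausting %.3g guesses: %.0f s\n", keyspace, guessSeconds(keyspace, 19, 1e9))
	fmt.Printf("1e6-entry wordlist:      %.0f s\n", guessSeconds(1e6, 19, 1e9))
}
```

Run it once with cyclesPower 19 and once with a small value and time the difference; that gap, multiplied by the size of the password space, is the whole argument about whether a given archive is worth an attacker’s cloud budget.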
Robert M
Wow! I’m amazed to learn that encrypted ZIP’s are so easily broken. That is scary! I’ve never used WinZip or 7Zip as primary encryption solutions, but I’ve recommended them to others. I figured if they used AES they should be fine. Obviously I would starve as a cryptographer. Live and learn.
Gerard
Wow! I’m amazed to learn that encrypted ZIP’s are so easily broken. That is scary! I’ve never used WinZip or 7Zip as primary encryption solutions, but I’ve recommended them to others.
Please don’t let what I’ve said deter you from recommending ZIP files to other people because they do provide a good degree of security for the average person.
Assume Bob wants to send his cousin Eve his holiday photographs. Bob doesn’t have a fast upload speed (or he’s got limited data) and/or Eve has a slow download speed (or limited data). His collection averages at about 5GB so he decides to mail it on a DVD. Because 5GB is too big for the average DVD he makes a ZIP file and for privacy adds a password. The compressed size is 3.5 GB and the password is 16 characters long.
This scenario is a perfect example of where ZIP is the most appropriate format. Even if the disk got lost in the mail anybody finding it wouldn’t be able to open it. Whilst they might be nosy and try the DVD in their computer, they’re unlikely to:
- Upload the contents of the DVD to a distributed cloud service (time consuming and expensive)
- Have access to the relevant password cracking software and know how to use it and
- Be willing to pay for the server costs for running the password software until it breaks the encryption
It doesn’t make sense for them to do that; nobody is that nosy!
Now if Bob was the head of an international criminal gang then police may surreptitiously intercept the mail, copy the files, put the disk back into the postal system and then get busy cracking it. The difference is that he’d be worth the time and effort.
If you’re emailing files to somebody then a ZIP file (or AxCrypt file) make good sense. Most email servers now use TLS which encrypt the traffic to-from the mail services (e.g. Outlook to Gmail). Whilst an employee of either organization can read the contents of the emails it is quite a bit more difficult (but by no means impossible) to view the contents. Even if they managed to do so, providing you use a password protected ZIP, then they’re not going to be able to view the data without more expense (on top of the time/cost breaking the email TLS).
I figured if they used AES they should be fine. Obviously I would starve as a cryptographer. Live and learn.
There’s an old joke:
If You’re Typing the Letters A-E-S Into Your Code You’re Doing It Wrong
You can also mess things up if you use an insecure mode of operation like ECB; for many purposes I’d recommend GCM. If you’re interested in learning more about AES there’s an excellent lecture on YouTube but you need some understanding of mathematics.
The majority of programmers aren’t cryptographers, I think Svante is a programmer primarily, but he uses BouncyCastle which is a respected cryptographic library designed by professional cryptographers thus he can rely upon it being well-designed and secure.
From a very cursory glance at the various parts of AxCrypt’s source code it looks okay to me but only a detailed audit could confirm this.
Whilst AxCrypt has a freemium business model 7-Zip is free. The 7-Zip maintainer is less responsive than Svante and there are dozens of outstanding bugs in 7-Zip [1], [2], [3], [4], [5]. Bugs 3, 4 and 5 are potentially very dangerous. Those are a small selection; you can look up the others yourself.
I’m not blaming 7-Zip, I’m guessing their developer has no source of income from the software, but it goes to show you how easily catastrophic errors can be made in the programming and why relying on exclusively free software can be a bad idea.
Even if you manage to design a super secure encryption program with proper implementation of the cryptography you’ve then got to trust the operating system, the antivirus, other software on the system and the array of hardware in your system. It’s all about making your system as secure as possible and hoping that the hackers will go elsewhere. If you’re targeted there’s little you can do to protect yourself.
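Gerard’s point about “typing the letters A-E-S into your code” and his ECB versus GCM remark are easier to see in a program than in prose. The following is an added example written for this page, not code from the thread, from AxCrypt or from any library it mentions; it uses only the Go standard library and a constructed sample record. The first function is the mistake: applying the raw AES block function block by block (ECB), which Go deliberately does not ship as a mode, so that identical plaintext blocks produce identical ciphertext blocks. The second pair uses AES-GCM, which hides that structure and authenticates the ciphertext, so a flipped bit is rejected instead of being silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block on its
// own. This is the "I typed AES so it must be secure" anti-pattern: with no
// chaining or nonce, equal plaintext blocks give equal ciphertext blocks.
// No padding is done; the plaintext must be a whole number of blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that occur more than once.
// Under ECB the count mirrors repetition in the plaintext; under a proper
// mode it is 0 except by astronomically small chance.
func repeatedBlocks(ciphertext []byte) int {
	seen := map[string]int{}
	for i := 0; i+16 <= len(ciphertext); i += 16 {
		seen[string(ciphertext[i:i+16])]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c - 1
		}
	}
	return n
}

// gcmSeal encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag. The tag binds the ciphertext, so any change
// to it (or to the nonce) is detected by gcmOpen.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails if the authentication tag does not verify.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key, never reuse one like this
	// Constructed sample record: three 16-byte blocks, the last two identical.
	plaintext := []byte("ACCOUNT=00001234SECRET=topsecretSECRET=topsecret")

	ecb, _ := ecbEncrypt(key, plaintext)
	fmt.Printf("ECB: %d repeated ciphertext block(s)\n", repeatedBlocks(ecb))

	sealed, _ := gcmSeal(key, plaintext)
	fmt.Printf("GCM: %d repeated ciphertext block(s)\n", repeatedBlocks(sealed[12:]))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := gcmOpen(key, sealed); err != nil {
		fmt.Println("GCM rejected tampered ciphertext:", err)
	}
}
```

The ECB count is the leak Gerard is pointing at: an attacker who cannot read a single byte can still see which records share a field. The GCM rejection is the other half of “doing it right”: the decryptor refuses to act on data that was not produced with the key, which no unauthenticated mode gives you.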