Update
You can now encrypt plain text, so anything you want. With this, you can send sensitive information over insecure channels or share publicly with real plausible deniability. (below 2000 characters works without issue)
Changes
I rebuilt the system with a different encryption design, and addressed many of the flaws pointed out in V1.
I really wanted any password to always decrypt, so you never know if you are right. I found the XOR algorithm that does this, but there is an entropy problem: an incorrect password will almost always output non-common characters. I attempted to solve this at its core by diving into the math and some research papers, but got nowhere, as it seemed to be almost impossible.
I tried finding an algorithm that would give me perfect plausible deniability, so if you shared a link X with a password you could use a different password and get Y, saying you never intended to share X. It doesn’t exist 😢. I came up with a workaround by adding decoys, which are mutable XOR ciphers joined; it allows you to set what other data is included, so you can tailor your alibi.
Here is the demo link. There are three memes you can find.
Passwords: test1, test2, test3
Safety
It should be safe to share data encrypted with this method. I did some basic brute force tests and did not find any shortcuts; I have a rough estimate of a billion years on a server farm for a 12-digit password.
Considerations
@calcopiritus@lemmy.world said:
“There’s 2 secrets here: the link and the password. And to share it with someone you need to share 2 secrets: the locked link and the password.”
A strong password is almost impossible to crack, but you can use a popular text link tool like pastebin with expiry to mask the encrypted data. As for eliminating the password, I have considered using the site as the ‘shared secret’, so you share just the cipher, and if you know the URL you can paste it in, and it would be encrypted/decrypted with a derived key stored by the site.
It’s XOR(key, block) with IV and chaining: https://github.com/RommieEcho/qrcatalyst-open/blob/main/src/routes/anon/XORCipher.js
Since it’s chained at the byte level, you can strip it out by just XORing each byte against all following bytes. Then the IV can be XORed out of the first block, at which point you have just a series of XOR(key, plaintext) blocks that can be attacked with conventional methods.
:(
tech noob here, why is what he did bad?
Cryptography is the practice of hiding and protecting information.
Modern cryptography is about computer algorithms.
These computer algorithms are notoriously hard to invent, and even just to implement.
Cryptography is a constant cat and mouse game. Some people will attempt to build new algorithms, and some people will be trying to break these algorithms. In some situations people are doing this benevolently, where researchers will look for weaknesses so they can be fixed. In other situations people are malicious and are looking for weaknesses to exploit them.
Inventing a new algorithm usually takes years, and then it’s researched for even more years to make sure there are no obvious weaknesses.
Then people implement these algorithms and these implementations are then again researched for long times to look for weaknesses.
Inventing a new algorithm is insanely hard, and only a rather small number of people around the world have had decent success.
But even if you have a good algorithm that is theoretically secure, then when you try to implement it in actual code, it’s again incredibly easy to make mistakes that completely undermine the security.
What the OP did was to try to invent a new algorithm. OP's algorithm is very flawed and easily broken. Then OP wrapped it in a web page that purported to allow you to securely encrypt something, and used words like “crazy strong encryption”, which could lead others to think the service is safe and secure and rely on it for something critical, only for their security to be utterly compromised.
The mantra in the security community is “Don’t roll your own crypto”, and OP rolled their own crypto, and failed, without giving a proper disclaimer.
Understood, and thank you very much for the summary