Security > Security and Encryption Algorithms

CryptoForge employs four strong cryptographic algorithms to protect data: Blowfish, AES (Advanced Encryption Standard), TripleDES and Gost. At present, there is no way to break any of these algorithms, except for trying all possible keys. If one billion computers were each searching one billion keys per second, it would take over 10^24 years to recover information encrypted with a 168-bit algorithm (in comparison, the age of the universe is 10^9 years). In addition, CryptoForge implements mechanisms against modifications in its code: when executed, it verifies the algorithms against test vectors provided by their designers.

The four encryption algorithms implemented in CryptoForge are Block Ciphers; they encrypt data in block units rather than a single bit at a time. The algorithms are employed in Cipher Block Chaining mode, in which the original data is XORed with the previous ciphertext before encryption. On the first encryption, a randomly-generated Initialization Vector is used as the ciphertext. CBC mode ensures that even if the data contains many identical blocks, they will each encrypt to a different ciphertext block.

Passphrases are processed according to the Cryptography Standard PKCS#5 v2.0.

Authentication is ensured by the use of a Hash Message Authentication Code (HMAC).

Even though CryptoForge allows encryption with more than one algorithm at the same time, for most users this could be considered excessive, because the level of protection provided by any of the encryption algorithms is (at least in the unclassified world) high enough. However, if information had to be protected for many years, multiple encryption would keep the information secure for a longer period of time. Moreover, since it is actually surprisingly difficult to determine just how good an encryption algorithm is, multiple encryption could protect information even if an unknown weakness existed in one of the encryption algorithms employed. The impact of multiple encryption on performance can be assessed on the Algorithms page. When encrypting with more than one encryption algorithm, changing the order in which they are used should add another problem to a hardware-based attack (i.e. an array of special chips trying trillions keys per second).

File shredding is accomplished by writing a pattern of all ones, zeros, and a stream of pseudo-random data, iterating the number of times specified by the user. The file name is overwritten as well. The length of the file is then truncated to zero, and finally the file is deleted.