Quantum safe cryptography for file encryption

Basic description of strong and secure file encryption

Information encryption solution CRYPTOOL512 v1.2 is an application which, together with the CBA v3.4 Central Security Authority cryptographic protection tool, forms a system designed for very strong and secure file encryption. The CRYPTOOL512 system is built on the basis of quantum secure cryptography. It thus ranks among the means of post-quantum cryptography, which is a term for cryptography that is resistant to quantum computing.

It is a system of files data protection stored on storage media intended for storing files, or in devices with a file system accessible after their connection to the Windows operating system. Protection is performed by encryption using a very strong encryption algorithm and other cryptographic functions designed for post-quantum cryptography.
The use of the CRYPTOOL512 system assumes the use of well-secured technical means, specifically computers for CBA, as well as the installation of the CRYPTOOL512 v1.2 application for file encryption. It is also necessary to use devices for storing encryption keys and initialization-activation sequence for the encryption algorithm SEA512 used in the application. USB GNT tokens with a cryptoprocessor are used for this purpose.
The CRYPTOOL512 system allows you to securely encrypt even very large files, as it uses a 512-bit encryption key. The encrypted text in the target files that is the result of the encryption process does not contain any side information, nor traces of periodicity and other traces of encryption that would help in the quantum calculations of the implemented encryption attack.

CRYPTOOL512 system description

The CRYPTOOL 512 system consists of two means of cryptographic information protection:

  • Central Security Authority v3.4, shortly CBA
  • User application CRYPTOOL512 v1.2
The CBA is installed on a computer which, as a special technical device, is modified so that it is separated from the network, is equipped with an additional PCI card CODESTAR 4 DSP and has installed security settings issued by the NSA SR. The CBA software itself is installed in the “CRYPTSRV” directory, where the CBA system files are located. In addition, drivers are installed in the PC to support the PCI card, cryptomodule, USB GNT tokens and ISO 7816 chip card emulation. The CBA PC must never be connected to the network and the Internet. Updates are not necessary and undesirable for security reasons. In addition to the CBA software, it is not desirable to install additional software on the PC. These are security requirements. The network card on the PC main board must be hardware blocked in the BIOS.

The CRYPTOOL512 v1.2 user application is installed in the hardware of the computer hardware of the computer on which the encryption or decryption of the files is performed. The application is developed with security in mind.

Operation of the CRYPTOOL512 application is simple and the application of statements leads the user to achieve the result of the selected function. During the execution of the application functions, an audit record is also performed in the event log, which is encrypted. Lateral information about the processed files is stored in a database, which is used automatically and in the background for decryption. All side information thus remains in the client’s PC. The resulting contents of the encrypted file do not contain any side information. This is important in terms of post-quantum cryptography requirements. Encrypted text is not structured as it is with other applications.

Brief description of CRYPTOOL512 system features for Windows 7 to Windows 11 x64 processor family:

  • CRYPTOOL512 client software is designed for 64-bit NT (New Technology) operating systems, such as Windows 7 to Windows 11 for 64-bit processor architecture,
  • CBA software is designed for 64-bit Windows 11 operating systems,

files‘contents are encrypted without side information,

  • encryption is enabled only after successful authentication with the used GNT token and entering the number of the used encryption key and subsequent either automatic or manual initialization of the encryption context
  • encryption with high-quality and strong encryption algorithm SEA512 with a key stored outside the PC (with the CRYPTOOL512 system installed) will ensure a high degree of information protection stored in encrypted files,
  • is encrypted by an algorithm implemented according to BS,
  • the encryption system uses a software-implemented SEA512 algorithm with a 512-bit key for encryption,
  • CRYPTOOL512 system is enabled via the icon on the desktop, or via “Start” in the program list, or from the command line with the command “CRYPTOOL512”,
  • performed activities and events in the CRYPTOOL512 client software are recorded in the Security audit event log, which is encrypted,
  • The system is fully compatible with the key management provided by KRYPTOSERVIS software for the Central Security Authority (CBA).

User authentication passwords with a USB token have a maximum length of 8 characters. PIN codes with a length of 4 to 8 digits can also be used instead of passwords.

   Entire CBA CRYPTOOL512 security is built into the Windows 11 kernel. CRYPTOOL512 client functions are implemented using native Windows kernel functions for security reasons and to avoid buffering and caching of processed files.

Philosophy of the need to use new encryption algorithm

Symmetric encryption algorithms currently used, such as AES and SEA64 (a full-fledged non-degraded predecessor of GOST), use encryption keys with a maximum length of 256 bits (32 bytes). Nowadays, when the computing power of computers is constantly increasing and supercomputers and quantum computers are also mentioned, there is also a demand for the development of stronger encryption algorithms, which should form the basis of the so-called post-quantum cryptography. In the context of post-quantum cryptography, it is assumed that the encryption algorithm should work with at least a 512-bit encryption key. It is not a problem to use a key with a longer length, but the longer the key, the more time it takes for the processor to process the algorithm. From the cryptographic point of view, it is advantageous to use the Feistel scheme to implement the algorithm for several reasons, which are described in professional publications. A good compromise between algorithm processing speed and key length is to use a key with a length of 512 bits.

The use of a high-quality encryption algorithm is a necessary condition, but far from sufficient. To ensure the security criteria for encryption, set by globally recognized standards, it is necessary to provide several factors in the design and development of both a stand-alone algorithm, as well as in the implementation of the algorithm in the application environment and especially in the implementation of key economy. The strength of the encryption depends not only on the quality of the algorithm but also on the quality of the generated keys. Quality keys must be generated by a hardware-based nondeterministic generator. An important factor is the use of the Central Security Authority (CBA), which generates keys, oversees the quality of the key generator, performs statistical tests of the generated sequence according to standards (NIST 800-22) and FIPS, manages work with hardware security devices (tokens) and distributes keys to resources with encryption software installed.

The systems designed in such a way can then be used for individual classification levels. For the first level of classification “V” it is sufficient to use the implementation of the encryption algorithm in software form. However, for the second level of classification “D” and higher levels, the implementation of an encryption algorithm in a hardware device, for example in a PCI add-on card with a signal processor, is required.

SEA512 Encryption algorithm characteristics and its implementation

  1. SEA512 algorithm is implemented on the basis of Feistel scheme,
  2. The length of the processed key is 512 bits,
  3. The key is processed sequentially in 32 bits in 16 rounds,
  4. SEA512 is implemented in the ECB (Electronic Code Book),
  5. The ECB consists of so-called by simple exchange encryption using 16-tic rounds,
  6. Rounds are processed in ascending and descending order,
  7. 4 16-bit, 3 up and 1 down are used for single exchange encryption (SJZ),
  8. 4 16-tuples are used for decryption by simple exchange in the reverse order,
  9. 2 SJZ encryption or decryption operations are performed on the ECB with a block of 16 bytes,
  10. SEA512 uses large S-boxes (substitution boxes) with a size of 2 kilobytes,
  11. The structure of S-boxes is 2 * 4 * 256 bytes, which are 2 blocks of 4 permutation tables,
  12. S-boxes also form a long-term key and the characteristics of the ECB algorithm depend on them,
  13. S-boxes were generated by specially authorized software for the given purpose,
  14. 16 * 4 * 2 = 128 rounds are processed over the ECB with a block of 16 bytes,
  15. Processing of 64 rounds takes place over the ECB with a block of 8 bytes,
  16. The algorithm is implemented in a highly optimized form in assembler,
  17. An assembler of Intel and Amd processors is used,
  18. Optimization increased its processing speed about 3 times compared to the model in “C”,
  19. ECB SEA512 is used for 2 types of interfaces and encryption modes,
  20. One interface is compatible with the AES algorithm and has the same encryption modes,
  21. The second interface is compatible with the SEA64 algorithm and has the same encryption modes,
  22. CRYPTOOL512 uses GAMMA encryption as the main encryption mode,
  23. Thanks to the use of an encryption key with a length of 512 bits and 2 Kilobytes of S-boxes, the possibility of periodicity in the stream of gamma cipher blocks is highly suppressed, unlike other algorithms such as GOST, which has a key length of only 256 bits with S-boxes. only 128 bytes