Provided by: codecrypt_1.8-1build2_amd64 
NAME
ccr - The post-quantum cryptography encryption and signing tool
SYNOPSIS
ccr [OPTION]...
DESCRIPTION
ccr (short of Codecrypt) is a general purpose encryption/decryption signing/verification
tool that uses only quantum-computer-resistant algorithms.
General options:
-h, --help
Show a simple help with option listing.
-V, --version
Display only version information.
-T, --test
This option exists as a convenience for hackers - in this case, ccr initializes
itself, calls a test() function from source file src/main.cpp (that is meant to be
filled by testing stuff beforehand) and terminates. In distribution packages, it
will probably do nothing.
-R, --in <file>
Redirect standard input to be read from file instead from stdin. You can still
specify "-" to force reading from stdin.
-o, --out <file>
Redirect standard output to be written to file. You can specify "-" to force
writing to stdout.
-E, --err <file>
Redirect the standard error output to file. You can specify "-" to force writing to
stderr. Error output does not carry any data, but provides useful error messages
and metadata about what is happening, e.g. the identity of message signer or
details about why decryption or verification fails.
-a, --armor
Where expecting input or output of data in codecrypt communication format, use
ascii-armoring.
Codecrypt otherwise usually generates raw binary data, that are very hard to pass
through e-mail or similar text communication channels.
-y, --yes
Assume the user knows what he is doing, and answer "yes" to all questions.
Actions:
-s, --sign
Produce a signed message from input.
-v, --verify
Take a signed message from input, verify whether the signature is valid, and output
message content if the verification succeeded.
-e, --encrypt
Produce an encrypted message from input.
-d, --decrypt
Decrypt the message from input.
Note that the actions for signature/encryption and decryption/verification can be easily
combined into one command, simply by specifying both options usually as "-se" or "-dv".
Action options:
-r, --recipient <keyspec>
Specify that the message for encryption should be encrypted so that only the owner
of a private key paired with public key specified by keyspec can decrypt it.
-u, --user <keyspec>
Specify a private key to use for signing the message. If this option is empty, it
is defaulted from CCR_USER environment variable.
-C, --cleartext
When working with signatures, produce/expect a cleartext signature. The basic
property of cleartext signature is that the message it contains is easily readable
by users, therefore it is a very popular method to e.g. sign e-mails.
-b, --detach-sign <file>
On signing, produce a detached signature and save it to file. When verifying, read
the detached signature from file. Note that files that is being signed or verified
must be put into program's input (potentially using "-R" option.
-S, --symmetric <file>
Use symmetric cryptography.
When doing "sign" or "verify" operation, do not sign asymmetrically, but instead
generate file with cryptographic hashes that can later be used to verify if the
contents of input was changed.
When doing "generate", "encrypt" or "decrypt" operation, do not encrypt
asymmetrically, but instead generate or use a file with a key for specified
symmetric cipher. Use "-g help" to see available symmetric primitives. For
symmetric encryption to work, at least one stream cipher (marked with C) and at
least one hash function (marked with H, used to protect against malleability)
separated by comma need to be selected. Additionally, user can specify "longblock"
or "shortblock" keyword to manipulate size of internal encryption block structure
(longer blocks consume more RAM, but the ciphertext doesn't grow very much); or the
"longkey" flag which creates larger symmetric key to provide more key material to
the ciphers (which can help to protect against low-quality random numbers, but is
generally unnecessary and even considered to be a bad practice). It is also
possible to combine more stream ciphers and hash functions.
Purpose of the --symmetric option is that symmetric cryptography is a lot faster
than asymmetric, and symmetric primitives usually work also on very large files and
data streams, as they don't need to be fully copied into allocated memory for this
purpose. Thus, if working with a large file, process it symmetrically first, then
sign/encrypt the (tiny) symmetric file asymmetrically and send it along with the
(possibly encrypted) large file.
Key management:
In Codecrypt, each public key has a KeyID, which is basically a hash of its representation
that is used to identify the key globally. Each public key is stored along with a key
name, which is a convenience tool for users who can store arbitrary information about e.g.
what is the key meant for or who it belongs to. Public keys also have an algorithm
identifier to specify how to work with them, and sometimes also attached a private key to
form a secret "keypair".
Keys can be specified using several methods:
Using KeyID -- the key specification starts with @ and continues with several first
characters of the KeyID that identify a single key with that prefix.
Using a name -- key specification consists of a string, a key is then matched if its name
contains the specified string. Matching is case-insensitive.
-g, --gen-key <algorithm>
Generate a keypair for usage with specified algorithm. Use "-g help" to get list of
all algorithms available. Listing also contains flags "S" and "E", meaning that
algorithm can be used for signatures or encryption, or "H" and "C" for usage with
symmetric hashes and ciphers. In asymmetric case (where the algorithm names are
long) the supplied algorithm name does not need to be a full name, but must match
only one available algorithm.
-N, --name <keyname>
Specify that affected keys (those being imported, generated, exported or renamed)
should be newly renamed to keyname.
-F, --filter <keyspec>
When listing, importing or exporting keys, only process keys that match keyspec.
-k, --list
List available public keys.
-K, --list-secret
List available private keys (in keypairs).
-i, --import
Import public keys.
-I, --import-secret
Import private keypairs.
-n, --no-action
On import, do not really import the keys, but only print what keys and names will
be imported. This is useful for preventing accepting unwanted private or public
keys.
-f, --fingerprint
When printing keys, format full KeyIDs. Note that full KeyIDs can be used in
similar way as fingerprints known from other crypto tools.
-p, --export
Export public keys in keyring format.
-P, --export-secret
Export private keys. (Do this carefully!)
-x, --delete <keyspec>
Remove matching keys from public keyring.
-X, --delete-secret <keyspec>
Remove matching keys from private keypairs.
-m, --rename <keyspec>
Rename matching public keys. Use "-N" to specify a new name.
-M, --rename-secret <keyspec>
Rename matching private keys.
-w, --with-lock <file>
When loading the secret part of the keyring, decrypt the file using the specified
shared key. If that file looks encrypted and -w is not specified, asking for the
password interactively (i.e. "-w @") will be assumed.
FILES
Codecrypt stores user data in a directory specified by environment variable CCR_DIR, which
defaults to "$HOME/.ccr". It contains the files "pubkeys" and "secrets" which are sencode
keyring representations of user's public and private keyring.
Backups of user data (i.e. for each file the last state that was loaded successfully) are,
on each change, written to files "pubkeys~" and "secrets~".
When Codecrypt is running, it locks the ".ccr" directory using a lockfile "lock" and
applying flock(2) to it.
For seeding the random number generator, Codecrypt uses data from "/dev/random" for
generating keys and "/dev/urandom" for everything else, e.g. nonces or envelopes. Both
cases can be overridden at once by specifying some other filename in environment variable
CCR_RANDOM_SEED.
RETURN VALUE
ccr returns exit status 0 if there was no error and all cryptography went fine, or 1 on
generic errors. If the error was that a missing hash algorithm or a public or private key
was needed to complete the operation, 2 is returned. If signature or hash verification
fails (e.g. the signature is bad or likely forged), the program returns 3.
ALGORITHMS
Program offers several "algorithms" that can be used for signatures and encryption. Use
"ccr -g help" to get a list of supported algorithms.
FMTSeq-named schemes are the Merkle-tree signature algorithms. The name FMTSEQxxx-
HASH1-HASH2 means, that the scheme provides attack complexity ("bit security") around
2^xxx, HASH1 is used as a message digest algorithm, and HASH2 is used for construction of
Merkle tree.
McEliece-based encryption schemes are formed from McEliece trapdoor running on quasi-
dyadic Goppa codes (the MCEQD- algorithms) and on quasi-cyclis medium-density parity-check
(QCMDPC- ones) with Fujisaki-Okamoto encryption padding for CCA2. Algorithm name
MCEQDxxxFO-HASH-CIPHER means that the trapdoor is designed to provide attack complexity
around 2^xxx, and HASH and CIPHER are the hash and symmetric cipher functions that are
used in Fujisaki-Okamoto padding scheme.
As of November 2015, users are advised to deploy the 2^128-secure variants of the
algorithms -- running 2^128 operations would require around 10^22 years of CPU time (of a
pretty fast CPU), which is considered more than sufficient for any reasonable setup and
using stronger algorithms seems just completely unnecessary.
Note that using stronger algorithm variants does not come with any serious performance
drawback and protects the user from non-fatal attacks that decrease the security of the
scheme only by a small amount -- compare getting an attack speedup of 2^20 on a scheme
with 2^80 bit security (which is fatal) with getting the same speedup on a scheme with
2^128 security (where the resulting 2^108 is still strong).
For comparison with existing schemes, 2^128 security level is very roughly equivalent to
that of classical RSA with 3072bit modulus (which is, accordingly to the best results
available in June 2013 for general public, reported to provide roughly 2^112 attack
complexity).
For another comparison, a very good idea about the unbelievably insane amount of energy
that is actually needed for brute-forcing 2^256 operations can be obtained from Wikipedia,
which estimates the size of whole observable universe (!) to around 2^270 atoms.
All algorithms are believed to be resistant to quantum-computer-specific attacks, except
for the generic case of Grover search which (in a very idealized case and very roughly)
halves the bit security (although the attack remains exponential). Users who are aware of
large quantum computers being built are advised to use 2^192 or 2^256 bit security keys.
PASSWORD-DERIVED SYMMETRIC KEYS AND PASSWORD-PROTECTED SECRETS
Symmetric keys can be specified using a filename, or expanded from a password (which is
convenient e.g. for protecting private keys): If the filename for -S starts with "@",
program will first check the rest of the filename to find a symmetric cipher algorithm
specification, as in -g. If nothing is specified, it will check CCR_SYMMETRIC_ALGORITHM
environment variable, and if that is still unspecified, it will default to
"SYM,SHORTBLOCK". The reason for defaulting the short blocks is that the functionality
focuses on tiny keys.
After the symmetric algorithm is chosen, program will try to get the password from
environment variable CCR_SYMMETRIC_PASSWORD. If that variable is not set, it will ask the
user for the password interactively.
The password will be expanded to internally form a symmetric key for the specified
algorithm, which will in turn be used for the requested action.
Symmetric and private keys may be encrypted by a password or a symmetric key. Parameter
-w accepts the same arguments as -S, with the exception that the resulting loaded or
internally generated symmetric key will be used to encrypt or decrypt symmetric and
private keys when required:
Actions -L and -U can be used to lock, resp. unlock private keys (specific keys to be
modified can be selected using --filter) or symmetric keys (if used together with -S).
Action -g can be modified by -L in the same way.
The environment variables used for automatically-specifying the password in this case are
separate from the previous ones: CCR_KEYRING_PASSWORD and CCR_KEYRING_ALGORITHM for
locking/unlocking private keys, respectively CCR_SYMKEY_PASSWORD and CCR_SYMKEY_ALGORITHM
for specifying symmetric key used to unlock other symmetric keys (even the ones that are
themselves used for locking other keys).
WARNINGS AND CAVEATS
General advice
Codecrypt does not do much to prevent damage from mistakes of the user. Be especially
careful when managing your keyring, be aware that some operations can rename or delete
more keys at once. Used cryptography is relatively new, therefore be sure to verify
current state of cryptanalysis before you put your data at risk.
Current state of cryptanalysis
In a fashion similar to aforementioned `new cryptography', the original algebraic variant
of quasi-dyadic McEliece that is still in codecrypt (MCEQD* algorithms, kept for
compatibility purposes) has been broken by an algebraic attack. Security is greatly
reduced. Use the QC-MDPC variant which dodges similar attacks.
Large files
Codecrypt is not very good for working directly with large files. Because of the message
format and code clarity, whole input files and messages are usually loaded into memory
before getting signed/encrypted. Fixing the problem requires some deep structural changes
in Codecrypt that would break most of the achieved internal simplicity, therefore the fix
is probably not going to happen. You can easily workaround the whole problem using
symmetric ciphers (for encryption of large files) or hashfiles (for signatures of large
files). See the --symmetric option.
FMTSeq signatures
FMTSeq signatures are constructed from one-time signature scheme, for this reason the
private key changes after each signature, basically by increasing some counter. IF THE
PRIVATE KEY IS USED MORE THAN ONCE TO SIGN WITH THE SAME COUNTER AND THE SIGNATURES GET
PUBLISHED, SECURITY OF THE SCHEME IS SEVERELY DAMAGED. Never use the same key on two
places at once. If you backup the private keys, be sure to backup it everytime after a
signature is made.
If something goes wrong and you really need to use the key that has been, for example,
recovered from a backup, you can still "skip" the counter by producing and discarding some
dummy signatures (ccr -s </dev/null >/dev/null). If you plan to do that for some real
purpose, for your own safety be sure to understand inner workings of FMTSeq, especially
how the Diffie-Lamport signature scheme degrades after publishing more than one signature.
FMTSeq can only produce a limited amount of signatures (but still a pretty large number).
When the remaining signature count starts to get low, Codecrypt will print warning
messages. In that case, users are advised to generate and certify new keys.
Working with keys
Try to always use the "-n" option before you actually import keys -- blind import of keys
can bring serious inconsistencies into your key naming scheme.
In a distant universe after much computation, KeyIDs can collide. If you find someone who
has a colliding KeyID, kiss him and generate another key.
Own sources of random seed
Using CCR_RANDOM_SEED is slightly counterintuitive and dangerous, use it only for
debugging.
If your system does not have /dev/(u)random, make a port by choosing a safe value in the
source code instead of specifying the seed each time you invoke Codecrypt.
If the seed source of your system can not be trusted, fix the system instead.
Password-derived symmetric keys
Passwords are weak and, if times did not change and humanoids are still humanoids, you are
prone to $5 wrench attacks.
Combination of -L and -S options can be exploited to output a password-expanded key to a
file. Doing that for any real purpose is a bad idea.
Troubleshooting/FAQ
Q: I can't read/verify messages from versions 1.3.1 and older!
A: KeyID algorithm changed after that version. If you want, you can manually rewrite the
message sencode envelopes to contain new recipient/signer KeyIDs and new message
identificators, things should work perfectly after that.
Q: I can't read/verify messages from versions 1.7.4 and older!
A: There was a mistake with no security implications in Cubehash implementation. Same
advice as in previous case applies.
Q: Some signatures from version 1.5 and older fail to verify!
A: There was a slight mistake in padding of messages shorter than signature hash function
size (64 bytes in the 256-bit-secure signature types) with no security implications. It
was decided not to provide backward compatibility for this minor use-case. If you really
need to verify such signatures, edit the msg_pad function in src/algos_sig.h so that the
`load_key()' function is called on empty vector instead of `out'.
Q: My Cubehash-based FMTSeq key produces invalid signatures after version 1.7.5!
A: Cubehash was corrected to obey standards in 1.7.5. It is possible to generate a new
public key that would work with your private key, but the general advice is just to
generate a new key.
Q: I want to sign/encrypt a large file but it took all my RAM and takes ages!
A: Use --symmetric option. See the `CAVEATS' section for more details.
Q: How much `broken' is the original quasi-dyadic McEliece?
A: The private key of proposed dyadic variant by Misoczki and Barreto can be derived from
the public key with standard computer equipment pretty quickly.
EXAMPLE
Following commands roughly demonstrate command line usage of ccr:
ccr -g help
ccr -g sig --name "John Doe" # your signature key
ccr -g enc --name "John Doe" # your encryption key
ccr -K #watch the generated keys
ccr -k
ccr -p -a -o my_pubkeys.asc -F Doe # export your pubkeys for friends
#see what people sent us
ccr -ina < friends_pubkeys.asc
#import Frank's key and rename it
ccr -ia -R friends_pubkeys.asc --name "Friendly Frank"
#send a nice message to Frank (you can also specify him by @12345 keyid)
ccr -se -r Frank < Document.doc > Message_to_frank.ccr
#receive a reply
ccr -dv -o Decrypted_verified_reply.doc <Reply_from_frank.ccr
#rename other's keys
ccr -m Frank -N "Unfriendly Frank"
#and delete pukeys of everyone who's Unfriendly
ccr -x Unfri
#create hashfile from a large file
ccr -sS hashfile.ccr < big_data.iso
#verify the hashfile
ccr -vS hashfile.ccr < the_same_big_data.iso
#create (ascii-armored) symmetric key and encrypt a large file
ccr -g sha256,chacha20 -aS symkey.asc
ccr -eaS symkey.asc -R big_data.iso -o big_data_encrypted.iso
#decrypt a large file
ccr -daS symkey.asc <big_data_encrypted.iso >big_data.iso
#password-protect all your private keys
ccr -L
#protect a symmetric key using another symmetric key
ccr -L -S symkey1 -w symkey2
#password-protect symkey2 with a custom cipher
ccr -L -S symkey2 -w @xsynd,cube512
DISCLAIMER
Used cryptography is relatively new. For this reason, codecrypt eats data. Use it with
caution.
AUTHORS
Codecrypt was written by Mirek Kratochvil in 2013-2017.