Migrating from Google Domains to CloudFlare. Also I'm going to Washington D.C. LOL.
PyQuCryptor is a modern, "post-quantum", open-source, encryption application. AES-256-CTR is the cipher used to encrypt the files. Then encryption keys are encrypted with AES-256-CTR again but this time with a key derived from the user generated password. This is a project for the Congressional App Challenge, but unlike most people with their apps for the challenge, I actually plan to support this for as long as possible. But keep in mind that the update frequency will be very random as I am lazy.
The program is licensed under the BSD-3 Clause No Nuclear 2014 license, which is a free and open source license. The program is purely written in Python and is made for Python 3.12 and 3.11 (3.12 came out during development and we just decided to port it over). PyQuCryptor has binaries for Windows and a MacOS port coming (if I ever got around to it).
- User enters a password.
- Program generates a random salt for the password.
- Program combines salt and password to generate an encryption user-key (256 bits) using PBKDFv2-SHA3-256 with 2^20 iterations.
- Program generates a random encryption key (256 bits) and a random nonce (11 bits*) used for the encryption of the file.
- Program encrypts the file using AES-256-CTR with the random key and nonce.
- The program would then hash the original file with SHA3-512.
- Program generates another random nonce (12 bits), or outer nonce.
- Program uses the outer nonce and the user-key to encrypt the random key, the random nonce, and the hash of the original file, this is called the encrypted header.
- This also gets hashed again with SHA3-512.
- The salt used to generate the encryption key, the outer nonce and the hash of the encrypted header gets written, then the encrypted file header, and finally the encrypted file.**
* AES-256-CTR with a 11-byte nonce is used due to the limitaion of a 12-byte nonce only allowing for the encryption of up to 64 GiBs of data, 11 bytes would allow for 16 TiBs of data.
** The encrypted file is 207 bytes longer than the original due to the addition of the file headers.
I wanted this app to provide quantum resistant encryption, and as such, I used AES-256-CTR. I chose a 11-byte nonce for the encryption of the file simply due to the need of large amount of encrypted data. 12 bytes would only allow for the encryption of 64 GiB (Gibibytes, 2^30 bytes). AES-GCM would be the better choice, but it has a file limit of 64 GiBs and I do not want to mess with padding for AES-CBC, plus AES-CTR is relatively easy to implement
I chose a 2 phase encryption setup due to the need of brute force protection and speed for determining that the entered password is wrong. If I chose to encrypt the entire file using the user-key then the program would have to wait until the entire file finishes decrypting. The extra time it would take to calculate the user-key, decrypt the internal header, and hash + verify it would take some extra time that is not noticeable to the average user but noticeable to anyone trying to brute force it.
The program limits users to passwords 12 letters and up and blocks them from using the same character 4 times in a row to allow for greater randomness in the user's password. The most easy way to break state-of-the-art encryption is to simply guess the password. But by forcing the user to use a strong password, this is relatively mitigated and teachs the user about strong password habbits.
The GUI for PyQuCryptor borrows from Mullvad VPN. Mullvad VPN features a quite frankly amazing GUI and I took design insipirations from it. Another person originally wrote the code for the GUI, but I have fixed it up a bit and improved it to fix the 2^256 global variables.
PyQuCryptor follows the KISS philosophy, Keep It Simple, (Because I'm) Stupid.
This information is provided to the best extent of my knowledge, there may be minor errors in the details. If you spot one, please open an issue on the GitHub repository here.