ATBASH.TXT -- DOCUMENTATION FOR ATBASH.EXE

WHAT IS THIS, ANYWAY?

This is a simple, efficient file encryption program that can also be used to
convert any binary file to a format that can be transmitted by Morse Code or
other similar techniques.

Features:

+ Can encrypt any text or binary file (without loss of data).

+ Ciphertext can be transmitted through various archaic channels, such as
  Morse Code or reading letters and numbers over a telephone.

+ Very small executable fits on a floppy disk with lots of room left over.

+ Very fast encryption, especially considering the strong security provided.

+ Encryption that is very difficult to break, even for professional
  cryptanalysts.

+ There are no intentional "back doors" or "weak links" to enable some
  criminal to pilfer your private files.

+ Can be used without encryption just to convert to an ASCII format and back
  (for uses where encryption is not allowed, like ham radio).

+ Uses the Sapphire Stream Cipher for excellent security with good speed.

+ Ciphertext can be transmitted via email.

+ Simple key management (memorized pass phrase).

Limitations:

- Ciphertext is always longer than the plain text file (about double the
  size, for most files).

- If you forget your pass phrase, your data is lost.  I can't get it back for
  you.

- There is no provision for law enforcement access to encrypted files, since
  any such scheme could be perverted by criminals (including some very
  expensive ideas being promoted by certain government agencies), and most
  people who would use this are basically honest, anyway.

- Does not overwrite and delete the plain text after encryption.  You need a
  separate utility to do that, like my DELETE in DEL104.ZIP or Norton's
  WIPEINFO.

- Only gives two options for entering the pass phrase (interactive prompt and
  on the command line).

- The Sapphire Stream Cipher is new, and although it looks good so far, it
  has not been reviewed extensively by others, and might possibly have a
  weakness in it somewhere.

- Does not automatically detect wrong pass phrases (produces garbage file,
  instead).


QUICK START

Syntax:
D:\MPJ\ATBASH\ATBASH.EXE [/d] inname outname [pass phrase]

/d means decrypt, default is encrypt.

inname is the name of the file to encrypt or decrypt.

outname is the name of the output file.  The output file may not already
exist, because ATBASH will not overwrite.

Entering the pass phrase at the prompt instead of the command line is more
secure, and some characters cannot be entered at the command line.

outname will be garbage if the pass phrase is wrong, but you will get no
warning message about this.  You have to check it yourself.


INSTALLATION

1.  Decompress the distribution archive.  

2.  You may wish to place ATBASH.EXE someplace in your DOS path.

3.  Read this file.


TO ENCRYPT A FILE

Simply run ATBASH with the input and output file names on the command line
(in that order).  You will be prompted for a pass phrase.  Type carefully,
since you must type EXACTLY the same pass phrase to decrypt your file.  Pass
phrases are case sensitive (Secret is not the same as sECRET, which is not
the same as sEcRet).

If you plan to delete the plain text file, and the data is important, then I
strongly recommend that you try decrypting the file first, and comparing the
results with the original file.  That way you know that you typed the pass
phrase correctly and that your copy of ATBASH is working correctly.  After
this test, you can then overwrite and delete the plain text without fear of
losing your data (unless you forget your pass phrase).

For example:
ATBASH DIARY.DOC DIARY.ENC

If you want to put the pass phrase on the command line, enter it after the
file names.  Note that some characters cannot be used on the command line
that can be used when entering a pass phrase at the prompt, like Esc and
|.  Also note that entering a pass phrase on the command line is not as
secure, since someone else with access to the same machine might be able to
recall that same command line (an easy task if DOSKEY is loaded) and learn
your pass phrase.


TO DECRYPT A FILE

Simply run ATBASH with /D (or /d) and the input and output file names on the
command line.  When prompted, enter the proper pass phrase.  If you entered
the right pass phrase, the decrypted file will contain the same data as the
one that was encrypted.  If you get the pass phrase wrong by even one letter,
the output will be total binary garbage.  You must manually check the output
to see if it makes sense, depending on what kind of file you encrypted.  If
you want a program that automatically detects mistyped pass phrases, I
recommend my QUICRYPT program or Philip Zimmermann's PGP instead of this one.

For example:
ATBASH /D DIARY.ENC DIARY.DOC

You may optionally enter the pass phrase on the command line after the output
file name if the pass phrase doesn't contain characters that the DOS Command
interpreter cannot pass through (like Esc, <, >, |, Ctrl-P, Ctrl-C, etc.).


TO ASCII ARMOR WITHOUT ENCRYPTING

This is the same as encrypting and decrypting, except that you just press
"Enter" when prompted for a pass phrase.


PICKING A GOOD PASS PHRASE

Obviously, if someone can guess your pass phrase, they can read your private
data.  One way to pick a good pass phrase that is hard to guess is to include
at least two unrelated words, mix upper and lower case, and include some
punctuation and numbers somewhere in the middle of the words.  Picking a
single word or common name (in any language) is a bad idea, even if you do
something like spelling it backwards or adding a punctuation mark at the end,
because there are password cracker programs that can check all of these in a
matter of hours on a fast enough set of computers.  Try for the longest, most
complex pass phrase that you can memorize reliably.  The maximum pass phrase
size is 254 characters.  When you enter a pass phrase at the keyboard prompt,
almost anything you can enter from the keyboard can be used as part of the
pass phrase, except for Enter, which indicates the end of the pass phrase.


TRANSMISSION OF CIPHERTEXT

The easiest way, of course, to get an encrypted message to someone is to
transfer it with a modem, on a disk, or by electronic mail.  If you want to
send a short encrypted message from your cellular telephone or a pay phone
somewhere, you can just read the ciphertext to someone.  When doing that, a
good way to prevent errors is to read the letters of the alphabet using
phonetics, or words beginning with the letter of the alphabet you are
reading.  One standard phonetic alphabet you can use is:

    Alpha
    Bravo
    Charlie
    Delta
    Echo
    Foxtrot
    Golf
    Hotel
    India
    Juliett
    Kilo
    Lima
    Mike
    November
    Oscar
    Papa
    Quebec
    Romeo
    Sierra
    Tango
    Uniform
    Victor
    Whiskey
    X-ray
    Yankee
    Zulu

ATBASH doesn't care if the letters are typed in as upper or lower case.  Note
that the numerals 0 and 1 don't occur in the ciphertext, so there is no
guessing if a character is the numeral 0 or the letter O, or if a character
is the numeral 1 or the letter I or l.  Since the output is all upper case,
the letters I and L should look different in almost any font.

The ciphertext is arranged as 13 five-character groups per line. if there is
an error in one of the characters, ATBASH will attempt to guess which line
the first error was in to help you find the error and correct it.


OTHER ENCRYPTION PRODUCTS

Some other encryption programs that you may wish to consider are available on
the Colorado Catacombs BBS (303-772-1062) and many other locations.  These
include DLOCK, PGP, CRYPTE, QUICRYPT, SFS, SECDRV, SECDEV.

PGP      is the best full-featured electronic mail encryption and signature
         program available.  Uses RSA and IDEA encryption algorithms.  There
         is a freeware version (with use restrictions) and a commercial
         version.

DLOCK    is one of the strongest single-key encryption programs available,
         and it comes with complete source code.  Uses the Diamond encryption
         algorithm.

CRYPTE   is good for encrypting and decrypting large numbers of files at a
         time.  Uses a proprietary cipher.

QUICRYPT is one of the most user friendly and easy to use file encryption
         programs available, but this one is "crippleware" in the sense that
         it was designed to be legally exportable (meaning that the NSA can
         read any message encrypted with QUICRYPT).  The non-exportable
         registered version, called QCRYPT, does not have this weakness
         designed into it, and offers an excellent combination of strength
	 and speed.  Even if you like ATBASH's ASCII output, you might like
         to use QCRYPT for encryption and ATBASH just for ASCII armoring.
	 Uses the Sapphire Stream Cipher.

SFS, SECDRV, and SECDEV all do on-the-fly disk encryption.


WHY THE NAME ATBASH?

Why not?  Atbash is the name of a simple substitution cipher over the Hebrew
alphabet that was used thousands of years ago.  Thanks to Rabbi Bryan for
this information.  The cipher used in this program is considerably more
complex than its namesake, but the name is a reminder that people have valued
privacy for a long time.


HOW DOES THE SAPPHIRE STREAM CIPHER WORK?

Very well, thank you.

Seriously, the Sapphire Stream Cipher works by modifying a permutation vector
with a feedback function that depends on the data being encrypted as well as
a set of five index variables.  Each byte output depends on eight bytes in
the permutation vector. The positions of five of the bytes in the permutation
vector get moved with each byte encrypted.  Obviously, this isn't a complete
description of the algorithm, but should be enough to let those who study
such things know that this isn't just one of the really weak ciphers that are
floating around.  The source code for the Sapphire Stream Cipher is included
in an encrypted (with ATBASH) .ZIP file (in SAPPHIRE.ENC) in the distribution
archive for ATBASH.  The pass phrase to unlock this file is available on
request to registered users in the USA and Canada who are U. S. or Canadian
citizens or permanent residents of the USA.

The Sapphire Stream Cipher is my own invention.  I've been trying to break and
make ciphers for over ten years, and studying all I can in the field.  My
master's thesis was in the area of cryptography.  This doesn't mean that this
cipher can't have a weakness in it that I don't know about, but at least I'm
not likely to make certain obvious mistakes.

The security of the Sapphire Stream Cipher is in the cryptographic key, which
is your pass phrase, so it is OK if people learn how the algorithm itself
works.  This is the case for any good encryption algorithm.


LEGAL NOTICES

ATBASH cipher program and documentation version 1.00 Copyright (C) 1994
Michael Paul Johnson. All rights reserved. This program comes with no
warranty, expressed or implied. It is your responsibility to determine if
this software is suitable and safe for your use before you use it. The nature
of encryption software is that data loss may be the result if you lose,
mistype, or forget your pass phrase. Although this may change after I write
this (and I hope it does), strong encryption software that cannot be easily
broken by the U. S. Department of Defense (like ATBASH) is considered a
munition (like nuclear bombs, fighter jets, missiles, bazookas, guns,
ammunition, and warships) by the U. S.  Department of State.  Therefore, I
will not export this program (except to Canada, which is subject to an
exemption in the regulations and which has similar export restrictions). I
advise you not to transmit this program to any location outside of the United
States of America and Canada without proper legal authorization.


REGISTRATION

This is shareware.  That means you can make copies and distribute it freely
(within the limits of other possibly applicable law), and try this program
for up to 60 days for free. If you continue to use this program after 60
days, you are required to register it. To register, send $49.00 for
registration with disks and printed documentation or $20.00 for registration
only, and the name of this program (ATBASH) to:

     Mike Johnson
     PO BOX 1151
     LONGMONT CO 80502-1151
     USA
     
Look for updates on the Colorado Catacombs BBS, 303-772-1062 (or in Denver,
Colorado, area, only, 303-938-9654).  The author can also be reached via the
Internet at m.p.johnson@ieee.org or on CompuServe at 71331,2332. 
Registration entitles you to mail or email support and notification of major
upgrades.


REGISTRATION & INVOICE

Note that the ATBASH software has been delivered and accepted by the
customer.  Upon receipt of this paid invoice, the printed documentation and
disks paid for (if any) will be sent.  Disks and manuals can only be sent to
U. S. or Canadian destinations.

Remit to:                       Ship to:

Mike Johnson                    ________________________________

PO Box 1151                     ________________________________

Longmont CO 80502-1151          ________________________________

USA                             ________________________________

                                                Contact person:

                                ________________________________

                                ________________________________

Quantity   Description                             Unit Price  Total

________   ATBASH registration with disk & manual.   $49.00  ______

________   ATBASH single copy registration only.     $20.00  ______

________   Site license for unlimited use of ATBASH
           at one corporation (includes one disk &
	   one manual).                             $295.00  ______

           Sales tax (if you are in Colorado)                ______

           Shipping and handling if a disk and manual
           has been ordered.                          $5.00  ______

                                                    Total    ______

Please check all that apply to you (and only those that apply to you):

__ I am a citizen of the United States of America or Canada.
__ I am not a citizen of the USA, but I am a permanent resident 
   (with a "green card").
__ I promise not to export ATBASH without proper legal authority and without
   registering every copy in use.
__ I promise not to give ATBASH to anyone who would export it without legal
   authority or use it without registering it.
__ I prefer 3.5" disks.
__ I prefer 5.25" disks.


_____________________________________________    _______________
Signature                                        Date                           



