Deadlock: Dead simple encryption

Update: In addition to implementing miniLock in Python (below), I have since also implemented it in Go, the library and tool for which can be found in the go-minilock repository.

It’s been over a year! I have written the occasional blogpost on indiebiotech.com in that time, but even that blog suffers. If I’m honest, and to provide flavour for the rest of this article, every time I was sitting at my keyboard and might otherwise have been motivated to write a post on something, I wrote programs instead. Why? Because, as a friend cautioned me once, “programming is like crack to a problem-solving mind”. Writing can be powerful, or simply cathartic, but it’s thrilling to create something and see it work.

Most recently, I wrote a piece of software which implemented the protocol of minilock.io, a Chrome plugin by the maker of Crypto.cat which provides secure file encryption for sending to others across the internet. I called my version deadlock, and it’s available here, here or by typing (in Linux with a recent version of Python installed) “sudo pip3 install deadlock”.


Why is something like this important? Allow me to frame it like this; if you want to send something privately, you could try making a zip-file with a password, sending the password to the recipient through a secure channel (what secure channel?) and then sending the file. But there are so many holes in that scheme; how do you get the passphrase to your friend securely, if you’re worried about sending files securely? Surely someone big enough to be listening on one channel (your internet connection) should be assumed to spy on the others (your phone)? Is it important that the file-list of encrypted zip-files is still visible to anyone?

Encryption of files to recipients in a secure way that does not rely on any trusted channels is actually a solved problem; so-called _asymmetric cryptography_ has been around for a long time, and free, trustworthy implementations of these systems are now decades old. The chief problem for the lay person is that such schemes have been implemented for technical users who understand the threats and the solutions they face at a deep level; when attempted by non-technical users, these systems frequently fail badly and leave users open to observation by dangerous adversaries (fascist governments, overweening employers, etc.).

This “user experience” (UX) problem has plagued well-known systems like PGP to the point that many privacy advocates, myself included, will not recommend the use of PGP to journalists, solicitors, whistleblowers or human rights advocates, let alone friends and family. Something designed for the non-technical which provides no-frills, sensible-defaults asymmetric encryption has been long in coming.

These days, post-Snowden etcetera, privacy is becoming chic at last. Sadly, most of the new privacy platforms emerging are complete snake-oil; they are usually closed-source (which means the programmer has something to hide from you, e.g. it is ineffective at best, outright spyware at worst), their protocol specifications are missing, poorly documented or open but worryingly ignorant, or they implicitly trust the programmers or providers to protect you (such as “private email servers” in nations that routinely imprison people for refusing to invade the rights of others).

There are a few good systems, and one of the ones I’ve taken an interest in is miniLock.io. miniLock is a plugin for Chrome written entirely in JavaScript. When run, it prompts the user for an email address and a secure passphrase (it will helpfully suggest high-security passphrases if you lack inspiration), and uses these to generate a miniLock “ID”; a string of ~45 random-seeming characters which can be used by others to send securely encrypted files to you.

The magic of asymmetric encryption means that you can safely post your ID anywhere without fear; the ID is only useful for encrypting files to you, and cannot be used to decrypt files. Only you, with your secure passphrase, can decrypt files sent to your ID.
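Because an ID is copied around as plain text, a client should check it before encrypting to it. The following is an added example, not code from deadlock or miniLock: it assumes the ID layout given in miniLock's published specification (Base58 of a 32-byte Curve25519 public key followed by a 1-byte BLAKE2s checksum) and the Bitcoin-style Base58 alphabet; the function names and the sample key are constructed for illustration.

```python
import hashlib

# Bitcoin-style Base58 alphabet (assumed to be the one miniLock uses).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not Base58")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(public_key: bytes) -> bytes:
    # One-byte BLAKE2s digest of the public key (assumed ID layout).
    return hashlib.blake2s(public_key, digest_size=1).digest()

def make_id(public_key: bytes) -> str:
    if len(public_key) != 32:
        raise ValueError("public key must be 32 bytes")
    return b58encode(public_key + checksum(public_key))

def parse_id(minilock_id: str) -> bytes:
    """Return the 32-byte public key, or raise ValueError on a bad ID."""
    raw = b58decode(minilock_id.strip())
    if len(raw) != 33:
        raise ValueError(f"decoded to {len(raw)} bytes, expected 33")
    key, check = raw[:32], raw[32:]
    if checksum(key) != check:
        raise ValueError("checksum mismatch: mistyped or truncated ID")
    return key

# Constructed sample key (not a real identity), round-tripped through both functions.
SAMPLE_KEY = bytes(range(1, 33))
SAMPLE_ID = make_id(SAMPLE_KEY)
assert parse_id(SAMPLE_ID) == SAMPLE_KEY
```

A one-byte checksum catches most typing and truncation errors but says nothing about who owns the key, so the ID itself still has to come from a source you trust.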

And, after generating this ID, miniLock offers a friendly interface to do just that; to encrypt files to others, and to decrypt files sent to you. You can encrypt to more than one person at once, so multi-party communication and file-sharing is practical using miniLock.

However, as impressive as miniLock is, its indelible tie to Chrome was too limiting for me. For starters, I don’t use Chrome or recommend it to others; the default settings amount to spyware anyway (everything you visit or see is sent to Google), so basing security software on top seems counterproductive. Also, as a plugin, miniLock has a great interface but is poorly accessible to other software, so it can’t easily be used to extend other parts of my computer experience. I think miniLock could be interesting as a preprocessor for sending and receiving email, or as a way to secure stuff shared through “cloud” folders like Dropbox (sorry, Condoleezza Rice!), but miniLock can’t be those things as a Chrome plugin.

So, I decided to write a new client for miniLock, in my favourite language; Python! Python 3 is a modern, cross-platform, flexible, rapid-to-write and easy to maintain language with huge library support. It’s perfect for applications like this, and it can be written into a text-only application (easily looped into email or dropbox, for example) or as a graphical user interface like the chrome plugin provides.

I won’t bore the reader with the intricate details of the process. Suffice to say that, because Python is a well-established and well-loved language, there were already implementations of the component algorithms and functions I needed; BLAKE2, Scrypt and NaCl. There was a Python 2 version of the password-assessment routine used in miniLock, too, so I decided to port it to modern Python and include it, too. Combining these into what would become deadlock, my Python implementation of miniLock, then took only a few days of off-and-on work.

The result is deadlock, and is considerably less user-friendly than miniLock. User-friendliness is already serviced quite well at this point by miniLock; my immediate goal was instead to create a Python module and terminal application that I and others could experiment with easily. deadlock can be installed on any system with a modern distribution of Python (that is, version 3.2 or greater, with the pip package manager) which has a C compiler for the core algorithms, by simply issuing (on a Debian-like flavour of Linux) sudo pip3 install deadlock.

Once installed, deadlock is available as a Python module (though bear in mind the API is not frozen and I may change public functions at this point without warning) and a terminal script by the same name. The script allows you to encrypt and decrypt files, prompting you for an email and passphrase each time and encrypting to you plus an arbitrary number of recipients.

For example, to encrypt a file to the user ID “JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM” (that’s me!), you would type:

deadlock encrypt "sillycatpicture.jpg" JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM

This will prompt you for your email and passphrase, use them to generate your ID on-the-fly (it is not stored in normal usage, as with miniLock), and encrypt the file to you and me as a new file with a random filename ending in “.minilock”.

Either of us (by default you are also a recipient on stuff you encrypt, you see) can later decrypt the file by issuing (assuming the random name is “66fc4601b498.minilock”):

deadlock decrypt 66fc4601b498.minilock

..which will again prompt you for an email and password, and will decrypt the file and save it to “sillycatpicture.jpg”. Note that thanks to the way miniLock’s protocol is written, even the filename is not possible to obtain unless the file is encrypted to you, so nobody knows you’re only sending me silly cat pictures!

deadlock includes a few features missing (in some cases by design) from miniLock, including a local address-store which would, for example, allow you to substitute “cathal” for “JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM”, a private-ID store which, though lacking entirely in any measure of security, allows trivial encryption and decryption without re-entering passphrases, and auto-zipping of directories when encrypting, allowing you to encrypt a folder without preparation.

Depending on your needs, this is useful or superfluous. Right now, if you want user-friendly encryption, use minilock.io. However, I have high hopes that I and others can use deadlock to integrate this type of encryption into other sorts of activity, like aforementioned dropbox preprocessing, email sending and receiving, etcetera; so hopefully deadlock will be of use to you someday soon, as part of something more user-friendly. If you’re a hacker or a technical user, I think deadlock will speak for itself as a terminal application and Python module.

Enjoy!