ATBASH2.TXT -- DOCUMENTATION FOR ATBASH2.EXE

WHAT IS THIS?

ATBASH2 is a simple, efficient file encryption program that can also be used
to convert any binary file to a format that can be transmitted by Morse Code
or other similar techniques.

Features:

+ Can encrypt any text or binary file (without loss of data).

+ Ciphertext can be transmitted through various archaic channels, such as
  Morse Code or reading letters and numbers over a telephone.

+ Very small executable fits on a floppy disk with lots of room left over.

+ Very fast encryption, especially considering the strong security provided.

+ Encryption that is very difficult to break, even for professional
  cryptanalysts.

+ There are no intentional "back doors" or "weak links" to enable some
  criminal to pilfer your private files.

+ Can be used without encryption just to convert to an ASCII format and back
  (for uses where encryption is not allowed, like ham radio).

+ Uses the Sapphire Stream Cipher for excellent security with good speed.

+ Ciphertext can be transmitted via email.

+ Simple key management (memorized pass phrase).

+ Adds no "known plain text" or other aids to brute force cracking
  operations.

Limitations:

- Cipher text is always longer than the plain text file (about double the
  size, for most files).  (Cipher text can be compressed to about half size
  with a good compression utility, if binary storage or transmission will be
  used).

- If you forget your pass phrase, your data is lost.  I can't get it back for
  you.

- There is no provision for law enforcement access to encrypted files, since
  any such scheme could be perverted by criminals (including some very
  expensive ideas being promoted by certain government agencies), and most
  people who would use this are basically honest, anyway.

- Does not overwrite and delete the plain text after encryption.  You need a
  separate utility to do that, like my DELETE in (DEL105.ZIP or a later
  version) or Norton's WIPEINFO.

- Only gives two options for entering the pass phrase (interactive prompt and
  on the command line).

- The Sapphire II Stream Cipher is new, and although it looks good so far, it
  has not been reviewed extensively by others, and might possibly have a
  weakness in it somewhere.

- Does not automatically detect wrong pass phrases (produces garbage file,
  instead).

- Does not compress files before encryption.  Use a separate utility (like
  ARJ, ZIP, LHA, or PKZIP before encryption to do that).

- Does nothing to randomize cipher text initialization vectors or session
  keys, so identical files encrypted with an identical pass phrase will
  produce identical output files.

- Does not pad the cipher text, so that the length of the plain text can be
  computed from the length of the cipher text.


QUICK START

Syntax:
ATBASH2 [/d] inname outname [pass phrase]

/d means decrypt, default is encrypt.

inname is the name of the file to encrypt or decrypt.

outname is the name of the output file.  The output file may not already
exist, because ATBASH2 will not overwrite.

Entering the pass phrase at the prompt instead of the command line is more
secure, and some characters cannot be entered at the command line.

outname will be garbage if the pass phrase is wrong, but you will get no
warning message about this.  You have to check it yourself.


INSTALLATION

1.  Decompress the distribution archive.

2.  You may wish to place ATBASH2.EXE someplace in your DOS path.

3.  Read this file.


TO ENCRYPT A FILE

Simply run ATBASH2 with the input and output file names on the command line
(in that order).  You will be prompted for a pass phrase.  Type carefully,
since you must type EXACTLY the same pass phrase to decrypt your file.  Pass
phrases are case sensitive (Secret is not the same as sECRET, which is not
the same as sEcRet).

If you plan to delete the plain text file, and the data is important, then I
strongly recommend that you try decrypting the file first, and comparing the
results with the original file.  That way you know that you typed the pass
phrase correctly and that your copy of ATBASH2 is working correctly.  After
this test, you can then overwrite and delete the plain text without fear of
losing your data (unless you forget your pass phrase).

For example:
ATBASH2 DIARY.DOC DIARY.ENC

If you want to put the pass phrase on the command line, enter it after the
file names.  Note that some characters cannot be used on the command line
that can be used when entering a pass phrase at the prompt, like Esc and
|.  Also note that entering a pass phrase on the command line is not as
secure, since someone else with access to the same machine might be able to
recall that same command line (an easy task if DOSKEY is loaded) and learn
your pass phrase.


TO DECRYPT A FILE

Simply run ATBASH2 with /D (or /d) and the input and output file names on the
command line.  When prompted, enter the proper pass phrase.  If you entered
the right pass phrase, the decrypted file will contain the same data as the
one that was encrypted.  If you get the pass phrase wrong by even one letter,
the output will be total binary garbage.  You must manually check the output
to see if it makes sense, depending on what kind of file you encrypted.  If
you want a program that automatically detects mistyped pass phrases, I
recommend my QUICRYPT program or Philip Zimmermann's PGP instead of this one.

For example:
ATBASH2 /D DIARY.ENC DIARY.DOC

You may optionally enter the pass phrase on the command line after the output
file name if the pass phrase doesn't contain characters that the DOS Command
interpreter cannot pass through (like Esc, <, >, |, Ctrl-P, Ctrl-C, etc.).


TO ASCII ARMOR WITHOUT ENCRYPTING

This is the same as encrypting and decrypting, except that you just press
"Enter" when prompted for a pass phrase.


PICKING A GOOD PASS PHRASE

Obviously, if someone can guess your pass phrase, they can read your private
data.  One way to pick a good pass phrase that is hard to guess is to include
at least two unrelated words, mix upper and lower case, and include some
punctuation and numbers somewhere in the middle of the words.  Picking a
single word or common name (in any language) is a bad idea, even if you do
something like spelling it backwards or adding a punctuation mark at the end,
because there are password cracker programs that can check all of these in a
matter of hours on a fast enough set of computers.  Try for the longest, most
complex pass phrase that you can memorize reliably.  The maximum pass phrase
size is 254 characters.  When you enter a pass phrase at the keyboard prompt,
almost anything you can enter from the keyboard can be used as part of the
pass phrase, except for Enter, which indicates the end of the pass phrase.


TRANSMISSION OF CIPHERTEXT

The easiest way, of course, to get an encrypted message to someone is to
transfer it with a modem, on a disk, or by electronic mail.  If you want to
send a short encrypted message from your cellular telephone or a pay phone
somewhere, you can just read the ciphertext to someone.  When doing that, a
good way to prevent errors is to read the letters of the alphabet using
phonetics, or words beginning with the letter of the alphabet you are
reading.  One standard phonetic alphabet you can use is:

    Alpha
    Bravo
    Charlie
    Delta
    Echo
    Foxtrot
    Golf
    Hotel
    India
    Juliett
    Kilo
    Lima
    Mike
    November
    Oscar
    Papa
    Quebec
    Romeo
    Sierra
    Tango
    Uniform
    Victor
    Whiskey
    X-ray
    Yankee
    Zulu

ATBASH2 doesn't care if the letters are typed in as upper or lower case.
Note that the numerals 0 and 1 don't occur in the ciphertext, so there is no
guessing if a character is the numeral 0 or the letter O, or if a character
is the numeral 1 or the letter I or l.  Since the output is all upper case,
the letters I and L should look different in almost any font.

The ciphertext is arranged as 13 five-character groups per line. if there is
an error in one of the characters, ATBASH2 will attempt to guess which line
the first error was in to help you find the error and correct it.


OTHER ENCRYPTION PRODUCTS

Some other encryption programs that you may wish to consider are available on
the Colorado Catacombs BBS (303-772-1062) and many other locations.  These
include DLOCK, PGP, CRYPTE, QUICRYPT, SFS, SECDRV, SECDEV.

CRYPTE   is good for encrypting and decrypting large numbers of files at a
         time.  Uses a proprietary cipher.

DLOCK    is one of the strongest single-key encryption programs available,
         and it comes with complete source code.  Uses the Diamond encryption
         algorithm.

PGP      is the best full-featured electronic mail encryption and signature
         program available.  Uses RSA and IDEA encryption algorithms.  There
         is a freeware version (with use restrictions) and a commercial
         version.

QUICRYPT is one of the most user friendly and easy to use file encryption
         programs available, but this one is "crippleware" in the sense that
         it was designed to be legally exportable (meaning that the NSA can
         read any message encrypted with QUICRYPT).  The non-exportable
         registered version, called QCRYPT, does not have this weakness
         designed into it, and offers an excellent combination of strength
         and speed.  Even if you like ATBASH2's ASCII output, you might like
         to use QCRYPT for encryption and ATBASH2 just for ASCII armoring.
         Uses the Sapphire Stream Cipher.  Look for QCRYPT10.ZIP (or a later
         version number).  The next revision of QUICRYPT will generate files
         encrypted with the Sapphire II Stream Cipher, but will be able to
         read old files, too.

SFS, SECDRV, and SECDEV all do on-the-fly disk encryption.


WHY THE NAME ATBASH2?

Why not?  Atbash is the name of a simple substitution cipher over the Hebrew
alphabet that was used thousands of years ago.  Thanks to Rabbi Bryan for
this information.  The cipher used in this program is considerably more
complex than its namesake, but the name is a reminder that people have valued
privacy for a long time.  The "2" indicates that this is version 2 of this
program, which is different from the first version in that it uses the
Sapphire II Stream Cipher instead of the Sapphire Stream Cipher.  Because of
this, files encrypted with ATBASH are not compatible with files encrypted
with ATBASH2.


HOW DOES THE SAPPHIRE II STREAM CIPHER WORK?

Very well, thank you.  See SAPPHIRE.TXT for details.


IS THE SOURCE CODE FOR ATBASH2 AVAILABLE?

Sure, IF you register your copy of ATBASH2 AND request the password to
decrypt the source code at the same time (promising not to reveal it to
others), you can decrypt SOURCE.ENC with ATBASH2 and the password I supply.
Unzip the resulting file to get the source code.  For example:

ATBASH2 /D SOURCE.ENC SOURCE.ZIP
PKUNZIP SOURCE.ZIP

Source code for the Sapphire II Stream Cipher is also available in
SAPPHIRE.TXT, and can be used in other applications if you wish.


LEGAL NOTICES

ATBASH2 cipher program and documentation version 2.00 Copyright (C) 1995
Michael Paul Johnson. All rights reserved. This program comes with no
warranty, expressed or implied. It is your responsibility to determine if
this software is suitable and safe for your use before you use it. The nature
of encryption software is that data loss may be the result if you lose,
mistype, or forget your pass phrase. Although this may change after I write
this (and I hope it does), strong encryption software that cannot be easily
broken by the U. S. Department of Defense (like ATBASH2) is considered a
munition (like nuclear bombs, fighter jets, missiles, bazookas, guns,
ammunition, and warships) by the U. S.  Department of State.  (No need to
tell me how silly or wrong it is to group privacy software in with things
that can kill people -- tell your senators and congressional representative,
instead).  Therefore, I will not export this program (except to Canada, which
is subject to an exemption in the regulations and which has similar export
restrictions). I advise you not to transmit this program to any location
outside of the United States of America and Canada without proper legal
authorization.


REGISTRATION

This is shareware.  That means you can make copies and distribute it freely
(within the limits of other possibly applicable law), and try this program
for up to 60 days for free. If you continue to use this program after 60
days, you are required to register it. To register, send $49.00 for
registration with disks and printed documentation or $20.00 for registration
only, and the name of this program (ATBASH2) to:

     Mike Johnson
     PO BOX 1151
     LONGMONT CO 80502-1151
     USA

Look for updates on the Colorado Catacombs BBS, 303-772-1062. The author can
also be reached via the Internet at m.p.johnson@ieee.org or on CompuServe at
71331,2332. Registration entitles you to mail or email support and
notification of major upgrades.


REGISTRATION & INVOICE

Note that the ATBASH2 software has been delivered and accepted by the
customer.  Upon receipt of this paid invoice, the printed documentation and
disks paid for (if any) will be sent.  Disks and manuals can only be sent to
U. S. or Canadian destinations.

Remit to:                       Ship to:

Mike Johnson                    ________________________________

PO Box 1151                     ________________________________

Longmont CO 80502-1151          ________________________________

USA                             ________________________________

                                                Contact person:

                                ________________________________

                                ________________________________

                                Email address:__________________

Quantity   Description                             Unit Price  Total

________   ATBASH2 registration with disk & manual.  $49.00  ______

________   ATBASH2 single copy registration only.    $20.00  ______

________   Site license for unlimited use of ATBASH2
           at one corporation (includes one disk &
           one manual).                             $295.00  ______

           Sales tax (if you are in Colorado)                ______

           Shipping and handling if a disk and manual
           has been ordered.                          $5.00  ______

                                                    Total    ______

Please check all that apply to you (and only those that apply to you):

__ I am a citizen of the United States of America or Canada.
__ I am not a citizen of the USA, but I am a permanent resident
   (with a "green card").
__ I promise not to export ATBASH2 without proper legal authority and without
   registering every copy in use.
__ I promise not to give ATBASH2 to anyone who would export it without legal
   authority or use it without registering it.
__ I prefer 3.5" disks.
__ I prefer 5.25" disks.
__ I want the source code password, and won't reveal either the source code
   or the password to others.


_____________________________________________    _______________
Signature                                        Date


