brengla.com


First draft – August 2015

Brengla is a website that allows RSA-encrypted communication for its users. The server is based in Iceland, which is the only country in the world that does not have laws concerning encryption. (This means the authorities have no legal right to demand one's password for the sake of decryption.)

Brengla is a website written in the PHP programming language. The asymmetric/symmetric encryption is done with the help of PHP's OpenSSL functions (RSA2048/AES256); the hash value is produced with the help of PHP's password_hash/password_verify functions, used in their default setting (BLOWFISH, hash cost 10 millisec.).

The model of usage is the following:
The user produces RSA keys through the website; both keys (public and secret) are stored on the Brengla servers. The secret key is stored in encrypted form (AES256), encrypted with the help of a password given by the user. Thereafter, the first quarter of the password, the (full) name of the public key, and a randomly generated salt value are used to produce a cryptographically secure hash value; this hash value becomes the name of the file where the secret key will be stored.
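The storage model described above, as an added PHP example that is not Brengla's own code. The function names, the use of `openssl_pkey_export` with a passphrase for the AES256 step, keeping the bcrypt salt string beside the public key, and hex-encoding the hash into a file name are all assumptions.

```php
<?php
// Added example, not Brengla's code. Function names, the stored bcrypt
// "setting" string and the hex-encoded file name are assumptions.

// First quarter of the password (rounded up so it is never empty).
function first_quarter(string $password): string {
    return substr($password, 0, (int) ceil(strlen($password) / 4));
}

// Create an RSA-2048 pair; the secret key is exported as PEM that is
// encrypted with AES-256-CBC under the user's password.
function create_keys(string $password): array {
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('RSA key generation failed');
    }
    openssl_pkey_export($key, $encryptedPem, $password,
        ['encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC]);
    return [openssl_pkey_get_details($key)['key'], $encryptedPem];
}

// At key creation: bcrypt with a random salt over the first quarter of
// the password plus the public key name. Note bcrypt reads at most 72 bytes.
// Returns [setting string kept beside the public key, file name].
function new_file_name(string $password, string $pubKeyName): array {
    $hash = password_hash(first_quarter($password) . $pubKeyName,
        PASSWORD_BCRYPT, ['cost' => 10]);
    return [substr($hash, 0, 29), bin2hex(substr($hash, 29))];
}

// At login: recompute the file name from the stored setting string.
function find_file_name(string $password, string $pubKeyName, string $setting): string {
    $hash = crypt(first_quarter($password) . $pubKeyName, $setting);
    return bin2hex(substr($hash, 29));
}

// Constructed sample values.
$pw = 'correct horse battery staple';
[$publicPem, $encryptedPem] = create_keys($pw);
[$setting, $fileName] = new_file_name($pw, 'alice-public');

var_dump(hash_equals($fileName, find_file_name($pw, 'alice-public', $setting)));
var_dump(hash_equals($fileName, find_file_name('wrong password', 'alice-public', $setting)));
var_dump(openssl_pkey_get_private($encryptedPem, $pw) !== false);
```

Only the first quarter of the password enters the file name, so two passwords that share that prefix resolve to the same file; the full password is still needed to decrypt the PEM.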

Criticism - It is argued that one should always store one's secret RSA key in a private, secure location and not rely on the password it has been encrypted with, because in the majority of cases the password used to encrypt the message is weaker than the cryptographic algorithm itself. GnuPG takes this approach.

We at Brengla view this topic the following way:
On Brengla your secret key has two levels of security: first, it has been encrypted with the help of AES256, as in GnuPG; second, the secret key has also been stored under a file name that has been produced with the help of a hash algorithm that uses a random salt value. In this environment, a malicious service provider, or whoever else would supposedly have the ability to hack the AES256 algorithm, does not know the name of the file which holds the secret key. Therefore the process of finding the key, which comes on top of hacking the AES256 encryption itself, should be considered a mathematically impossible task.

In short, your secret key hides in the flock of others alike.


Have a nice day :)



