
Top Secret Crypto Gold

Review
by
Peter Gallivant

Top Secret Crypto Gold (TSCG), version 2.00 is an encryption utility aimed at the personal and business market; seemingly the same segment targeted by PGP. It is meant for email and computer file protection.

At first glance, TSCG does have some advantages over the well-entrenched PGP (and its derivatives and variants). Size is one: TSCG is a 1.77 MB download, while PGP is 7.72 MB. And with TSCG ranging in cost from US$35 (single user) to US$1000 (unlimited) versus PGP's current US$60 to US$2550, price is another.

TSCG also has a feature which PGP lacks: One Time Pad encryption. OTP is theoretically unbreakable, assuming the use of a truly random key larger than the encrypted data. TSCG even goes so far as to include printable files to allow you to use one time pads to manually encrypt - by hand, on paper! - nonelectronic messages. Since you need TSCG and your computer to print these in the first place, I suspect that you will encounter little need for the old-fashioned system in the real world. But it is amusing and informative.

Sadly, for those of us constantly in search of privacy tools, TSCG has shortcomings, too.

Seeing that TSCG utilizes RSA for its public key encryption option, I immediately wondered if it would be compatible with widely used PGP for Windows. Attempts to import and export keys, and to process files showed that TSCG and PGP cannot interoperate. Since commercial and freeware distributions of PGP (and derivations such as GPG and PGPi) are already in predominant use on the Internet, I believe this lack of compatibility is a serious deterrent to TSCG's use.

Installation

Downloading and installing TSCG was straightforward, until I reached the point where I had to select file installation options. The default install claimed that it required 2.3 MB of hard drive space. Making various selections showed a basic install that only required 1.6 MB. Quite properly for a product review, I chose the default full installation. Oddly enough, the folder - C:\Program Files\TAN$TAAFL\ - resulting from the installation was only 1.6 MB regardless of the installation choice (I installed various ways to test options). Where are the remaining 700 KB placed; DLLs in the Windows folder? This proved to be the first of several peculiarities encountered.

During installation and set up, TSCG makes several file associations for its extensions in the Windows registry. This is a normal procedure that allows you to automatically open and use an application when encountering specific file extensions. Yet TSCG only performs half the job. Double-clicking a TSCG file (such as "testfile.tsc", an encrypted file) only opens the TSCG program without beginning the - in this example - decryption process. You must manually conduct your operation, even manually selecting the file with which to work again. It is better than manually opening the program from the Start Menu each time, but not much.

TSCG is billed as an email encryption tool, as accomplished through Windows' MAPI interface. My usual email client does not employ MAPI, so to be fair in the review process, I obtained and installed a MAPI-compliant client. To no avail. Regardless of whether a compliant (and operating; client tested in conjunction with other applications) email program was installed, I got the same System Error message. TSCG would not work directly with email messages.

I also found TSCG to be one of the least intuitive programs I've used outside of the military environment (more on that to follow). Unusual for me, I found it necessary to repeatedly fall back to the help documents in order to complete even basic functions.

Even then, the instructions often left something to be desired. I quickly realized that the public key and signing key selection dialogue windows will not auto-close when you've made your selection. Nor are there any "OK" or "Select" buttons to push that might indicate when something has happened. You must manually close each dialogue window, unprompted, to proceed. This apparently is not mentioned in the documentation.

Note: Closing the signing key window without selecting a key aborts the process. Not signing a document is not an option with TSCG. There are some occasions when I bloody well do not wish to sign my encrypted emails.

Key Generation

All this pre-supposes that you've created your keys. A tedious process in its own right. The cryptic displays, no doubt of great interest to cipherpunks, may confuse those simply interested in privacy. And key generation is slow. My Celeron 366 MHz system - admittedly puny by today's standards - is certainly better than the minimum Intel 80486 touted in the system requirements. Nevertheless, after sitting through an entire key generation session, I spent future sessions attending to basic dental hygiene, and polishing my boots. Each time, I returned to find the action to be incomplete. There is an option to give key generation high processor priority; I suggest that you use it.

Key generation also brings me to a subject that made me the slightest bit uncomfortable.

As is usual in encryption products, TSCG relies upon a random bits file when creating a key. PGP attempts to maximize randomness by requiring external irregular input from the user when doing this. Contrariwise, TSCG never does. It uses its own internal system of looking at various computer system clocking signals, which are naturally highly regular. TAN$TAAFL Software asserts that randomness is provided via the fact that the clock sampling routine only samples at irregular intervals as Windows gives it processor time. Unless this can be verified by someone with far greater mathematical and programming knowledge than myself, I have grave doubts whether this is sufficiently random for those in need of very strong encryption.

Regrettably, key generation is not the only slow function. TSCG is a "resource hog", seizing a great deal of processor time. When it is running, other applications slowed noticeably. This should be less of an issue for those with newer, more robust systems.

More happily, TSCG does allow you to generate quite large, up to 16 KB, RSA keys.

Encryption Generalities

Encryption in TSCG is a two stage process in which the data is first compressed and then enciphered. This process demonstrates another of the program's peculiarities: The default setting leaves the intermediary "packed" file stored on your computer, unencrypted. As is the unencrypted source file. There are check boxes which allow you to delete these during the process, but you must re-check them with each and every encryption operation. This may not be a critical problem, but do make a habit of looking at those boxes.

Aside from the technical messages that appear on your screen, and which must be manually closed just as the key selection screens - which I found annoying - RSA encryption will be familiar to those who have already used PGP.

One Time Pad encryption will be quite familiar, too. The encryption process differs from RSA in only one respect: the additional step of selecting a one time pad key. In fact, RSA signing and encryption are requisite steps in the OTP process as implemented in TSCG.

TSCG allows two sorts of one time pad keys. One, referred to as a key file, is only some 5 KB in size. When encrypting with this sort, if your clear data exceeds that minuscule 5 KB, the key will "repeat", and you will lose the entire advantage of true one time pad encryption. This smaller key should be used only for small files and short email messages.

TSCG calls the other OTP key a "True One Time Pad". The minimum size of key which you may produce with this option is 1 MB. This is much more secure; but having a large number of such keys on your drive might be troublesome for those growing short of space. Choose, and use, your keys wisely.
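Why a repeating key file gives up the one time pad's advantage while a full-length pad does not, as an added example that is not code from the review or from TSCG. It assumes the pad is combined with the data by XOR and wraps around when exhausted (the review does not say how TSCG combines them), and it uses a constructed sample message.

```python
import os

KEY_FILE_SIZE = 5 * 1024  # the "some 5 KB" key file from the review


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_pad(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; a pad shorter than the data wraps around.

    XOR combining and wrap-around are assumptions of this example.
    """
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def shifted_xor(ciphertext: bytes, period: int) -> bytes:
    """XOR the ciphertext with itself shifted by one pad period."""
    return xor_bytes(ciphertext, ciphertext[period:])


def compare_pads(plaintext: bytes) -> dict:
    """Encrypt once with a wrapping 5 KB pad and once with a full-length pad."""
    n = KEY_FILE_SIZE
    # The relation that should stay hidden: plaintext[i] ^ plaintext[i + n].
    plaintext_relation = shifted_xor(plaintext, n)

    wrapped = encrypt_with_pad(plaintext, os.urandom(n))
    full = encrypt_with_pad(plaintext, os.urandom(len(plaintext)))

    # With the wrapping pad, the pad bytes cancel out of the shifted XOR.
    leak = shifted_xor(wrapped, n)
    # If the first n plaintext bytes are known (say, a fixed header), the
    # next n bytes follow from the leak without any key material.
    second_block = xor_bytes(leak[:n], plaintext[:n])
    return {
        "wrapped_pad_leaks": leak == plaintext_relation,
        "full_pad_leaks": shifted_xor(full, n) == plaintext_relation,
        "second_block_recovered": second_block == plaintext[n:2 * n],
    }


# Constructed sample message, about 14 KB, so the 5 KB pad wraps twice.
SAMPLE = b"".join(b"line %05d: constructed sample text\n" % i for i in range(400))

if __name__ == "__main__":
    print(compare_pads(SAMPLE))
```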

TSCG likewise allows you to encrypt entire folders, or directories. You select a directory to be protected, make the proper selections of algorithms and keys, and TSCG processes all the files within the targeted folder. All the files will be collected, packed, and encrypted into a single archive-type file. Decryption deciphers and extracts the individual files. I found this strongly reminiscent of PGPDisk, save that the process is manual in every step. Unlike PGPDisk, and I think an improvement, TSCG does not require you to pre-select a virtual "drive" of a specific size, which might prove to be smaller or larger than is eventually needed.

There is, however, no provision for batch processing of individual files. You shall either manually process each and every separate file, or you shall store them all in a single archive. Many times, I find it desirable to process multiple files, yet not every one in a directory. Nor would I enjoy opening and closing a multimegabyte file every time I wished to see a small text file.

Clipboard

TSCG will encrypt and decrypt text on your Windows clipboard. This was the only way I could persuade TSCG to work "with" email. The process is essentially identical to file encryption, save that you select the clipboard instead of a file.

Source Code

This may be an issue for many people. TAN$TAAFL Software will not open source all of the TSCG code. Its implementation of RSA, asserted to be open source, is not included with the package as TAN$TAAFL maintains that RSA has been adequately publicized elsewhere. The One Time Pad code and key generation code is included. It is the application which ties all this together which TAN$TAAFL says is proprietary. While it is understandable that the company should wish to protect its code, many people distrust encryption tools which they cannot examine in full.

Conclusion

Top Secret Crypto Gold appears to serve a useful purpose, but its lack of compatibility with even freeware releases of the highly popular PGP makes its use problematical. Those with whom I regularly correspond already possess PGP or compliant variants. I am not aware of any of them having TSCG. Nor are many of them likely to utilize the program until its odd little rough edges are smoothed out. And why choose to pay for something not open sourced when open source options are available for low or no cost? And for the truly paranoid, there is another issue. The TSCG website includes the personal snail mail address of the program author.

The address is that of a United States Naval facility. Possibly entirely innocent; but this seems to me a blunder in a market pandering to those fearful of government snooping.

I do not intend to use Top Secret Crypto Gold version 2.00, nor will I recommend it to anyone else.


Top Secret Crypto Gold, version 2.00
TAN$TAAFL Software Company
www.topsecretcrypto.com
Windows 95b, 98, Me, NT 4.0+, 2000, and XP
Intel 80486 processor, or better
1.77 MB D/L
Single User License is $34.95(US)
Unlimited Site License is $999.95(US).
accepts e-gold, a nice touch


Copyright © 2002 by Doing Freedom! magazine. All rights reserved.