chiffer.nu beta

About

This is a service that focuses on providing a secure-by-default way of sharing plain-text secrets (passwords, certificates, keys, etc.) with a remote recipient.

The main goals with the service are:

Please note: This service is still in early beta and is being improved and worked on continuously!

GDPR

This service fully complies with the GDPR legislation. No personal information is ever asked for, or stored anywhere.

This service is hosted within the EU (Sweden) and the encrypted data is never stored elsewhere.

Technical details

Secret

A 20-character secret is generated using the web browser's built-in crypto engine. The secret is optimized to be easy to read, so some ambiguous characters (l, I, O, 0 and 1) are removed from the standard ASCII alphabet.

This means that the 20-character secret is generated from a 57-character alphabet, which gives it an exact search space of 1.31 × 10^35 possible combinations: 131068133085775282769190451412780001 combinations, to be exact.

Even with a password-cracking rig that can calculate and test 100 billion keys per second, it would still take 41561432358503070 (57^20) years to test the whole keyspace. 0.01% of that would take 4156 billion years to test.
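
The secret generation and search-space figures above, as an added JavaScript example (not chiffer.nu's own code). It assumes the base alphabet is a-z, A-Z and 0-9, and every identifier in it is hypothetical. Symbols are drawn with rejection sampling so that each of the 57 is equally likely, and the page's numbers are reproduced with BigInt arithmetic.

```javascript
// Added example, not chiffer.nu's source. All identifiers here are hypothetical.
// Browser: globalThis.crypto is Web Crypto. Older Node: fall back to node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Assumption: the base alphabet is a-z, A-Z, 0-9 (62 symbols).
// Removing l, I, O, 0 and 1 leaves the 57 symbols the page counts.
const ALPHABET = [...'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789']
  .filter((c) => !'lIO01'.includes(c))
  .join('');

// Draw `length` symbols uniformly. A byte has 256 values and 256 % 57 = 28, so
// `byte % 57` alone would make the first 28 symbols more likely than the rest.
// Rejecting bytes >= 228 (the largest multiple of 57 that fits) removes the bias.
// `fill` is injectable only so the rejection path can be tested deterministically.
function generateSecret(length = 20, fill = (buf) => webcrypto.getRandomValues(buf)) {
  const n = ALPHABET.length;
  const limit = 256 - (256 % n);
  const out = [];
  while (out.length < length) {
    const buf = fill(new Uint8Array(2 * (length - out.length)));
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(ALPHABET[b % n]);
    }
  }
  return out.join('');
}

// Exact search space: symbols ** length, as a BigInt.
function keyspace(symbols = ALPHABET.length, length = 20) {
  return BigInt(symbols) ** BigInt(length);
}

// Whole 365-day years needed to try every candidate at `perSecond` guesses/s.
function exhaustiveSearchYears(space, perSecond) {
  return space / (BigInt(perSecond) * 31536000n);
}

// Entropy of the secret in bits. An attacker who guesses secrets rather than
// keys faces this many bits (about 116.7), not the 256 bits of the derived key.
function secretEntropyBits(symbols = ALPHABET.length, length = 20) {
  return length * Math.log2(symbols);
}
```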

Encryption

The clear-text message is encrypted using symmetric XSalsa20-Poly1305 authenticated encryption with an in-browser generated 256-bit encryption key.

The 256-bit key is derived from the secret using a key-stretching algorithm called PBKDF2-HMAC-SHA256 with an iteration count of 600001.

Storage

The encrypted contents (ciphertext) will be sent to the server, where a random ID (UUIDv4 with 5.3×10^36 possible combinations) will be generated for the encrypted contents. As soon as the recipient retrieves the encrypted contents from the server by presenting this random ID, the ciphertext will be permanently deleted from the server (a.k.a. self-destruct). At this stage the recipient will be able to decrypt the contents by entering the 20-character secret.

Cookies

This service does NOT store any cookies or other data in the web browser and as such never asks for any cookie consent.