On Tue, Oct 15, 2019 at 05:07:33PM +0200, Ondřej Surý wrote:
First of all, all software in Debian must adhere to Debian Free Software Guidelines. And I can’t find the source code anywhere on your website. That said - who you seem to use a lot of buzz words and bold claims, but I would recommend the old wisdom: “don’t ever roll your own crypto”. I would recommend you to speak to an actual cryptographer before you do more harm to your users. I hope a cryptographic software based on hand-waving and no crypto audit would never be uploaded in Debian.
Source code seems to be at http://www.finalcrypt.org/downloads/other/finalcrypt_sourcecode.zip but otherwise I agree that using this versus a recognized encryption tools is a bad idea. The general mechanism seems to to generate a random string equal to the size of the input data, then perform some operation (presumably xor?) to generate ciphertext. The usual weak link from a theoretical standpoint is the strength of the pseudo random number generator. In this case it's using the java SecureRandom function, so it's as strong or weak as that. If you don't trust complicated mathematical functions to secure your data, I don't know why you'd trust SHA-256. The weak link from a practical standpoint is the need to securely store random pads equal in size to the data encrypted--if you can secure the one time pad, you could just as easily secure the data and not need the one time pad. Disclaimer: I only gave the source code a cursory glance so there may be additional elements of this implementation that I overlooked either for better or for worse.