This project consists of two applications that, used together, make up a simple but effective personal protection system for our data.
We can use just one of them, but using both together gives us absolute control over our data privacy.
The two parts of the project are summarised as follows:
Personal PNGSafeBox Project (I) – Windows Application
A free application developed by us in VB.NET allows us to obfuscate the graphic files that contain the information to be protected.
This application allows encryption and decryption of such images.
Personal PNGSafeBox Project (II) – Android Application
A free mobile app developed by us allows us to carry the images containing confidential information on our phone. The application can query these files (data) securely, decrypting them and showing the information we need on the screen while, of course, the files remain encrypted inside the phone.
Even if we lose our mobile phone, the files would be difficult to extract because they are natively packed within the application and, in the case of a “rooted” phone, you would only get obfuscated graphic files that cannot be viewed unless you know exactly which obfuscation method was used.
Part I Personal PNGSafeBox for Windows
The project is based on modifying PNG graphic files, whose structure is “tuned” to be practically impregnable.
For example, if we want to encrypt an image (photo) that contains the data of our coordinate card, we will only have to convert the image to PNG graphic format and use the program discussed in this article.
The result is a modified file that cannot be viewed until it is “reordered” again by the program.
Encryption algorithm used
We will use the typical structure of a PNG graphic file. This can be consulted on the official page of this graphic format, but detailed knowledge is not required since our program takes care of everything.
A PNG graphic file consists of a header followed by sections called “chunks”. The specification of each chunk is not the subject of this article; it is enough to say that we will use part of the PNG header as well as a non-essential part of its first chunk.
The algorithm that obfuscates the PNG image to protect it performs these steps:
1) Generate three random numbers within a specific range: N1, N2 and N3.
2) Create a byte array with the data from offset N1 to EOF-N1 of the graphic file.
3) Transpose these bytes and write them back to the file.
4) Repeat a similar procedure twice, for the numbers N2 and N3.
5) Create a string with the structure /N1N2N3+
6) Encrypt the string (triple DES) using our KEY and IV.
7) Write the encrypted string in the PNG file header.
8) Make some modifications to the initial zone of the PNG file header.
Once these steps are done, the resulting PNG file is modified and cannot be displayed.
The only way to view the graphic file again is to use the encryption / decryption program to restore the PNG to its original format.
We can see in this graphic simulation how the bytes in the file are physically transposed. In the example shown (a file of minimum size) we have an image of 100×100 pixels – 476 bytes in the file. The numbers generated were: 25, 43 and 56, and the 3 transposition arrays (shown here by colors) will exchange positions with each other three consecutive times.
We must emphasize that the three arrays can occupy overlapping positions, which makes “re-ordering” the bytes even harder without knowing the proper coordinates. In this example, we can see graphically how part of the transposed arrays do in fact overlap.
Software used for the Project
To develop the program we have chosen an excellent IDE that allows us to implement the project in VB.NET completely free of charge.
This is the Sharp Develop environment. In our case we have used version 3.2.1 of the software. This is not the latest version, but it is sufficient and will probably be much more compatible with Windows systems that are not 100% up-to-date.
The program is minimalist and only does what it is meant to do: encrypt and decrypt PNG files.
We can download the VB.NET project from the link at the end of this article or from the Webtronika downloads section.
Notes on the program code
Although the program has been written to be sufficiently self-explanatory (it contains many comments), we prefer to explain some of its highlights here.
The first routine the program executes is “Initialize”, which, as its name indicates, performs some basic initialisation. Once this is done, focus moves to the “Open File” button, which allows us to choose the file to operate on (encrypt or decrypt).
The action associated with the button calls a check routine, the function IsCiphered(), for the selected file. By checking the first byte of this file, the program knows whether it is a standard PNG file or a file previously encrypted by our program. If the first byte matches neither of these two possibilities, the file is treated as invalid for processing by our program.
The coding routine, CodeFile(), executes the obfuscation algorithm discussed above. Note that the string to be encoded consists of the three positions to be saved (each of them forced to use two characters) and a pair of symbols (“/” and “+”) at its beginning and end, which help in later checks, and of course using Base64 encoding. This makes the final string 8 characters long.
For example, if the three randomly obtained positions were 3, 23 and 41, the string s0 to be encrypted will be /032341+
The decoding routine executes a similar process, but it transposes the three file arrays, logically, in the opposite order.
In addition, the decryption routine executes the subroutine ChkDecodeString(), which checks that the contents of the decrypted string meet the expected format, as already described for s0. For this purpose it performs several tests:
* Length of string s0 is 8 characters.
* The characters in the s0 string belong to the Base64 character set.
* The 6 middle characters are numeric type.
* The start and end characters are / and +.
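The s0 format and the four tests above, written out as an added Python example; this is not the program's VB.NET code, and the function names are chosen here for illustration. Eight ASCII characters are eight bytes, which is one 64-bit 3DES block.

```python
import string

# Standard Base64 alphabet; the delimiters '/' and '+' are both members of it.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

def build_s0(n1, n2, n3):
    """Pack three positions as '/' + three two-digit numbers + '+'."""
    for n in (n1, n2, n3):
        if not 0 <= n <= 99:
            raise ValueError("each position must fit in two digits")
    return "/{:02d}{:02d}{:02d}+".format(n1, n2, n3)

def check_s0(s0):
    """Run the four tests listed above; return the names of failed tests."""
    failed = []
    if len(s0) != 8:
        failed.append("length")
    if any(c not in B64_ALPHABET for c in s0):
        failed.append("alphabet")
    middle = s0[1:-1]
    if len(middle) != 6 or any(c not in string.digits for c in middle):
        failed.append("digits")
    if not (s0.startswith("/") and s0.endswith("+")):
        failed.append("delimiters")
    return failed

def parse_s0(s0):
    """Return (n1, n2, n3), refusing any string that fails a test."""
    failed = check_s0(s0)
    if failed:
        raise ValueError("rejected s0, failed tests: " + ", ".join(failed))
    return tuple(int(s0[i:i + 2]) for i in (1, 3, 5))

if __name__ == "__main__":
    s0 = build_s0(3, 23, 41)             # the article's example positions
    print(s0, parse_s0(s0))
    # Constructed malformed strings, one or more tests failing in each.
    for bad in ("/03234+", "+032341/", "/03a341+", "/0323 1+"):
        print(repr(bad), check_s0(bad))
```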
The routine used to generate the three random numbers has been preset to a range that prevents a generated number (the offset to be used later) from being greater than 15. This way we avoid touching the file header values, because that is where we will later save the encrypted information (using 3DES) for the three random positions.
It is worth noting that the string containing the three random positions is encrypted with triple DES operating in CBC mode without padding. For this we need an encryption KEY (16 bytes) and an initialization vector (8 bytes). Given the lengths of the two strings, we preferred to let the user modify only the preset value of the initialization vector (IV) from the program's front panel, since it is shorter and may be easier for the user to remember (as a “password”).
The value of the encryption KEY has been preset in the program (header), but can be modified as necessary. We only have to respect that the selected string uses only characters belonging to the Base64 encoding.
The transpose routine, Transpose(F, P), is used in both file coding and file decoding. The only difference is that it is called three times, and in the decoding routine these calls are made in reverse order.
The ChkKey() routine verifies in real time that the manually entered initialization vector (I.V.) has the proper length and format. If so, the IV text box is coloured green; if not, red.
Management of the program
Using the program holds no secrets. It has been preset to run in a very narrow window centered on the screen.
To encrypt a file, just select it. The name of the file immediately appears on the front of the program, and clicking on the padlock icon will encrypt / decrypt the chosen file.
When the file is opened, a preliminary analysis is performed and, as mentioned, depending on the value of the file's first byte the padlock will give us the option to encrypt or decrypt, or indicate that the selected file is not valid.
The byte 0 values that the routine can find are:
0x89 => Unencrypted file (standard PNG).
0x25 => PNG file encrypted by our program.
Other => Unrecognized format file.
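The byte-0 check with the values listed above, next to a stricter test that verifies the full 8-byte PNG signature and the CRC-32 of every chunk. This is an added Python example, not the program's VB.NET code; the function names and both sample files are constructed here, and MARKED only imitates the 0x25 marker, not the program's real output.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the 8 bytes that open every standard PNG

def classify(data):
    """Byte-0 test with the article's values: 0x89, 0x25, anything else."""
    if data[:1] == b"\x89":
        return "standard"
    if data[:1] == b"\x25":
        return "encrypted"
    return "invalid"

def make_chunk(ctype, body):
    """Serialise a chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def walk_chunks(data):
    """Return [(type, length, crc_ok)]; raise ValueError if not a PNG."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    pos, found = 8, []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk runs past end of file")
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        found.append((ctype.decode("latin-1"), length,
                      crc == zlib.crc32(ctype + body)))
        pos = end
    return found

# Constructed sample: a 1x1 greyscale PNG built in memory.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b""))
# Constructed stand-in for a protected file: only byte 0 is changed to 0x25.
MARKED = b"\x25" + SAMPLE[1:]

if __name__ == "__main__":
    print(classify(SAMPLE), walk_chunks(SAMPLE))
    print(classify(MARKED), classify(b"GIF89a"))
```

A file whose first byte is 0x89 but whose chunk data is damaged still classifies as "standard", so the signature and CRC walk is the check to run before treating a file as a valid PNG.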
Notes about using the downloaded software
The ZIP file in the download area includes both the complete project (VB.NET for Sharp Develop) and the executable file.
Keep in mind that the executable file can be, let us say, “personalized” by selecting a specific IV value to be used when the 3DES encryption is performed. The complete project, on the other hand, lets us select both 3DES parameters: KEY and IV.
The first time we run the project under the Sharp Develop IDE, we can open the solution and then double-click “MainForm.vb”,
and then two windows will appear in the development area: the first for code editing (Source) and the second for form design.
Notes about KEY & IV used
The internal variables use default values for the KEY and the Initialization Vector (I.V.), as follows:
- KEY = “TheKey1234567890”
- I.V. = “1234567+”
We can modify the I.V. value while the program is running or, if more security and privacy are needed, we can edit the two variables that contain these values at the top of the code.
Program and Project Download PNGSafeBox
Document download (English) PNGSafeBox Document (English)
Documentation download (Spanish) PNGSafeBox Documentation (Spanish)
New version 1.2
Program and Project Download (V. 1.2) PNGSafeBox for Windows v 1.2