SC4 FAQ for non-experts

(Draft - March 2015)

What is SC4?

SC4 is an application that allows you to securely encrypt and authenticate files so that they can only be read by their intended recipients. SC4 also allows you to generate secure digital signatures (not to be confused with electronic signatures, which are a completely different thing).

Why is it called SC4?

It was originally called SC4MM, which stood for Secure Communications (or Strong Cryptography) For Mere Mortals, but that looked too much like the word "scam" so we shortened it to SC4.

How do I use it?

Click here.

Note that SC4 is currently in beta-test so it still has a few rough edges.

If this is your first time using SC4 it will ask you for your email address. Don't worry, we won't abuse it. In fact, we won't even know what it is unless you choose to tell us later. (If you want to verify this, you can disconnect from the internet after going to the above URL and see that SC4 will continue to work. It is a completely standalone application.)

To send a secure message to someone you first need to connect with the person you want to correspond with. This is because in order to decrypt and verify secure messages you need a piece of data called a public key. To see your public key, click on the button marked "Connect with a new user." SC4 will compose an invitation message that includes your public key (it's the random looking jumble down at the bottom of the message). You simply mail that to the person you want to connect with. That person then repeats the same process to send you their public key.

When you receive a public key from someone, simply cut and paste it into the text box and click "Submit." NOTE: cut-and-paste the entire message, not just the part at the bottom. (Actually, the important part starts with the line "X-sc4-content-type: public-key". You must include this line and everything that comes after it. We are working on making this a little more seamless.)

Once you have imported someone's public key you will see their name and email address in your recipients menu. You can now send them a secure message by simply typing it into the text box, or by dragging-and-dropping a file onto the SC4 window. You can choose to encrypt the message, or sign the message, or both. Signing a message means, "I endorse the content of this message." It's the same as signing a physical document, so be careful what you choose to sign.

To decrypt a secure message, just copy and paste it into the text window, or drag-and-drop it. SC4 will automatically figure out that it's a secure message and decrypt it (assuming you are the intended recipient, of course!).

What is under the hood?

SC4 is based on a core cryptographic library called TweetNaCl written by Daniel J. Bernstein. It implements state-of-the-art authenticated encryption and digital signatures based on a technology known as elliptic curve cryptography, or ECC.

What is so great about ECC?

Current mainstream cryptography is based on a technology called RSA, which uses large prime numbers as keys. This has two important negative consequences: first, keys are very large. Printing one out typically takes up an entire page. Second, they are hard to generate because you need a program that generates large random prime numbers. Moreover, you need a program that you can *trust* to generate large, random prime numbers. This is not nearly as easy as you might think, and there have been a number of cases where the programs people were using to generate their keys turned out to be broken, and the keys they generated turned out to be weak and easy to break.

ECC, by way of contrast, can use (just about) any random number as a key. It doesn't have to be prime. So generating ECC keys is much easier, and they are much smaller than RSA keys. This makes them easier to manage and more secure.

As a happy side-effect, the digital signatures generated by ECC are also much smaller than those generated by RSA while remaining equally secure.
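As an added illustration (not SC4's or TweetNaCl's own code), here is the Curve25519 key agreement (X25519, as specified in RFC 7748) that NaCl-style box encryption is built on, written out in plain Python: a secret key is 32 random bytes with three bits adjusted (that adjustment is the "just about" in "just about any random number"), the public key is a single scalar multiplication, and no prime search is involved. The function names are this example's own choice; the self-test at the bottom uses the public test vectors from RFC 7748.

```python
# Added example, not SC4's own code: X25519 Diffie-Hellman over Curve25519
# (RFC 7748). This is the key-agreement step under NaCl/TweetNaCl "box";
# the shared secret would then feed a symmetric cipher, which is omitted here.
import os

P = 2**255 - 19          # the field prime of Curve25519
A24 = 121665             # (A - 2) / 4 for the Montgomery coefficient A = 486662
BASE_POINT_U = 9         # u-coordinate of the standard generator

def clamp(secret: bytes) -> int:
    """Turn any 32 random bytes into a valid scalar (RFC 7748 decodeScalar25519)."""
    k = bytearray(secret)
    k[0] &= 248          # clear low 3 bits: kills the small-subgroup component
    k[31] &= 127         # clear the top bit
    k[31] |= 64          # set bit 254 so every scalar has the same bit length
    return int.from_bytes(k, "little")

def x25519(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k times the point with u-coordinate u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P   # x2 / z2, inverse via Fermat's little theorem

def generate_secret() -> bytes:
    return os.urandom(32)            # the whole key generation: 32 random bytes

def public_key(secret: bytes) -> bytes:
    return x25519(clamp(secret), BASE_POINT_U).to_bytes(32, "little")

def shared_secret(my_secret: bytes, their_public: bytes) -> bytes:
    u = int.from_bytes(their_public, "little") & ((1 << 255) - 1)  # drop unused top bit
    s = x25519(clamp(my_secret), u).to_bytes(32, "little")
    if s == bytes(32):               # all-zero output means a low-order public key: reject it
        raise ValueError("invalid public key")
    return s

if __name__ == "__main__":
    alice_sk, bob_sk = generate_secret(), generate_secret()
    alice_pk, bob_pk = public_key(alice_sk), public_key(bob_sk)
    assert shared_secret(alice_sk, bob_pk) == shared_secret(bob_sk, alice_pk)
    print("32-byte public key:", alice_pk.hex())
```

Compare the printed 64 hex characters with a page-long RSA key: that difference in size is what the paragraph above is describing.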

Can I trust SC4?

Not yet. We believe the design and implementation are basically sound, but it has not yet been subject to peer review or a formal audit. We are in the process of doing that. For now, SC4 is probably better than nothing, but you should not trust it with anything you consider really critical.