How does apicrypt work?

Introduction

Apicrypt is a cryptography solution that allows health professionals in France to exchange sensitive medical information by email. The official website of apicrypt claims that it uses a one-time pad encryption technique, but it does not say much more about the algorithm it uses.

Thankfully, there are some command-line Linux executables available online that can be used to encrypt or decrypt text messages for apicrypt. Let's have a look at the file called apicrypt, which prints the following when executed:

Apicrypt : cryptage de documents texte pour transit en corps d'email
(c)2005 APICEM v1.0
usage : apicrypt -s fichiersource -o fichierarrivee -u utilisateur 
                [-k cheminclefs] -d destinataires

This tells us that the program encrypts text documents for transmission in an email body.

Notably, this file still contains some debugging symbols, which helps a lot when trying to understand how it works. Among other things, the command objdump -C -t apicrypt outputs:

apicrypt:     format de fichier elf32-i386

SYMBOL TABLE:
...
0804efa4 g     F .text  000000b6              TypCrypto::Crypt(unsigned char *, unsigned long, unsigned char **, unsigned long *, TypFileRef *)
08048e70 g     F .text  0000002d              crypter(char *, char *, char *, char *, char *)
0804f0e4 g     F .text  000001de              TypCrypto::UnCrypt(unsigned char *, unsigned long, unsigned char **, unsigned long *)
0804f2c4 g     F .text  000002e7              TypCrypto::GetLinearKey(unsigned char *, unsigned long, TypFileRef *, unsigned long, long)
...

This file contains the encryption and decryption algorithms!

Cipher algorithm

The analysis of the apicrypt program shows that the algorithm used to encrypt data is a stream cipher. The original message undergoes the following operations:

After these two operations, the binary encrypted message is converted to printable ASCII characters with a base64-like coding using a non-standard alphabet.

The message is then sent to the apicrypt server, where it is decrypted with the user's personal key, encrypted with the recipient's personal key and emailed to the recipient.

During the encryption step with either the master or personal key, the program prepends to the message the header of the key used to encrypt it. This header contains the information needed by the recipient (or the apicrypt server) to know which portion of the key was used to encrypt the message.

Apicrypt keys

The encryption keys are distributed to the users of apicrypt at the beginning of each year. They receive a CD-ROM containing the key files, which they have to install to be able to receive new messages.

A key file (master or personal) is composed of a header with the following structure:

#include <sys/types.h>      // u_int32_t, u_int8_t

typedef struct {
    u_int32_t version;      // Apicrypt version
    u_int32_t annee;        // Year of the key
    u_int32_t nombre2;      // size of the following string
    u_int8_t data2[32];     // "1000" ?
    u_int32_t utilStrSize;  // size of the user name string
    u_int8_t utilStr[40];   // user name
    u_int32_t indexMax;     // size of the key
    u_int32_t indexCourant; // current offset in the key
    u_int32_t nbCrypt;      // number of encrypted messages
    u_int8_t data3[124];    // no idea...
} KeyHeaderStruct;

[Figure: simulated encryption key.]

The data contained in data3 do not seem to be used during the encryption of a message and are not necessary for its decryption.

The header is followed by a series of random bytes used to produce the encryption keys. The size of the key files is of the order of 20 Mb.

Encryption and key generation programs

To check the encryption system used by apicrypt, I created a piece of software which encrypts a text message and another one which generates encryption keys. The messages encrypted with this program are successfully decrypted by the official executable apiuncrypt available here. The source code of these programs is available on GitHub.

Warning! These programs should not be used as-is to encrypt and send real apicrypt messages: they are not safe and use the same key to encrypt every message, which is a major risk for the confidentiality of the messages sent (see next part).

Possible security issues

The one-time pad encryption technique is proven to be absolutely secure provided that the following three conditions are fulfilled:

In order to check that the keys provided by apicrypt are perfectly random, one could either do a fine statistical analysis on them or know the method used to produce them. Apicrypt tells us nothing about the latter.

We saw that the encryption keys are provided every year and have a size of approximately 20 Mb (at least the keys I saw). This implies that, in order to ensure perfect confidentiality, the size of the message sent or received must be smaller than 20 Mb. In real life this is usually not a very strong constraint as long as the message contains only text and no attachment.

The last point is the most problematic, because each message sent (or received) progressively consumes the keys received at the beginning of the year. The official encryption program shows that when a key has been completely used, it is reset and starts again as if it were a new one. The consequence is that if the total size of the messages received or sent during a year is larger than the size of the key, the same part of the key will be used to encrypt two different messages, which may allow some cryptanalysis.
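The reset described above, as an added example (not apicrypt's code, nor the author's): it contrasts a wrapping key allocator with one that fails closed. The XOR combining step, the rule "jump back to offset 0 when too little key remains", the 8-byte key, the two messages and the names PadState, reserve_wrapping and reserve_strict are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {  /* the KeyHeaderStruct fields that track pad consumption */
    uint32_t indexMax;      /* size of the key */
    uint32_t indexCourant;  /* current offset in the key */
} PadState;

/* Assumed model of the reset described above: if the remaining key is too
 * short for the message, start again at offset 0. Requires len <= indexMax. */
uint32_t reserve_wrapping(PadState *s, uint32_t len) {
    if (len > s->indexMax - s->indexCourant) s->indexCourant = 0;
    uint32_t start = s->indexCourant;
    s->indexCourant += len;
    return start;
}

/* Fail-closed alternative: never hand out a key byte twice. */
int reserve_strict(PadState *s, uint32_t len, uint32_t *start) {
    if (s->indexCourant > s->indexMax || len > s->indexMax - s->indexCourant) return -1;
    *start = s->indexCourant;
    s->indexCourant += len;
    return 0;
}

/* 1 if both messages got the same key bytes, so c1^c2 == p1^p2 (XOR assumed). */
int reuse_leaks(void) {
    static const uint8_t pad[8] = {0x3a,0x91,0x5c,0x07,0xe2,0x48,0xb6,0x1d}; /* constructed */
    const uint8_t p1[6] = "GRP A", p2[6] = "GRP O";              /* constructed */
    PadState s = {8, 0};
    uint32_t o1 = reserve_wrapping(&s, 6);
    uint32_t o2 = reserve_wrapping(&s, 6);  /* only 2 bytes left: resets to 0 */
    if (o1 != o2) return 0;
    for (uint32_t i = 0; i < 6; i++)
        if (((p1[i] ^ pad[o1 + i]) ^ (p2[i] ^ pad[o2 + i])) != (p1[i] ^ p2[i]))
            return 0;
    return 1;
}

int strict_refuses_reuse(void) {  /* 1 if the second message is rejected */
    PadState s = {8, 0};
    uint32_t o = 0;
    return reserve_strict(&s, 6, &o) == 0 && reserve_strict(&s, 6, &o) == -1;
}

int main(void) {
    printf("reuse leaks: %d, strict refuses: %d\n", reuse_leaks(), strict_refuses_reuse());
    return 0;
}
```

With the wrapping allocator the key drops out of the XOR of the two ciphertexts; the strict allocator instead forces a new key to be issued before the second message can be encrypted.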

Some interesting comments can be read on reddit here and here. They lead to a possible attack against the apicrypt system. Suppose a person A encrypts his emails to prevent a person B, who is spying on his communications, from accessing their content. If B has an apicrypt account, he may send to A an encrypted message longer than the length of A's personal key. If B can intercept the encrypted message when it arrives at A's, then, knowing the original message and the version encrypted with A's personal key, he can figure out the entire personal key of A! The fact that the message is also encrypted with the master key changes nothing, as B has the same master key as A.

Conclusion

It seems that the apicrypt encryption algorithm contains certain flaws. But as I am not a cryptography specialist (at all), the conclusion about this point should be drawn by more competent people.

Notably, the apicrypt server has access to all the messages exchanged in plain text, which is not the best idea ever. In fact, the confidentiality of all the apicrypt communications depends on the security of this server.

It is however regrettable that the algorithms used by apicrypt are not public. And rather than giving the source code to a solicitor (point 6), it would be much more useful to put it in the public domain.
