SC4 now has a command-line version written in Python. If crypto in the browser makes you queasy, this is for you. A PGP replacement in 700 LOC (plus TweetNaCl).
"Our verdict is that SC4 has developed from a proof-of-concept to an edgy and unconventional yet reliable crypto tool. If certain limitations and constraints are respected by its users, SC4 indeed fills a formerly unpopulated gap in the world of browser crypto."
SC4 - Secure Communications for Mere Mortals
SC4 is a web application that provides secure encrypted communications and secure digital signatures. It is intended to eventually be a replacement for PGP/GPG. The main advantages that SC4 claims over PGP are:
Smaller keys and signatures. SC4 uses elliptic curves (specifically Curve25519 and Ed25519). The keys for these algorithms are only 256 bits long, compared to 2048 bits (at least) for RSA keys with equivalent security.
Easier-to-generate keys. RSA keys require the generation of large prime numbers, which means you need both a trustworthy source of entropy and a trustworthy code base to convert that entropy into random primes. Elliptic curve keys do not require prime numbers. They can use essentially any random number as a key, so all that is required to generate a key is a trustworthy source of entropy. This eliminates an entire attack surface.
Because SC4 is a security application, there are some subtle issues that you need to be aware of before trying to run it yourself. If you don't want to be bothered, there is a live demo version of SC4 running at https://sc4.us/sc4. If you don't want to trust this server you can, of course, run SC4 yourself. See the following section for details on how to do this.
The first time you run SC4 it will ask for your email address. Note that this is only used as an identifier for your key. It is not shared with anyone until you share your public key. Once you have entered your email address, SC4 will automatically provision you with a set of random keys.
To encrypt or sign a file, simply drag-and-drop it into the application window, or you can type text content directly into the text area in the application window. Whether the content is encrypted or signed or both is controlled by the check boxes at the bottom of the window. The encrypted/signed content can be delivered either as a download file or directly to your native mail client.
To decrypt a file or verify a signature, simply paste the encrypted or signed content into the text area. SC4 will automatically recognize encrypted and signed content and do the Right Thing with it.
To share your public key, click on the "Connect with a new user" button. SC4 will automatically compose an email containing your public key to send to the person you want to share encrypted data with.
To install a public key that you receive from someone else, simply copy-and-paste the key (the text between the lines --- START KEY --- and --- END KEY ---) into the text box in the SC4 application.
SC4 has been tested in Safari, Firefox and Chrome, but not IE.
Running SC4 yourself
The solution to this problem is to generate a local copy of SC4 that has your keys embedded directly inside it. Doing this involves two steps:
Open this file (sc4z.html) in your browser. SC4 will automatically figure out that it is being run from a FILE: URL and will generate a copy of itself with embedded keys. The generated file will have a randomized file name as an extra measure of protection (because it turns out to be easy to steal files from your computer if the attacker knows the file name).
This is a bit cumbersome, but you only have to do it once. Needless to say, you should not share your copy of SC4 with anyone. (You can, however, safely share sc4z.html.)
If you want to run SC4 from a server, simply copy the contents of the git repository to the server. SC4 runs entirely in the browser. The only reason to have a server in the loop is to provide an origin so that keys can safely be stored in localStorage. Of course, this means that you MUST serve SC4 from an HTTPS URL, not an HTTP URL. But if you didn't already know that then you should probably just use the live demo and not try to run SC4 yourself.
Please send feedback, including bug reports, to firstname.lastname@example.org.
My public key is:
---START KEY---
X-sc4-content-type: public-key v0.2
From: email@example.com
Timestamp: Wed, 22 Jul 2015 19:55:37 GMT
C74bKoKVF7fU9YPg3T93KjayDgw1xBg4hiX8fgyKEyrP
2GzixEkG2rqAVeJiTQSbgPA7LiBPH2UcnruhGFBPMkK6
BpPtsVynbe7Ko2DicHPMNgPgSRkSPmh1qaCiUbZNepdk
---END KEY---