/
index.html
459 lines (421 loc) · 38.3 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
<!DOCTYPE html>
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" manifest="ursa.appcache">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>URSA Privacy</title>
<meta name="Keywords" content="passlok, URSA, browser, encryption, decryption, symmetric, public key, signature, AES, ECDH, Diffie, Hellman, elliptic curve, advanced, javascript, PGP, PRISM">
<meta name="Description" content="URSA encryption">
<meta name="author" content="F. Ruiz">
<meta name="robots" content="index">
<meta name="viewport" content="width=device-width, minimum-scale=1, maximum-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<link rel="apple-touch-icon" href="ursa-touch-icon.png">
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
<!--Note to those wishing to read the JavaScript code: the code is divided into blocks, each one within its own script tag. You will read it more easily if you use an editor capable of folding code blocks-->
<!--CSS stylesheet containing the Light color scheme-->
<link rel="stylesheet" href="style.css">
<!--License notice and SSL force-->
<script src="js-head/license.js"></script>
<!--Tweet NaCl crypto library 1.0.3 by Dmitry Chestnykh. https://github.com/dchest/tweetnacl-js-->
<script src="js-opensrc/nacl-fast.js"></script>
<!--scrypt-async-js KDF 2.0.1 by Dmitry Chestnykh. https://github.com/dchest/scrypt-async-js-->
<script src="js-opensrc/scrypt-async.js"></script>
<!--lz-string compression algorithm 1.4.4. https://github.com/pieroxy/lz-string-->
<script src="js-opensrc/lz-string.js"></script>
<!--DOMPurify, used to sanitize decrypted material before putting in DOM v3.0.1. https://github.com/cure53/DOMPurify-->
<script src="js-opensrc/purify.js"></script>
<!--jpeg image steganography by Owen Campbell-Moore and others. https://github.com/owencm/js-steg. First jsstegencoder-1.0.js-->
<script src="js-opensrc/jsstegencoder-1.0.js"></script>
<!--jsstegdecoder-1.0.js. One edit to display warning on error-->
<script src="js-opensrc/jsstegdecoder-1.0.js"></script>
<!--jssteg-1.0.js-->
<script src="js-opensrc/jssteg-1.0.js"></script>
<!--isaac seedable PRNG by Yves-Marie Rinquin. https://github.com/rubycon/isaac.js/blob/master/isaac.js-->
<script src="js-opensrc/isaac.js"></script>
<!--this used to be in TweetNaCl, but they dropped it-->
<script src="js-opensrc/nacl-util.js"></script>
<!--ORIGINAL URSA code, LARGELY DERIVED FROM PASSLOK-->
<!--this only loads the blacklist regular expression and its length-->
<script src="js-head/wordlist.js"></script>
<!--Key and Lock functions-->
<script src="js-head/keylock.js"></script>
<!--cryptographic functions-->
<script src="js-head/crypto.js"></script>
<!--extra functions for mail, etc.-->
<script src="js-head/mail&chat.js"></script>
<!--functions for switching screens, etc.-->
<script src="js-head/screens.js"></script>
<!--text steganography-->
<script src="js-head/textstego.js"></script>
<!--image steganography-->
<script src="js-head/imagestego.js"></script>
<!--image steganography, extra functions-->
<script src="js-head/imageextra.js"></script>
</head>
<body>
<!--Main screen-->
<div id="mainScr">
<div class="centered"> <br>
<!--message area and local directory box, plus buttons-->
<div id="mainMsg" class="message"><span id="JSmsg">JAVASCRIPT OFF, PASSLOK CANNOT RUN</span></div>
<br>
<br>
<table>
<tr>
<td width="100%">
<input type="password" class="cssbox left" id="pwd" name="text" placeholder=""/>
</td>
<td width="0%">
<img id='showKey' class="field-icon" src="" title="click this to see/hide the Key">
</td>
</tr>
</table>
<br>
<button class="cssbutton" id="swapBtn" value="Swap" title="swap contents with main box">Swap</button><!--
--><button class="cssbutton" id="suggestKeyBtn" value="Suggest" title="suggest a Key made of five common words">5 Words</button><!--
--><button class="cssbutton" id="randomBtn" value="Random" title="display a random Key">Random</button><!--
--><button class="cssbutton" id="clearKeyBtn" value="Clear" title="clear the Key">Clear</button>
<br>
<br>
<!--buttons above the main box-->
<div id="mainBtnsTop">
<button class="cssbutton" id="decryptBtn" value="Encrypt/Decrypt" title="encrypt plain text in the box, decrypt encrypted text (alt-E)" accesskey="e">Encrypt</button><!--
--><label for="imageFile"><span class="cssbutton" id="imageBtn" title="encrypt or decrypt to image">Decrypt Img</span></label><!--
--><input type='file' id="imageFile"/><!--
--><button class="cssbutton" id="hideBtn" value="Hide" title="hide encrypted message as regular text (alt-T)" accesskey="t">Text hide</button><!--
--><button class="cssbutton" id="helpBtn" value="Help" title="get help on using URSA (alt-H)" accesskey="h">Help</button>
<input type="checkbox" id="fileMode" title="output is turned into files" accesskey=""/>
to File
<span id="fileOptions">
<input type="radio" name="fileModes" id="binaryMode" title="output file is binary" checked/>
Binary
<input type="radio" name="fileModes" id="textMode" title="output file is text" />
Text
</span>
</div>
</div>
<!--toolbar for rich text editing; this first section contains lists for style, fonts, etc.-->
<div id="toolBar1">
<select id="formatBlock" title="headings, etc.">
<option selected>- formatting -</option>
<option value="h1">Title 1 <h1></option>
<option value="h2">Title 2 <h2></option>
<option value="h3">Title 3 <h3></option>
<option value="h4">Title 4 <h4></option>
<option value="h5">Title 5 <h5></option>
<option value="h6">Subtitle <h6></option>
<option value="p">Paragraph <p></option>
<option value="pre">Preformatted <pre></option>
</select>
<select id="fontName" title="font type">
<option class="heading" selected>- font -</option>
<option>Arial</option>
<option>Arial Black</option>
<option>Courier New</option>
<option>Times New Roman</option>
<option>Verdana</option>
<option>Comic Sans MS</option>
<option>Impact</option>
<option>Trebuchet MS</option>
<option>Symbol</option>
</select>
<select id="fontSize" title="font size">
<option class="heading" selected>- size -</option>
<option value="1">Very small</option>
<option value="2">A bit small</option>
<option value="3">Normal</option>
<option value="4">Medium-large</option>
<option value="5">Big</option>
<option value="6">Very big</option>
<option value="7">Maximum</option>
</select>
<select id="foreColor" title="text color">
<option class="heading" selected>- color -</option>
<option value="brown">Brown</option>
<option value="red">Red</option>
<option value="orange">Orange</option>
<option value="green">Green</option>
<option value="blue">Blue</option>
<option value="purple">Violet</option>
<option value="violet">Pink</option>
<option value="yellow">Yellow</option>
<option value="cyan">Cyan</option>
<option value="white">White</option>
<option value="gray">Gray</option>
<option value="black">Black</option>
</select>
<select id="backColor" title="color behind the text">
<option class="heading" selected>- back color -</option>
<option value="brown">Brown</option>
<option value="red">Red</option>
<option value="orange">Orange</option>
<option value="green">Green</option>
<option value="blue">Blue</option>
<option value="purple">Violet</option>
<option value="violet">Pink</option>
<option value="yellow">Yellow</option>
<option value="cyan">Cyan</option>
<option value="white">White</option>
<option value="gray">Gray</option>
<option value="black">Black</option>
</select>
<!--rich text editing buttons; images are loaded as data-->
<div id="toolBar2"> <img class="intLink" title="Bold" src="data:image/gif;base64,R0lGODlhFgAWAID/AMDAwAAAACH5BAEAAAAALAAAAAAWABYAQAInhI+pa+H9mJy0LhdgtrxzDG5WGFVk6aXqyk6Y9kXvKKNuLbb6zgMFADs=" /> <img class="intLink" title="Italic" src="data:image/gif;base64,R0lGODlhFgAWAKEDAAAAAF9vj5WIbf///yH5BAEAAAMALAAAAAAWABYAAAIjnI+py+0Po5x0gXvruEKHrF2BB1YiCWgbMFIYpsbyTNd2UwAAOw==" /> <img class="intLink" title="Underline" src="data:image/gif;base64,R0lGODlhFgAWAKECAAAAAF9vj////////yH5BAEAAAIALAAAAAAWABYAAAIrlI+py+0Po5zUgAsEzvEeL4Ea15EiJJ5PSqJmuwKBEKgxVuXWtun+DwxCCgA7" /> <img class="intLink" title="Strikethrough" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWBAMAAAA2mnEIAAAAGFBMVEUAAABGRkZxcXGrq6uOjo7CwsINDQ3p6emLJhauAAAAAXRSTlMAQObYZgAAAEVJREFUGNNjoCYoDjaBs1UZDGFMVmUGJhibXcidFa7GUVAVygpSUlJMS0uBqmFgFhSA6TVgYIOxmcUZ2BxgbEFnF2o6HQD3yAWvJ+vXvwAAAABJRU5ErkJggg==" /> <img class="intLink" title="Subscript" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWBAMAAAA2mnEIAAAAGFBMVEUAAACCgoJISEh0pePr7/WgssrS0tLH1vP156UFAAAAAXRSTlMAQObYZgAAAElJREFUGNNjoB5gDBQRFICy2YQCAhNgEomqAghFSg5wNosSkniQGktwAURYlFEp2d0AIiyYpKTGbICwJBihnd2kBM5mNjagzPEAztoHvc+7u1sAAAAASUVORK5CYII=" /> <img class="intLink" title="Superscript" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWBAMAAAA2mnEIAAAAGFBMVEUAAACCgoJISEigssrr7/V0pePS0tLH1vPtoVcWAAAAAXRSTlMAQObYZgAAAEpJREFUGNNjoC5gCTaAs5ndAxASrBA2o6GIoICpA5jNJmhg6B5SApFPUhZgDQ2AalRyQBioJABnMxqpwYWFGZUMYMKCSUpqlDocAJ7SBzNIUMnCAAAAAElFTkSuQmCC" /> <img class="intLink" title="Left align" src="data:image/gif;base64,R0lGODlhFgAWAID/AMDAwAAAACH5BAEAAAAALAAAAAAWABYAQAIghI+py+0Po5y02ouz3jL4D4JMGELkGYxo+qzl4nKyXAAAOw==" /> <img class="intLink" title="Center align" src="data:image/gif;base64,R0lGODlhFgAWAID/AMDAwAAAACH5BAEAAAAALAAAAAAWABYAQAIfhI+py+0Po5y02ouz3jL4D4JOGI7kaZ5Bqn4sycVbAQA7" /> <img class="intLink" title="Right align" src="data:image/gif;base64,R0lGODlhFgAWAID/AMDAwAAAACH5BAEAAAAALAAAAAAWABYAQAIghI+py+0Po5y02ouz3jL4D4JQGDLkGYxouqzl43JyVgAAOw==" /> <img class="intLink" title="Justify" src="data:image/gif;base64,R0lGODlhFgAWAIAAAMDAwAAAACH5BAEAAAAALAAAAAAWABYAAAIghI+py+0Po2yh2nvnxNxq2XVfFHIjVGLnk2brC8fyXAAAOw==" /> <img class="intLink" title="Numbered list" src="data:image/gif;base64,R0lGODlhFgAWAMIGAAAAADljwliE35GjuaezxtHa7P///////yH5BAEAAAcALAAAAAAWABYAAAM2eLrc/jDKSespwjoRFvggCBUBoTFBeq6QIAysQnRHaEOzyaZ07Lu9lUBnC0UGQU1K52s6n5oEADs=" /> <img class="intLink" title="Dotted list" src="data:image/gif;base64,R0lGODlhFgAWAMIGAAAAAB1ChF9vj1iE33mOrqezxv///////yH5BAEAAAcALAAAAAAWABYAAAMyeLrc/jDKSesppNhGRlBAKIZRERBbqm6YtnbfMY7lud64UwiuKnigGQliQuWOyKQykgAAOw==" /> <img class="intLink" title="Quote" src="data:image/gif;base64,R0lGODlhFgAWAIQXAC1NqjFRjkBgmT9nqUJnsk9xrFJ7u2R9qmKBt1iGzHmOrm6Sz4OXw3Odz4Cl2ZSnw6KxyqO306K63bG70bTB0rDI3bvI4P///////////////////////////////////yH5BAEKAB8ALAAAAAAWABYAAAVP4CeOZGmeaKqubEs2CekkErvEI1zZuOgYFlakECEZFi0GgTGKEBATFmJAVXweVOoKEQgABB9IQDCmrLpjETrQQlhHjINrTq/b7/i8fp8PAQA7" /> <img class="intLink" title="Delete indentation" src="data:image/gif;base64,R0lGODlhFgAWAMIHAAAAADljwliE35GjuaezxtDV3NHa7P///yH5BAEAAAcALAAAAAAWABYAAAM2eLrc/jDKCQG9F2i7u8agQgyK1z2EIBil+TWqEMxhMczsYVJ3e4ahk+sFnAgtxSQDqWw6n5cEADs=" /> <img class="intLink" title="Add indentation" src="data:image/gif;base64,R0lGODlhFgAWAOMIAAAAADljwl9vj1iE35GjuaezxtDV3NHa7P///////////////////////////////yH5BAEAAAgALAAAAAAWABYAAAQ7EMlJq704650B/x8gemMpgugwHJNZXodKsO5oqUOgo5KhBwWESyMQsCRDHu9VOyk5TM9zSpFSr9gsJwIAOw==" /> <img class="intLink" title="Horizontal rule" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWBAMAAAA2mnEIAAAAGFBMVEUAAADIyMimpqbp6enz8/P8/PzZ2dldXV27aT9/AAAAAXRSTlMAQObYZgAAAD5JREFUGNNjoBg4GSDYSgpYFCQKgkECiC0aGuLi7GwsAGILKYGBABYt5QUwVoiZuJhJAITN6mxs7Apk0wIAACMpB/oWEo0pAAAAAElFTkSuQmCC" /> <img class="intLink" title="Hyperlink" src="data:image/gif;base64,R0lGODlhFgAWAOMKAB1ChDRLY19vj3mOrpGjuaezxrCztb/I19Ha7Pv8/f///////////////////////yH5BAEKAA8ALAAAAAAWABYAAARY8MlJq7046827/2BYIQVhHg9pEgVGIklyDEUBy/RlE4FQF4dCj2AQXAiJQDCWQCAEBwIioEMQBgSAFhDAGghGi9XgHAhMNoSZgJkJei33UESv2+/4vD4TAQA7" /> <img class="intLink" title="Remove hyperlink" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWBAMAAAA2mnEIAAAAGFBMVEUAAAD08fHXzcxjY2OMhoafn5+uLyrktrTVXxhsAAAAAXRSTlMAQObYZgAAAGxJREFUGNNjwAAFMAZjEkMCYyKUU6aQoAaTYU90TIcrFwBCCFANDWIKDVUAMZkcBUVZBQWDQGwWERcnJhcXETBbBUEyKzubsjobK4PYrEZCwsxCQqZgc4KNTVmMjQOQzIfbW5jOgOYehDspAwBt9Q/S3exo3wAAAABJRU5ErkJggg==" /> <img class="intLink" title="Remove formatting" src="data:image/gif;base64,R0lGODlhFgAWAIQbAD04KTRLYzFRjlldZl9vj1dusY14WYODhpWIbbSVFY6O7IOXw5qbms+wUbCztca0ccS4kdDQjdTLtMrL1O3YitHa7OPcsd/f4PfvrvDv8Pv5xv///////////////////yH5BAEKAB8ALAAAAAAWABYAAAV84CeOZGmeaKqubMteyzK547QoBcFWTm/jgsHq4rhMLoxFIehQQSAWR+Z4IAyaJ0kEgtFoLIzLwRE4oCQWrxoTOTAIhMCZ0tVgMBQKZHAYyFEWEV14eQ8IflhnEHmFDQkAiSkQCI2PDC4QBg+OAJc0ewadNCOgo6anqKkoIQA7" /> <img class="intLink" title="Undo" src="data:image/gif;base64,R0lGODlhFgAWAOMKADljwliE33mOrpGjuYKl8aezxqPD+7/I19DV3NHa7P///////////////////////yH5BAEKAA8ALAAAAAAWABYAAARR8MlJq7046807TkaYeJJBnES4EeUJvIGapWYAC0CsocQ7SDlWJkAkCA6ToMYWIARGQF3mRQVIEjkkSVLIbSfEwhdRIH4fh/DZMICe3/C4nBQBADs=" /> <img class="intLink" title="Redo" src="data:image/gif;base64,R0lGODlhFgAWAMIHAB1ChDljwl9vj1iE34Kl8aPD+7/I1////yH5BAEKAAcALAAAAAAWABYAAANKeLrc/jDKSesyphi7SiEgsVXZEATDICqBVJjpqWZt9NaEDNbQK1wCQsxlYnxMAImhyDoFAElJasRRvAZVRqqQXUy7Cgx4TC6bswkAOw==" />
<label for="imgFile">
<img class="intLink" title="Insert image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAMAAABhEH5lAAAAbFBMVEUAAAAAAAAmJibm5uaJiYnZ2dnn5+e5ubmBgYHNzc3z8/Pr6+vW1ta2trZ/f3/y8vLQ0NDPz8/Dw8OgoKCOjo54eHgcHBwGBgb+/v7T09PIyMi+vr6srKyEhIRqampiYmJbW1tPT08qKioRERGLOctyAAAAAXRSTlMAQObYZgAAAHJJREFUGNOtzkkShCAQRNFKbLsVsZ3nWe9/R8EAYeHSv6u3qEh6qo0/TkUiKULNbCglfZGSjf0vCvWZLTmxwBBXVGG1NO2D+hoIQ6IHmrKrciJDfgxIBGbPId12E//pUjOiyHydCGtFyQG3kWTcc4ro1U7vPAUU4TAxJQAAAABJRU5ErkJggg==" />
</label>
<input type="file" id="imgFile"/>
<label for="mainFile">
<img class="intLink" title="Load a file" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAMAAABhEH5lAAAATlBMVEUAAAAAAAD19fVcXFwbGxsTExP8/PzT09NxcXFaWlo4ODg1NTUEBAT5+fnw8PDr6+vU1NTIyMi+vr6Xl5dsbGxnZ2dXV1dISEghISEMDAw0f0rSAAAAAXRSTlMAQObYZgAAAFBJREFUGNO9yEkOgCAQBMBmUxDc9/9/VJ2EjgkHb9axcJuceqQRtMq4aAdWkDr6xtW5jJRFx2MBu23fdS7eG6Vz0U8VytrKmhMnVoDQlOfbBQLIAl4FF2fyAAAAAElFTkSuQmCC" />
</label>
<input type="file" id="mainFile"/>
<img class="intLink" title="Download files" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWCAMAAADzapwJAAAAdVBMVEUAAAAfHx9GRkYAAAAPDw9aWlr+/v739/fHx8dpaWkEBAT7+/v29vby8vLu7u7Z2dm1tbWysrKtra2qqqqMjIxWVlZJSUk1NTUUFBQJCQnz8/Pq6uri4uLMzMzKysq+vr69vb2NjY16enpvb29hYWE9PT0rKytDpsqlAAAAAXRSTlMAQObYZgAAAHdJREFUGNO1zscOgCAMgGG0iIp77z3e/xEV05CoJJ78D9B86aHkO6bUuXBUnFWuig1q/sTs5PclyR7YpZ+vD+4rrSg3mJ7rFgWA9EZhcPmlbuyh1mCLr0vEO0CI7HPB2AgRTh43mORYMstBk3HaEqxZdFlmkZ87AICHBL2TAUCPAAAAAElFTkSuQmCC" />
</div>
</div>
<div id="mainBox" contenteditable="true" class="cssbox" accesskey=";" placeholder="Enter your message here and the shared Key in the top box, then click Encrypt. You can also enter images and files after you click the Rich button."></div>
<div class="centered">
<!--buttons below the main box-->
<div id="mainbuttonsbot">
<button class="cssbutton" id="niceEditBtn" value="Rich" title="toggle rich text editor (alt-R)" accesskey="r">Rich</button><!--
--><button class="cssbutton" id="selectMainBtn" value="Select" title="select the text in the box and copy it to clipboard">Copy</button><!--
--><button class="cssbutton" id="clearMainBtn" value="Clear" title="clear the text in the box">Clear</button><!--
--><button class="cssbutton" id="chatBtn" value="Chat" title="make a chat invitation or open it (alt-C)" accesskey="c">Chat</button><!--
--><button class="cssbutton" id="sendSMSBtn" value="SMS" title="mobile: open the default Texting app">SMS</button>
</div>
</div>
</div>
<!--Help screen-->
<div id="helpScr">
<h2 id="helpWelcome">Welcome to URSA</h2>
<button class="cssbutton" id="help2mainBtnTop" value="< Back" title="return to main screen (alt-M)" accesskey='m'>◄ Back</button>
<br>
<span id='helpmsg' class="message">For help on how to do things, click on each title.</span><br>
<br>
<hr>
<div class="helpHeading">
<h3>What is URSA?</h3>
</div>
<div class="helpText">
<p>URSA makes your favorite email private by encrypting it with a shared Key so only the intended recipients can see it. You don't need to make an account anywhere, but you need to get the shared Key to the recipients by some secure means (unencrypted email or texting won't do). Once this Key is forgotten by all participants the content remains encrypted forever.</p>
<p>In other apps "forever" means a really, really long time, because of the computational difficulty of recovering a high-entropy encryption Key. In URSA, it really means forever, whenever the Key is longer than the message being encrypted.</p>
<p>You can also use URSA to set up real-time secure chat sessions involving text, files, audio, or even video. The connection is direct between participants, with a server getting involved only at the start so you can find each other.</p>
<p>URSA runs on a browser and is platform-independent. The chat component, however, does not yet run on IE or Safari, or under iOS.</p>
<p>URSA is <em>still in experimental phase</em>, as it has not yet been duly vetted by experts. Bear this in mind before entrusting sensitive information to it.</p>
<p>If you want more capability, you may want to try SeeOnce, from <a href="https://passlok.com/seeonce" target="_blank">https://passlok.com/seeonce</a>, or PassLok, from <a href="https://passlok.com/app" target="_blank">https://passlok.com/app</a>. In addition to read-once encryption and Letters encoding for a single recipient, PassLok implements three more encryption and five more steganography modes, plus signatures and secret splitting. PassLok can also encrypt for several recipients at once. SeeOnce encrypts for only one person at a time, but it does so in such a way that messages can only be decrypted once. URSA is fully compatible with PassLok, but not with SeeOnce.</p>
</div>
<hr>
<div class="helpHeading">
<h3>How do I use URSA?</h3>
</div>
<div class="helpText">
<p>Just type the shared Key in the top box and the plain message in the bottom box. As you type the Key in, it is evaluated for strength, and a message above it tells you how good it is. If you click the eye icon, you'll also see a mnemonic "hashili" word based on the Key, to reassure you that you typed it correctly. Clicking the eye icon again reveals the whole Key.</p>
<p>If you paste the plain message in, it will be encrypted automatically, otherwise click <strong>Encrypt</strong>. If then you click the <strong>Email</strong> button, it will be forwarded to your default email so you can send it out. The recipients only need to click on a link on the email and supply the shared Key.</p>
<p>If you want to disguise the result as apparently normal text, click the <strong>Text hide</strong> button. You will be prompted for a cover text and directed to complete the result.</p>
<p>To decrypt a message, enter the shared Key on the top box and then paste the message in the bottom box (it is fine if it is disguised as normal text). The message will unhide and then decrypt automatically. Otherwise, click the <strong>Decrypt</strong> button.</p>
<p>You can also embed the encrypted message inside an image so that its presence cannot be detected. Start the process with the <strong>Encr. to Img</strong> button if you are encrypting, <strong>Decrypt Img</strong> if decrypting, with the main box empty. When encrypting, you can choose the image format to be PNG or JPG.</p>
<p>When encrypting to image, you can embed a second message in addition to the main message, by writing the following in the Key box before clicking the button: main Key,followed by a vertical bar "|", Key for the second message, another vertical bar, second message. To extract the hidden message, the Key box should contain the following before clicking the button: main Key, vertical bar, Key for the second message.<p>
<p>URSA will run from a saved file, so you don't have to be online in order to use it.</p>
</div>
<hr>
<div class="helpHeading">
<h3>How do I get quantum-resistant encryption?</h3>
</div>
<div class="helpText">
<p>As of 2019, reversing the encryption done with a symmetric Key having 256 bits of entropy still takes gazillions of years of computing time, but future quantum computers promise to shorten this (although not as much as they would for asymmetric encryption). URSA has a special "Pad mode" that not even quantum computers will be able to crack.</p>
<p>URSA shifts into Pad mode whenever you supply a shared Key that is <em>longer than the plain message</em> being encrypted (the Key must be at least 43 characters long). Then press <strong>Encrypt</strong> normally.</p>
<p>A pop-up will ask you for the start position, which must be a number in the range given by the pop-up. After you enter this, the encryption proceeds. To decrypt, the recipient must supply the same long shared Key and the same start position. Since security comes mostly from using a long Key, it may be okay to transmit the starting position in plaintext, if you have to.</p>
<p>You can disguise the result as apparently normal text as for the normal mode, by clicking the <strong>Text hide</strong> button.</p>
<p>Typically, the long Key will be copied from a text file or online document, and then pasted in the top box. You can also load a local file into the lower box using the File load icon, and then click the <b>Swap</b> button to move the text to the top box.</p>
<p>Pad mode encryption is slower than regular encryption, especially if the text to be encrypted is also long (the length of the Key text doesn't matter so much), but the result is mathematically impossible to decrypt without the Key.</p>
</div>
<hr>
<div class="helpHeading">
<h3>How do I use Human mode?</h3>
</div>
<div class="helpText">
<p>If you or your friends don't have access to a computer that hasn't been compromised, you can still communicate in Human mode, which can be performed simply with paper and pencil. This mode is explained in detail in this page, which also does encryption and decryption for you: <a href="https://passlok.com/human" target="_blank">https://passlok.com/human</a>.</p>
<p>URSA shifts into Human mode whenever you supply a shared Key that consists of <em>three strings separated by tildes</em> "~" (or two tildes after a single string). Type your message in Latin characters, then press <strong>Encrypt</strong> normally. Bear in mind that all punctuation will be represented as periods upon decryption.</p>
<p>You can disguise the result as apparently normal text as for the normal mode, by clicking the <strong>Text hide</strong> button.</p>
<p>If the appropriate key is loaded, decryption happens automatically as soon as you paste in the encrypted message. Otherwise, click the <strong>Decrypt</strong> button. Unlike in other modes, you won't get a message telling you whether or not the decryption has been successful.</p>
<p>Messages encrypted by URSA in Human mode can be decrypted in PassLok, and vice-versa, plus the page linked above.</p>
</div>
<hr>
<div class="helpHeading">
<h3>How does Chat work?</h3>
</div>
<div class="helpText">
<p>If you click the <strong>Chat</strong> button, a dialog asks you what kind of real-time chat you want to set up. There are four choices: text and files, this plus audio, and all this plus video, and Jitsi, which is more full-featured (except for file exchange). You can also add a short message, such as a date and time for the chat session.</p>
<p>After you click <strong>OK</strong>, URSA makes a chat invite exactly as when encrypting a message. You then send it to the other participants, keeping a copy for yourself. When the time for the chat comes, decrypt the chat invite and then you'll be able to join the chat session like everybody else.</p>
<p>When the recipients get your chat invite, they will decrypt it like any other URSA message and then a new tab for the chat will open and ask for an alias. When they supply this, they'll be connected directly to each of the participants already in the session. They may be asked to grant permission to feed audio or video when the connection takes place.</p>
<p>If you get disconnected, reload the chat tab and type your alias again. You can change the chat type at this point.</p>
</div>
<hr>
<div class="helpHeading">
<h3>Can I encrypt files and images?</h3>
</div>
<div class="helpText">
<p>Chat has its own secure file-sending process, so we refer here to encrypting files using the main encryption process. You have two choices:</p>
<p>1. Encrypt the files using AES with a utility such as <a href="http://www.7-zip.org/" target="_blank">7-zip</a> (Windows), <a href="http://www.kekaosx.com/" target="_blank">Keka</a> (OSX), or p7zip (Linux), then encrypt the encryption password inside a URSA-encrypted message, and attach the encrypted archive to your email.</p>
<p>2. You can also load files using the button near the right end of the rich text toolbar (which you display with the <strong>Rich</strong> button, if it is not displayed already), which will load each file as a link, and then encrypt them as a regular message. After decryption, the recipient can save the files contained in the main box by clicking the Save button below the box or the rightmost button on the toolbar.</p>
<p>Images can be loaded as described above or directly as image, by clicking the image icon on the rich text toolbar and are encrypted just like text.</p>
<p>If the file loaded is text, it will load as text rather than as a link. You can also load text into the Key box. Just load it first into the main box, and then click the <b>Swap</b> button.</p>
<p>Finally, you can save an encrypted message as a file, by checking the <strong>to File</strong> box and selecting the type (Binary or Text) before encrypting. You save the resulting file to disk by right-clicking as described above.</p>
<p>If you include files, which tend to contain a lot more bytes than text, you may want to encrypt to file rather than text in order to speed up the process as described in the next item, especially if you want to send the encrypted output by email.</p>
</div>
<hr>
<div class="helpHeading">
<h3>Can I encrypt large stuff?</h3>
</div>
<div class="helpText">
<p>Sometimes the text, images, or files you wish to encrypt contain a lot of bytes, which would fill many screenfuls with gibberish text. Email programs won't take large text without clipping it, thus making it impossible to decrypt it. The solution is to output to a file rather than text, by checking the <strong>to File</strong> box and the type of file to make (Binary or text) before clicking <strong>Encrypt</strong>.</p>
<p>After encryption, you will see a link on the main box, which you can download by clicking the Save button below the box. Then you can send it as an email attachment, for instance.</p>
<p>To decrypt the file, load it as described in the item above, and then decrypt it with the shared Key just like something encrypted to text.</p>
</div>
<hr>
<div class="helpHeading">
<h3>Are there any potential insecurities?</h3>
</div>
<div class="helpText">
<p>We have tried to make URSA extremely easy to use without impacting security, but tradeoffs do exist. There are two issues that you must be aware of:</p>
<p>1. <strong>How to get the shared Key to the recipients.</strong> Just encrypting it with a previously shared Key before sending is not secure enough, since compromising the previous Key will immediately compromise the new Key. Most likely, you are going to have to meet in person, or exchange Keys using an asymmetric encryption program such as <a href="https://passlok.com/seeonce" target="_blank">SeeOnce</a> or <a href="https://passlok.com/app" target="_blank">PassLok</a>.</p>
<p>2. <strong>Hackers could change the code</strong> at the web server, and therefore destroy all security without users realizing it. The native app versions of URSA are code-signed by the respective app stores so this is not a problem with those, but if you are concerned about the authenticity of the web app, you can verify it by following the instructions below.</p>
<div class="helpHeading2">
<p><em>Click here for instructions to verify the URSA code.</em></p>
</div>
<div class="helpText">
<p>Warning: following the links in these instructions may give away your location; proceed with caution.</p>
<p>1. Head to Online-convert.com <a href="http://hash.online-convert.com/sha256-generator" target="_blank">http://hash.online-convert.com/sha256-generator</a> and write https://passlok.com/ursa in the second box from the top, then type Enter or click "Convert File". This will instruct this website to fetch the URSA code from its server and perform a SHA256 operation on it.</p>
<p>2. A new screen should appear, displaying the SHA256 string in several formats. Now you want to compare this with the published value, which is available at different places. If both strings are the same, the code is tamper-free. Here are a few locations where this string in published (more to be added):</p>
<ul>
<li>URSA information page: <a href="http://ursa-app.weebly.com" target="_blank">http://ursa-app.weebly.com</a></li>
<li>PR Gomez.com (author's blog): <a href="http://prgomez.com/current-version-of-ursa/" target="_blank">http://prgomez.com/current-version-of-ursa/</a></li>
</ul>
<p>3. Hackers may also be able to change the published SHA256 string, so this is why a video of F. Ruiz, the URSA developer, reading the string aloud with background music always accompanies the string. Watch it to make double sure the code is authentic.</p>
</div>
</div>
<hr>
<div class="helpHeading">
<h3>What's underneath URSA?</h3>
</div>
<div class="helpText">
<p>URSA is a very simplified sibling of PassLok Privacy (<a href="https://passlok.com/app" target="_blank">https://passlok.com/app</a>), from which it takes its symmetric encryption mode, which is based on the XSalsa20 stream cipher, plus the WiseHash key-stretching algorithm to increase security with weak Keys.</p>
<p> PassLok can decrypt URSA-encrypted messages, and encrypt short messages that URSA can decrypt. It also includes a complete directory management system for Keys shared with other users, so you only need to select the correspondent's name from a list on the Main screen.</p>
<p>The quantum-resistant mode is not based on XSalsa20, but rather on repeatedly taking the SHA512 hash of a shared Key longer than the message itself, and using the random-looking result as a keystream to encrypt the message.</p>
<p>You can get full details on URSA's cryptography and the Chat function from the <a href="http://www.weebly.com/uploads/2/4/1/8/24187628/passlok_technical_document.pdf" target="_blank">PassLok technical document.</a>.</p>
</div>
<hr>
<div class="helpHeading">
<h3>Keyboard shortcuts</h3>
</div>
<div class="helpText">
<p>The main functions in URSA can be accessed directly from the keyboard. The button tooltips tell you what the shortcut is for each button that has a shortcut, but below is a list just in case:</p>
<ul>
<p>Alt-L: <strong>L</strong>ock </p>
<p>Alt-H: <strong>H</strong>elp and back</p>
<p>Alt-R: <strong>R</strong>ich text editing toggle </p>
<p>Alt-C: <strong>C</strong>hat function</p>
</ul>
</div>
<hr>
<div class="helpHeading">
<h3>Privacy Statement and Warrant Canary</h3>
</div>
<div class="helpText">
<p>URSA is a self-contained piece of code that does not rely on servers to do its job. Therefore:</p>
<p><strong>1. We cannot give your Keys to anyone</strong> (not even yourself) because we don't have them.</p>
<p><strong>2. We cannot give your private data to anyone</strong> because URSA does not send anything out of your device, either. When you download the app from the web server, you get only the code, without any cookies, plugins, or anything of that sort.</p>
<p><strong>3. We cannot eavesdrop on your chat sessions, or enable anyone to do so.</strong> Establishing a chat session does involve contacting a signaling server (Firebase) and giving it your IP address and a disposable chatroom name so that others can contact you; the signaling server never sees the content of your chat, which is between participants only. The URSA web server doesn't even see the connection data.</p>
<p><strong>4. We will never weaken the cryptography methods contained within URSA at the request of a third party, private or public.</strong> This also means no backdoors will ever be added. We would rather shut down URSA than be forced to do this, which would betray the very essence of our efforts. If we learn that a counterfeit version of URSA is circulating, whether placed by hackers or government agencies, we will make the fact known to users.</p>
<p><strong>Notice:</strong> Since URSA is distributed as a piece of human-readable code, we consider it an expression of free speech protected by the laws of many countries. Putting into circulation tampered versions of URSA, whether by individuals or public entities, violates free speech and copyright protection laws.</p>
<p>URSA contains strong cryptographic methods, which may be illegal to use in some countries. Please check the local laws before using URSA.</p>
<div id="canary"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8BAMAAADI0sRBAAAAGFBMVEUAAAAAAAD///91XhdgYGCcnJzMzMzUqipkv+fEAAAAAXRSTlMAQObYZgAAAYFJREFUOMt1lLGOgzAQREEUaVkHkhpEUkOVmvsDIt31IF1PdP8vnWwzHtaGKRDmsbO7eHGm9Cfyys4km/ojmEvQ/ZBS10N6Gl+I18/v6G/KtCrTOnVuscbWSwsxPYPBwEsGw1nxgEGpxoUzuI00MjuDqWdwvyD4e88nuOdbMFOge3j79V3liHAjL7np4kt4u5V2fwS8bGbbHd3hjZ0wyt1hZAzuxL3FZoffqrUSlaG4qqU2HFbMfoplj68pNqr0T4xF4SFUMyJcY+EqxVgTS4QlwkZjrAXSubFRsw4H5p5BxLlIgwfTIW6DoXafPcYkqN74zRf3uN7bf2HHChvnuMGX7WoRYD8tTN/4q2CS/YQ8tvY79GwsXjO3J6jq/Qz7Mds8ds5RSDypAmz4zSr1E/EfQ9MJHjDd5PSGu1Vt8Q3BOBrVDuNdnj0DB2RCvH0xPpnYHoLhXmluXdajU7E7ONOj+YyP5Fzx9MDHQHIkQGCv1WtcaFqSkKeUumjnVB80TP0D1fGXaRHBg/YAAAAASUVORK5CYII=">
<p>This paragraph and the canary logo above attest to the fact that, up until the release of version 4.2.13 (March 2023) we have not received any requests under gag order for user data or modifications of the code. This paragraph will be periodically updated as this situation continues.</p>
</div>
</div>
<hr>
<address>
URSA 4.2.13 © F. Ruiz 2023
</address>
<ul>
<li>engine: NaCl by D. Bernstein, W. Janssen, T. Lange, P. Schwabe, M. Dempsky, and A. Moon 2013</li>
<li>tweetNaCl JavaScript implementation by D. Chestnykh and D. Mandiri 2015</li>
<li>scrypt key stretching implementation by D. Chestnykh 2014</li>
<li>lz-string compression by pieroxy 2014</li>
<li>DOMPurify XSS sanitizer by cure53 2022</li>
<li>image steganography based on F5 by Andreas Westfeld 2001</li>
<li>jpeg image hiding libraries js-steg by Owen Campbell-Moore et al. 2014</li>
<li>isaac seedable PRNG by Yves-Marie Rinquin 2012</li>
<li>file In/Out based on an article from the This Could Be Better blog 2012</li>
<li>webRTC chat by Muaz Khan 2019</li>
<li>Jitsi chat by jitsi.org 2020</li>
<li>Letters encoding based on Advanced Unicode Stego by Adrian Crenshaw 2013</li>
</ul>
<address>
This document may be used, modified or redistributed under GNU GPL license, version 3.0 or higher.
</address>
<br>
<button class="cssbutton" id="help2mainBtnBottom" value="< Back" title="return to main screen (alt-M)">◄ Back</button>
</div>
<!--Chat dialog, to enter the chat type and date or other information-->
<div id="chatDialog" class="white_content"> <br>
<br>
<br>
<span id="chatmsg" class="message">Choose the type of chat, then write in the box the date and time</span><br>
<br>
<input type="radio" name="chatmodes" id="dataChat" title="chat with text messages and file exchange"/>
Text and files
<input type="radio" name="chatmodes" id="audioChat" title="like Text chat, plus audio"/>
Audio
<input type="radio" name="chatmodes" id="videoChat" title="like audio chat, plus video"/>
Video
<input type="radio" name="chatmodes" id="jitsiChat" title="full featured, on jit.si" checked/>
Jitsi
<br>
<br>
<textarea id="chatDate" class="cssbox" name="chatDate" rows="1" title="additional information" placeholder="Write here the date and time for the chat"></textarea>
<br>
<br>
<button class="cssbutton" id="cancelChatBtn" value="Cancel" title="cancel chat invitation">Cancel</button>
<button class="cssbutton" id="submitChatBtn" value="OK" title="make chat invitation">OK</button>
</div>
<!--Cover text entry dialog-->
<div id="coverScr" class="white_content">
<br>
<span id="coverMsg" class="message">Please enter the cover text for hiding and click <strong>OK</strong></span>
<br>
<br>
<div class="cssbox left" contenteditable="true" rows="5" autocomplete="off" id="coverBox" name="coverBox" placeholder="Enter the cover text here"></div>
<br>
<button class="cssbutton" id="cancelCoverBtn" value="cancel" title="close cover text dialog">Cancel</button>
<button class="cssbutton" id="acceptCoverBtn" value="OK" title="accept cover text">OK</button>
<br>
<br>
<input type="checkbox" id="rememberCoverCheck" title="remember the text for this session"> Remember
</div>
<!--Image hiding dialog-->
<div id='imageScr' class="white_content">
<button class="cssbutton" id="image2mainBtn" value="< Done" title="return to main screen (alt-I)" accesskey="i">◄ Done</button>
<span id="imgSpacer"><br>
<br>
<br>
</span>
<button class="cssbutton" id="encodePNGBtn" value="PNG Hide" title="hide main box contents into PNG image">Encrypt to PNG</button>
<button class="cssbutton" id="encodeJPGBtn" value="JPG Hide" title="hide main box contents into JPG image">Encrypt to JPG</button>
<br>
<br>
<div id="imageMsg" class="message"></div>
<br>
<img id="previewImg" src="" width="100%"/>
</div>
<!--Shadow backdrop-->
<div id="shadow" class="black_overlay"> </div>
<!--Body script: window reformatting, special functions-->
<script src="js-body/bodyscript.js"></script>
<!--initialization, button connections-->
<script src="js-body/initbuttons.js"></script>
</body>
</html>