Thank you for choosing to use jveil for your lightweight encryption needs. [INITIAL DISCLAIMER] jveil is currently somewhere between alpha and beta stages; all the algorithms used, particularly in determining the iterations, salt, etc., are probably, but not yet definitely, final. Thus, if you don't plan on decrypting a file for a long period of time, be sure to hang on to this version just in case. [INTRODUCTION] Every now and then, you have to send a file over the internet to a friend. First, the file is going to go through the local network, if you have one. Do you trust your network administrator? Are you certain that he is not monitoring what is sent over the network, and that he is competent enough to prevent others from doing so? Or perhaps you are on a wireless network. It is trivial to view wireless traffic on an already unencrypted connection. After your file makes it through the local network, you have no idea who can see the information between you and the destination to which you are sending the file. I say destination, because perhaps you are sending it to an email account, rather than directly to a person. If it does go to an email account, it is once again trivial for the administrator of that system to look at people's inboxes. Or, what if it's going to a GMail account? I don't know about you, but I still am relatively clueless about GMail's privacy policies. Personally, if I were sending any file that I wouldn't post on a message board, I would want to take measures to ensure that people didn't see it. Ideally, said measures would involve using PGP or GPG (use Google for more information on those). But sometimes that PGP and GPG are not valid options, for one reason or another. Perhaps one person in the pair doesn't have internet access on his or her personal computer, and isn't allowed to (possibly doesn't want to) install software on a computer with internet access. Or, as is a slightly more common case in my opinion, sometimes one or both people don't feel capable of using a tool such as PGP or GPG, especially from the commandline. (Let's ignore the fact that jveil's graphical interface has not yet been written ;) ) [THOUGHTS ON USAGE] Now with jveil, you can encrypt a file with as little as a password, a file to encrypt, and an output file name. Simple and convenient, no? But if both parties are slightly more tech-savvy, it would probably be wise to choose your own salt and/or iteration count and/or protocol. Hypothetically, if someone monitoring your network connection saw that you had just downloaded jveil (or knew otherwise that you used jveil) and then captured the file that you sent, that person could conceivably use a wordlist to brute-force decrypt your file. If you don't change any of the defaults, that person already knows the correct salt and iteration count for each password. However, changing the salt, or choosing a nice, large iteration count makes cracking by brute-force extremely unlikely. [SECURITY] However, there is no need to brute-force if the password, etc. are already known. jveil does no good if you send an email with the password, salt, and iteration count with the encrypted file attached. Use common sense in this department. The lack of an ability to securely transfer key information is possibly jveil's largest security flaw. However, on this note, please do not overlook jveil's ability to use a file as a password: for example, you can send an innocuous image to your friend, and then use that image as the password. Also, I can make no guarantees as to the security of the encryption protocols. I specifically chose the 4 protocols included with Sun's encryption package, so that anyone with Java 1.5.0+ should be able to use jveil without any trouble. But, if any of those protocols are ever cracked, your data may be at jeopardy; you assume this risk when you use this software. Moreover, the encrypted files are only encrypted with intent to transfer over another medium. jveil would be terrible to use for encrypting a large group of files on your own computer, for your own use (for that, I also refer you to PGP or GPG, or perhaps consider using the cryptoloop architecture on the Linux kernel). Even if you do choose to encrypt a couple files on your computer, you would still be faced with the task of securely removing the original file. No matter what the file is before encryption, there is probably at least a 99% chance that the file after encryption will appear to be just seemingly random binary data. It is in this fact that jveil makes your data relatively (compared to sending it in its plain form) safe to send over a network. But, as always, I make no guarantees, and you are using jveil without a warranty. [SPECIAL THANKS] Nathan - thanks for coming up with the wonderful name jveil rather than the awful names I was coming up with (i.e. JASE for JAva Simple Encryption and JEM for Java Encryption Manager). [DEDICATION] jveil is dedicated to Elyse Holguin, one of the few girls who would actually appreciate having a program dedicated to her. [CONTACT] If you need to contact me for any reason, be it questions, comments, errors in my text or code, etc., please email me at . Also, currently, you can contact me on ICQ at 270897817. Or, if you just have a good story on how jveil helped you out, I'd absolutely love to hear that too! I doubt that anyone would ever actually feel the need to donate to me by any means, especially considering the fact that if you did decide to support open source that way, you would probably choose a larger, more worthwhile application to support. But if you did decide that you wanted to make a donation of any nature, please send me an email and we can discuss further arrangements. Personally, jveil was just one of my ways of giving back to the open source community. [END] If you've read this far, bravo! And thanks again for using jveil! Sincerely, Mark Rushakoff (pieoncar)