
UltraEdit uenc file encryption protocol

Newbie

Post #1, 6:04 - Jan 07

Good day all!

What scheme is used by UltraEdit to encrypt a file? Password KDF? Symmetric cipher, mode?

Is there any documentation on the uenc format?

(I haven't been able to find any of this info. Sorry if it's already documented somewhere.)

Thanks

Grand Master

Post #2, 6:27 - Jan 07

The help of UltraEdit for Windows has the help page Decrypt file command (Advanced tab/Encryption dropdown) with the following information about the encryption:

UE help wrote:
This command may be used to decrypt the content of the active file (or specified files) using the Advanced Encryption Standard (AES) algorithm.

Decrypt Files
When this option is selected, a dialog is displayed where the user is prompted to specify the file(s) to be decrypted and enter a passphrase to be used as the decryption key. The passphrase is case-sensitive and may be between 8 and 32 characters in length and may include any characters which may be typed.
A similar description exists on the UltraEdit for Windows help page Encrypt file command (Advanced tab/Encryption dropdown).

I am not sure, but I think AES-256 is used for the encryption/decryption. I do not know which library is used by UltraEdit for Linux for encryption/decryption of files, but I would not be surprised if the OpenSSL libraries are used, after searching for the string ssl in the file uex. An execution of ldd uex on Linux in a terminal window in the directory of UEX should make it clear which libraries are used for encryption/decryption by UEX.

Newbie

Post #3, 7:06 - Jan 07

Thanks Mofi for your response, however, it doesn't really answer my question: maybe the developers would care to chime in?

Generally speaking, knowing the encryption library doesn't tell me what password-based key derivation function is in use, what the hardness parameters are, the symmetric cipher mode of operation, and whether an authentication tag is being applied. (The functional documentation provides none of this information.)

Anyway, I can see that libgcrypt.so is reported in the results of ldd … The fact that it's there implies its use, but this doesn't provide any of the required information: you can see here that this library supports many combinations to achieve symmetric encryption.

Grand Master

Post #4, 18:09 - Jan 07

I am quite sure that no user knows the in-depth information you want to know about the encryption done by UltraEdit. I doubt further that you will ever get the encryption details you want to know from a developer of UltraEdit via the support of UltraEdit, Inc. The encryption of a file requires secrets about the encryption. The more secrets exist the more secure is the encryption.

Newbie

Post #5, 3:13 - Jan 08

"The encryption of a file requires secrets about the encryption. The more secrets exist the more secure is the encryption."

I appreciate your response so far. However, with all due respect to your moderation efforts on this forum, this view about encryption is flawed and dangerous (ed: potentially dangerous if it's used to mask a weakness instead of fixing it).

As far as I recall the file encrypt mechanism has been in UltraEdit for a very long time, and in the absence of any information provided, how can I know whether insecure options are in use? I certainly can't say whether this function of the software meets minimum standards when checked against various infosec specifications.

(I.e. out of that list in my prior link, many of the combinations are no longer recommended due to significant weakness or having already been broken - how can we know whether one of these is in use? ... Ed: having said that, we've assumed here that a cryptography library reported by the ldd tool is even in use for the file encrypt function.)

UltraEdit should publish the details of the protocol in full, including the uenc format - there's no benefit to keeping this secret - the only secret relied upon should be the key (in this case: the input key material in the form of the user's secret password), and if the user willingly chooses a weak password then that is their own choice.

Every secure protocol that relies on modern cryptography also relies on this principle, having survived exposure to light of day, while countless others have perished or exist only on life-support (through mechanisms such as vpn or tunneling, wrapping, etc.)
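
Short of published documentation, some of the properties asked about in this thread (random salt/IV, room for an authentication tag, ECB-style block leakage) can be observed from outside by encrypting the same chosen plaintext twice with the same passphrase. This is an added example, not part of the original posts and not UltraEdit code: the two `toy_*` generators are constructed stand-ins that only produce sample data and say nothing about the real uenc format.

```python
import hashlib, hmac, os

BLOCK = 16  # AES block size in bytes

def observe(plain_len, ct_a, ct_b):
    """Compare two encryptions of the SAME plaintext under the SAME passphrase."""
    blocks = [ct_a[i:i + BLOCK] for i in range(0, len(ct_a) - BLOCK + 1, BLOCK)]
    return {
        "overhead_bytes": len(ct_a) - plain_len,   # room for salt/IV/tag?
        "block_aligned": len(ct_a) % BLOCK == 0,   # padded block mode?
        "deterministic": ct_a == ct_b,             # True: no random salt/IV
        "repeated_blocks": len(set(blocks)) < len(blocks),  # ECB-like leak
    }

# --- Constructed stand-ins that only generate sample data; not real ciphers ---
def toy_unsalted_ecb(password, pt):
    key = hashlib.sha256(password).digest()        # single unsalted hash as "KDF"
    pad = BLOCK - len(pt) % BLOCK
    pt += bytes([pad]) * pad
    return b"".join(hmac.new(key, pt[i:i + BLOCK], "sha256").digest()[:BLOCK]
                    for i in range(0, len(pt), BLOCK))

def toy_salted_authenticated(password, pt):
    salt = os.urandom(16)                          # fresh salt per file
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    stream = hashlib.shake_256(key).digest(len(pt))
    body = bytes(a ^ b for a, b in zip(pt, stream))
    tag = hmac.new(key, salt + body, "sha256").digest()
    return salt + body + tag

PASSWORD = b"constructed-passphrase"               # constructed sample value
PLAINTEXT = b"A" * 64 + b"end"                     # constructed: repeated blocks

def run(encrypt):
    return observe(len(PLAINTEXT), encrypt(PASSWORD, PLAINTEXT),
                   encrypt(PASSWORD, PLAINTEXT))

if __name__ == "__main__":
    for fn in (toy_unsalted_ecb, toy_salted_authenticated):
        print(fn.__name__, run(fn))
```

Against a real tool, `ct_a` and `ct_b` would be the bytes of two files produced from the same input and passphrase; these observations narrow the possibilities but cannot identify the KDF or its hardness parameters.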

Grand Master

Post #6, 6:08 - Jan 08

Well, I understand your point of view as described by you. But I have nevertheless a different opinion.

The vast majority does not have the necessary knowledge to verify and validate the security of an encryption implementation even if all necessary details were publicly available. How many people would know how to verify if the used encryption algorithm, the used cipher and the used options make the encryption secure? I am sure that this is a very small number of people.

Users of applications using encryption technologies like UltraEdit or web browsers or web servers or compression tools with encryption support usually trust that the developers of the used software do their job as well as possible and have implemented the encryption in a very secure way and keep the implementation up-to-date if somebody detects a security issue.

Who are the people detecting security issues? A very small group of experts who have the necessary knowledge to check the code of an encryption implementation for potential security issues. If you want to be such a person who wants to verify and validate the encryption implementation of UltraEdit, you must contact support of UltraEdit, Inc. by email and ask for the necessary details or code used by UltraEdit on creation of a *.uenc file for verification and validation of the security of the encryption implementation.