xerxes2's Avatar
Posts: 513 | Thanked: 651 times | Joined on Feb 2011 @ Sweden
#1
I'm thinking of writing an app that will make it possible to send small text messages that are not possible to decrypt. Is this legal? I live in Sweden and plan to publish the app on Openrepos, which I think is located in Russia.

Edit: I meant decrypt without the key, of course.
__________________
But the WM7 "horse" has a blood lineage tracing back to donkeys such as WM6.5, 6.1, 6.0, 5.1 that was fully neglected for too many years and Microsoft did sweet F all to maintain it (still running on Pocket IE4/6!!).

Last edited by xerxes2; 2013-12-29 at 00:14.
 

The Following 2 Users Say Thank You to xerxes2 For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southern Finland
#2
I'd say it is legal in the free world.

BTW, what are you going to use as cryptoengine, and how can users be sure it really does as you advertise?
(not that I'm suspicious or anything, but always when there is a word "crypto" associated with anything, I tend to question motives...)
 

The Following 2 Users Say Thank You to juiceme For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#3
Also, keep in mind that "unbreakable" and "not possible to decrypt" are snake oil terms. A more responsible approach requires stating clearly what is covered by your security model, and what isn't (see many great documents on TrueCrypt pages). That's not even mentioning side-channel attacks.

Personally, I don't see much sense in such a program, as encrypting things via any trusted cipher (with or without frontends/bundles, like TrueCrypt) and sending them as attachments *or* encrypted plain text achieves just that (as long as the receiver knows the password and has the keyfiles, obviously).

You might aim for making it easier to use (i.e. the user writes a message, clicks "send", and the software does all the encrypting/sending, leaving tedious manual work apart), but that would be better achieved via a frontend using actually existing tools - like existing and already installed cipher packages and mail client, just acting as a middle-man - instead of reinventing the wheel all over again.

Nevertheless, good luck with your idea
/Estel
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!
 

The Following 2 Users Say Thank You to Estel For This Useful Post:
Posts: 646 | Thanked: 1,124 times | Joined on Jul 2010 @ Espoo, Finland
#4
I would also add that doing crypto "right" is deceptively hard, and it's one of those fields where it may be beneficial to do it open-source because:
1) you win the trust of your users (as they know what engine you are using)
2) you can get an expert opinion from crypto guys that you implemented things right

Many recent mishaps in security happened because s/w developers improvised themselves as crypto guys, or vice versa.
 

The Following 2 Users Say Thank You to minimos For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#5
Frankly, I would *never* deliberately use a closed source cryptographic application for anything sensitive (or anything at all). Not much reason to trust it more than some simple character replacement or any other "security through obscurity" method. Both are only usable if plain-text eavesdroppers are all that you expect.

/Estel
 

The Following 2 Users Say Thank You to Estel For This Useful Post:
xerxes2's Avatar
Posts: 513 | Thanked: 651 times | Joined on Feb 2011 @ Sweden
#6
Thanks for the answers guys. I'm going to use Vigenere cipher with randomly generated keys that are as long as the encoded message and this is to my knowledge unbreakable. You can send messages with sms and Twitter and neither the NSA nor your wife would be able to crack it. The problem with this cipher is that you have to keep your keys secret though and deliver them to your friend in a safe way, basically hand to hand. RSA type cipher is good but it's not theoretically unbreakable like Vigenere is.

But Vigenere cipher being unbreakable could mean that it's not legal to do ... in some countries. Sweden is basically a US state when it comes to legal matters and I don't want a swat team kicking in my door giving me a single trip ticket to Gitmo. And I'm no criminal or anything but this is something I've been thinking about doing for almost twenty years, since I first heard of the Vigenere cipher. So basically I'm doing it just because I want to, but if it means trouble, like e.g. FSB puts Custodian in a black hole and destroys Openrepos servers, I better not.
 

The Following User Says Thank You to xerxes2 For This Useful Post:
xerxes2's Avatar
Posts: 513 | Thanked: 651 times | Joined on Feb 2011 @ Sweden
#7
Originally Posted by juiceme:
> I'd say it is legal in the free world.
>
> BTW, what are you going to use as cryptoengine, and how can users be sure it really does as you advertise?
> (not that I'm suspicious or anything, but always when there is a word "crypto" associated with anything, I tend to question motives...)

I'm going to use Vigenere cipher with single-use randomly generated keys that are as long as the message and this is afaik completely unbreakable, even in theory. It will of course be opensource, otherwise I wouldn't dare to call it unbreakable.
 

The Following User Says Thank You to xerxes2 For This Useful Post:
Posts: 1,225 | Thanked: 1,905 times | Joined on Feb 2011 @ Quezon City, Philippines
#8
IIRC, hasn't it already been cryptanalyzed and broken?

Personally, what I'd define as secure enough would be messages encrypted end-to-end with each message rekeyed via Diffie-Hellman key exchange.

That'd be really coo- oh wait, it exists, and is vetted by some serious names in the security industry.

Cyanogenmod already integrated secure messaging into the ROM, it'd be nice if Maemo/MeeGo users could join in the fun.
__________________
N9 PR 1.3 Open Mode + kernel-plus for Harmattan
@kenweknot, working on Glacier for Nemo.
 
Posts: 1,548 | Thanked: 7,510 times | Joined on Apr 2010 @ Czech Republic
#9
Well, you are basically proposing using a one-time pad (if each message has a unique key as long as the message). If you make sure the key is truly random & is only used once, it is provably unbreakable, provided you don't make a mistake in the implementation.

Still, while one-time pads are proof even against quantum computers, this solution seems like quite a big overkill to me. I think something based on widely used open source encryption libraries would be a better fit, as it helps to solve the real issues that often lead to compromising of the encrypted information:
  • implementation errors - these libraries are opensource and widely used and by the many-eyes concept their source should be well audited for implementation errors by now
  • key exchange and integrity - if you can't make sure only the two parties in the conversation and no one else is in possession of the shared secret, any encryption is useless; securely sharing just the keys for a good symmetric or asymmetric cipher should be much easier than sharing full message length entropy
__________________
modRana: a flexible GPS navigation system
Mieru: a flexible manga and comic book reader
Universal Components - a solution for native looking yet component set independent QML applications (QtQuick Controls 2 & Silica supported as backends)
 

The Following 2 Users Say Thank You to MartinK For This Useful Post:
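
An added example (not part of the thread and not any poster's code) of the two conditions discussed above: with a fresh random key as long as the message, every same-length plaintext stays equally possible, but reusing that key makes it cancel out and exposes the difference of the two plaintexts. The A-Z alphabet, the function names and the sample messages are assumptions made for illustration.

```python
import secrets
import string

A = string.ascii_uppercase  # assumed alphabet: A-Z only, no spaces

def keygen(n):
    # Uniform random letters from the OS CSPRNG; one fresh key per message.
    return "".join(secrets.choice(A) for _ in range(n))

def vigenere(text, key, sign=1):
    # sign=+1 encrypts, sign=-1 decrypts. Refuse a key that would repeat.
    if len(key) < len(text):
        raise ValueError("key shorter than message: not a one-time pad")
    return "".join(A[(A.index(t) + sign * A.index(k)) % 26]
                   for t, k in zip(text, key))

def key_for(ciphertext, candidate):
    # The key under which `ciphertext` decrypts to `candidate`; one always exists.
    return vigenere(ciphertext, candidate, -1)

def difference(a, b):
    # Letter-wise (a - b) mod 26.
    return vigenere(a, b, -1)

def demo():
    p1, p2 = "MEETATNOON", "STAYATHOME"  # constructed sample messages
    key = keygen(len(p1))
    c1 = vigenere(p1, key)
    # Key used once: the ciphertext is consistent with any same-length
    # plaintext, so it gives no reason to prefer p1 over p2.
    alt_key = key_for(c1, p2)
    plausible = vigenere(c1, alt_key, -1) == p2
    # Key used twice: c1 - c2 == p1 - p2, whatever the key was.
    c2 = vigenere(p2, key)
    leaked = difference(c1, c2) == difference(p1, p2)
    return vigenere(c1, key, -1), plausible, leaked

if __name__ == "__main__":
    print(demo())
```

The second check holds for every possible key, which is why the "used only once" condition is not optional: a repeated pad turns the problem into separating two overlaid natural-language messages.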
xerxes2's Avatar
Posts: 513 | Thanked: 651 times | Joined on Feb 2011 @ Sweden
#10
Yeah, as MartinK said, Vigenere cipher used right is unbreakable (quoting Wikipedia):

> If using a key which is truly random, is at least as long as the encrypted message and is used only once, the Vigenère cipher is theoretically unbreakable.

So what my app was going to do was only to encrypt the message and then you c&p to your messaging service of choice, that's it. But the Vigenere cipher used right being unbreakable could mean problems. But the TextSecure app Hurrian was talking about is probably good enough for most people.
 