• My experimental HMAC cipher in C99, version 2...

    From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Thu Feb 12 21:40:32 2026
    From Newsgroup: comp.lang.c

    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks everybody!

    The secret key is hardcoded to Password and SHA2-512:

    ____________________________________
    /*
    Chris M. Thomasson 6/4/2018
    Experimental HMAC Cipher
    C version with hardcoded secret key

    FIXED VERSION: Now uses proper TRNG (/dev/urandom on Unix,
    CryptGenRandom on Windows)

    Using the following HMAC lib:
    https://github.com/ogay/hmac

    Here is some info on my cipher:
    http://funwithfractals.atspace.cc/ct_cipher
    ________________________________________________________*/


    #include <stdio.h>
    #include <stdlib.h>
    #include <assert.h>
    #include <string.h>

    #ifdef _WIN32
    #include <windows.h>
    #include <wincrypt.h>
    #else
    #include <fcntl.h>
    #include <unistd.h>
    #endif

    #include "hmac_sha2.h"


    #define CT_HMAC_SZ 64

    // Uncomment PYTHON_TEST_VECTOR to sync with the Python 3 test vector
    // Python code: https://pastebin.com/raw/NAnsBJAZ
    // plaintext 9 bytes at: "Plaintext"
    // ciphertext bytes:
    // 9a419a03ac79bfa74edbbdda778316f6840b1aac07910de758e03e35a0d8ff1d407d
    // 757ed6b734de9f9ed339bedf73786c5130d2f1891813c179ca20b82e81375e7a64e2
    // dddead403b8284b9b76d1e83eddb


    //#define PYTHON_TEST_VECTOR


    /*
    Key material and parameters shared by the encrypt and decrypt paths.
    The struct does not own hmac_key; main() points it at a stack array.
    */
    struct ct_secret_key
    {
    unsigned char* hmac_key;   // HMAC key bytes; ct_crypt_round reverses them in place and restores them
    size_t hmac_key_sz;        // number of key bytes (main() excludes the string's trailing NUL)
    char* hmac_algo;           // set to "sha512" in main(); not read by any function shown here
    size_t rand_n;             // count of random bytes prepended before encryption and skipped after decryption
    };

    /*
    A heap buffer plus its length. The file-loading helpers fill p with
    calloc(), and the caller is expected to free() it.
    */
    struct ct_buf
    {
    unsigned char* p;   // start of the buffer; NULL when allocation failed
    size_t sz;          // number of bytes the buffer is meant to hold
    };


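    /*
    Fill buf with buf_sz bytes from the operating system's CSPRNG.

    Sources:
    - /dev/urandom on Unix/Linux/macOS
    - CryptGenRandom on Windows

    Both are kernel-seeded cryptographically secure PRNGs, not hardware
    TRNGs. That is the appropriate source for a per-message random prefix,
    but the "TRNG" wording elsewhere on this page should be read as
    "OS CSPRNG".

    NOTE(review): on Linux, /dev/urandom can return data before the kernel
    pool is initialised very early in boot; getrandom(2) blocks until it is
    seeded. On Windows, Microsoft marks CryptGenRandom as deprecated in
    favour of BCryptGenRandom. Neither change is made here, to keep the
    file's existing dependencies.

    Returns 1 when the whole buffer was filled, 0 on any failure. A caller
    must treat 0 as fatal and never use a partially filled buffer.

    NEVER use rand() for cryptographic purposes!
    */
    int ct_get_random_bytes(
        unsigned char* buf,
        size_t buf_sz
    ) {
        if (!buf || buf_sz == 0) {
            fprintf(stderr, "ERROR: Invalid buffer for random bytes\n");
            return 0;
        }

    #ifdef _WIN32
        // CryptGenRandom takes a DWORD length; refuse sizes the cast below
        // would silently truncate, which would leave the tail unfilled.
        if (buf_sz > (size_t)MAXDWORD) {
            fprintf(stderr, "ERROR: Random byte request too large\n");
            return 0;
        }

        HCRYPTPROV hCryptProv;

        if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
            fprintf(stderr, "ERROR: CryptAcquireContext failed\n");
            return 0;
        }

        int ok = CryptGenRandom(hCryptProv, (DWORD)buf_sz, buf) ? 1 : 0;
        if (!ok) {
            fprintf(stderr, "ERROR: CryptGenRandom failed\n");
        }

        CryptReleaseContext(hCryptProv, 0);
        return ok;

    #else
        int fd = open("/dev/urandom", O_RDONLY);

        if (fd < 0) {
            fprintf(stderr, "ERROR: Cannot open /dev/urandom\n");
            perror("open");
            return 0;
        }

        size_t bytes_read = 0;
        while (bytes_read < buf_sz) {
            ssize_t result = read(fd, buf + bytes_read, buf_sz - bytes_read);

            if (result < 0) {
                fprintf(stderr, "ERROR: Failed to read from /dev/urandom\n");
                perror("read");
                close(fd);
                return 0;
            }

            // A zero-length read makes no progress; without this check the
            // loop would spin forever instead of failing closed.
            if (result == 0) {
                fprintf(stderr, "ERROR: Unexpected end of data from /dev/urandom\n");
                close(fd);
                return 0;
            }

            bytes_read += (size_t)result;
        }

        close(fd);
        return 1;
    #endif
    }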


    /*
    Write buf_sz bytes of buf to fout as lowercase hex, two digits per
    byte, with no separators and no trailing newline.
    */
    void ct_hex_printf(
        FILE* fout,
        unsigned char* buf,
        size_t buf_sz
    ) {
        size_t remaining = buf_sz;

        while (remaining > 0)
        {
            fprintf(fout, "%02x", *buf);
            ++buf;
            --remaining;
        }
    }


    /*
    Reverse the P_sz bytes at P in place and return P.
    Buffers of length 0 or 1 are left untouched.
    */
    unsigned char*
    ct_reverse(
        unsigned char* P,
        size_t P_sz
    ) {
        size_t lo = 0;
        size_t hi = P_sz;

        // Walk inwards from both ends, swapping until the indices meet.
        while (lo + 1 < hi)
        {
            --hi;
            unsigned char saved = P[lo];
            P[lo] = P[hi];
            P[hi] = saved;
            ++lo;
        }

        return P;
    }


    /*
    Count the bytes from the stream's current position to end-of-file by
    reading them one at a time, then rewind the stream to its start.

    fgetc() returns EOF for a read error as well as for end-of-file, so a
    failing read is reported here as a shorter size, not as an error.
    */
    size_t
    ct_file_get_size(
        FILE* file
    ) {
        size_t count = 0;

        while (fgetc(file) != EOF)
        {
            ++count;
        }

        rewind(file);
        return count;
    }



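    /*
    Read the whole of an open stream into a freshly allocated buffer.

    Returns { p, sz } on success; the caller must free() p.
    Returns { NULL, 0 } when allocation fails or the stream yields fewer
    bytes than ct_file_get_size() counted.

    The original used assert() for both checks. assert() compiles away
    under NDEBUG, which would have stored EOF truncated to a byte into the
    buffer on a short read, so the checks are explicit here.
    */
    struct ct_buf
    ct_file_copy(
        FILE* file
    ) {
        struct ct_buf buf = { NULL, 0 };
        size_t file_sz = ct_file_get_size(file);

        // calloc(1, 0) may legally return NULL; ask for at least one byte so
        // an empty file is not mistaken for an allocation failure.
        buf.p = calloc(1, file_sz ? file_sz : 1);
        if (!buf.p)
        {
            fprintf(stderr, "ERROR: Out of memory reading file\n");
            return buf;
        }

        if (fread(buf.p, 1, file_sz, file) != file_sz)
        {
            fprintf(stderr, "ERROR: Short read while copying file\n");
            free(buf.p);
            buf.p = NULL;
            return buf;
        }

        buf.sz = file_sz;
        return buf;
    }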



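    /*
    Load fname and return a buffer laid out as
        [ SK->rand_n random bytes ][ file contents ]

    Returns { p, sz } on success; the caller must free() p.
    Returns { NULL, 0 } when the file cannot be opened, the combined size
    overflows, allocation fails, or the file reads short.

    The random prefix comes from ct_get_random_bytes(), i.e. the OS
    CSPRNG. If that call fails the process exits: encrypting with a
    zero-filled or partially filled prefix must never happen.

    The original guarded fopen() and the reads with assert(), which
    disappears under NDEBUG and would pass a NULL FILE* on to fgetc().
    */
    struct ct_buf
    ct_prepend_from_file(
        struct ct_secret_key const* const SK,
        const char* fname
    ) {
        struct ct_buf buf = { NULL, 0 };

        FILE* file = fopen(fname, "rb");
        if (!file)
        {
            fprintf(stderr, "ERROR: Cannot open input file '%s'\n", fname);
            return buf;
        }

        size_t plain_sz = ct_file_get_size(file);

        // Reject a size that would wrap when the prefix length is added.
        if (plain_sz > (size_t)-1 - SK->rand_n)
        {
            fprintf(stderr, "ERROR: Input file too large\n");
            fclose(file);
            return buf;
        }

        size_t total_sz = plain_sz + SK->rand_n;

        // calloc(1, 0) may return NULL; request at least one byte.
        buf.p = calloc(1, total_sz ? total_sz : 1);
        if (!buf.p)
        {
            fprintf(stderr, "ERROR: Out of memory loading '%s'\n", fname);
            fclose(file);
            return buf;
        }

    #if defined (PYTHON_TEST_VECTOR)
        // Test vector mode: a fixed 0,1,2,... prefix so the output matches
        // the Python reference. Never ship a build with this enabled.
        printf("WARNING: Using test vector mode - NOT SECURE!\n");
        for (size_t i = 0; i < SK->rand_n; ++i)
        {
            buf.p[i] = (unsigned char)i;
        }
    #else
        printf("Generating %zu bytes of cryptographically secure random data...\n", SK->rand_n);

        if (!ct_get_random_bytes(buf.p, SK->rand_n)) {
            fprintf(stderr, "FATAL: Failed to generate secure random bytes!\n");
            free(buf.p);
            fclose(file);
            exit(EXIT_FAILURE);
        }

        printf("Random prefix generated successfully\n");
    #endif

        // Append the original plaintext after the prefix.
        if (fread(buf.p + SK->rand_n, 1, plain_sz, file) != plain_sz)
        {
            fprintf(stderr, "ERROR: Short read from '%s'\n", fname);
            free(buf.p);
            buf.p = NULL;
            fclose(file);
            return buf;
        }

        fclose(file);

        buf.sz = total_sz;
        return buf;
    }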


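    /*
    Load the whole of fname into a freshly allocated buffer.

    Returns { p, sz } on success; the caller must free() p.
    Returns { NULL, 0 } when the file cannot be opened, allocation fails,
    or the file reads short.

    The input here is ciphertext supplied by whoever produced the file, so
    failures are reported through the return value; the original relied on
    assert(), which is removed under NDEBUG.
    */
    struct ct_buf
    ct_load_from_file(
        const char* fname
    ) {
        struct ct_buf buf = { NULL, 0 };

        FILE* file = fopen(fname, "rb");
        if (!file)
        {
            fprintf(stderr, "ERROR: Cannot open input file '%s'\n", fname);
            return buf;
        }

        size_t file_sz = ct_file_get_size(file);

        // calloc(1, 0) may return NULL; request at least one byte.
        buf.p = calloc(1, file_sz ? file_sz : 1);
        if (!buf.p)
        {
            fprintf(stderr, "ERROR: Out of memory loading '%s'\n", fname);
            fclose(file);
            return buf;
        }

        if (fread(buf.p, 1, file_sz, file) != file_sz)
        {
            fprintf(stderr, "ERROR: Short read from '%s'\n", fname);
            free(buf.p);
            buf.p = NULL;
            fclose(file);
            return buf;
        }

        fclose(file);

        buf.sz = file_sz;
        return buf;
    }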


    /*
    Write the current CT_HMAC_SZ-byte HMAC-SHA512 value for ctx into
    digest without disturbing ctx: the finalisation runs on a by-value
    copy, so the caller can keep feeding data into the original context.

    NOTE(review): the copy stays on the stack after return and is not
    wiped; whether it holds key-derived state depends on the HMAC library.
    */
    void ct_hmac_sha512_digest(
        hmac_sha512_ctx* ctx,
        unsigned char* digest
    ) {
        hmac_sha512_ctx snapshot;

        snapshot = *ctx;
        hmac_sha512_final(&snapshot, digest, CT_HMAC_SZ);
    }


    /*
    Run one pass of the cipher over P in place and return P.

    The keystream is a running HMAC-SHA512 value: each block of up to
    CT_HMAC_SZ bytes is XORed with the current digest, and then the bytes
    just processed are fed back into the HMAC so the next digest depends
    on everything before it.

    M selects the direction: 0 when P holds plaintext (encrypt), non-zero
    when P holds ciphertext (decrypt). It only changes the order in which
    each byte pair is fed back, so both directions feed the same
    (plaintext, ciphertext) sequence and derive the same keystream.

    NOTE(review): nothing here computes or checks an integrity tag, so a
    modified ciphertext is not detected by this function. H, D and update
    hold key-dependent data and are not wiped before returning.
    */
    unsigned char*
    ct_crypt_round(
    struct ct_secret_key* SK,
    unsigned char* P,
    size_t P_sz,
    int M
    ) {
    hmac_sha512_ctx H;
    hmac_sha512_init(&H, SK->hmac_key, SK->hmac_key_sz);
    // Feed the byte-reversed key as the first message data, then restore
    // the key to its original order for the next caller.
    ct_reverse(SK->hmac_key, SK->hmac_key_sz);
    hmac_sha512_update(&H, SK->hmac_key, SK->hmac_key_sz);
    ct_reverse(SK->hmac_key, SK->hmac_key_sz);

    // Only the first CT_HMAC_SZ bytes of D are written and read below.
    unsigned char D[256] = { 0 };
    size_t P_I = 0;        // index of the next byte of P to process
    unsigned long di = 0;  // number of digests produced so far

    while (P_I < P_sz)
    {
    // Snapshot the digest without finalising H itself.
    ct_hmac_sha512_digest(&H, D);

    // Progress indicator: printed to stdout on every 128th digest
    if (!(di % 128))
    {
    printf("P_I = %zu of %zu\r", P_I, P_sz);
    }

    size_t D_I = 0;
    ++di;

    // Two feedback bytes per processed byte, so at most CT_HMAC_SZ * 2.
    unsigned char update[CT_HMAC_SZ * 2];
    size_t bytes_written = 0;

    while (P_I < P_sz && D_I < CT_HMAC_SZ)
    {
    unsigned char P_byte = P[P_I];           // input byte
    unsigned char C_byte = P_byte ^ D[D_I];  // output byte
    P[P_I] = C_byte;

    if (M == 0)
    {
    // Encrypt: input is plaintext, output is ciphertext.
    update[D_I * 2] = P_byte;
    update[D_I * 2 + 1] = C_byte;
    }
    else
    {
    // Decrypt: input is ciphertext, so swap to keep the
    // (plaintext, ciphertext) order used when encrypting.
    update[D_I * 2] = C_byte;
    update[D_I * 2 + 1] = P_byte;
    }

    ++P_I;
    ++D_I;
    bytes_written += 2;
    }

    // Feed back only the bytes filled in this block; the final block can
    // be short and the rest of update is uninitialised.
    hmac_sha512_update(&H, update, bytes_written);
    }

    printf("P_I = %zu of %zu\n", P_I, P_sz);

    return P;
    }


    /*
    Apply the full two-pass transform to P in place and return P:
    one ct_crypt_round(), a byte reversal of the whole buffer, then a
    second ct_crypt_round(). M is passed through unchanged (0 = encrypt,
    non-zero = decrypt).
    */
    unsigned char*
    ct_crypt(
        struct ct_secret_key* SK,
        unsigned char* P,
        size_t P_sz,
        int M
    ) {
        printf("Crypt Round 0:\n________________________\n");
        unsigned char* first_pass = ct_crypt_round(SK, P, P_sz, M);

        // Reversing between passes makes the second pass start from what
        // was the end of the first.
        unsigned char* flipped = ct_reverse(first_pass, P_sz);

        printf("\n\nCrypt Round 1:\n________________________\n");
        return ct_crypt_round(SK, flipped, P_sz, M);
    }



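    /*
    Write every byte of buf to fout.

    Returns 1 when all buf->sz bytes were written, 0 on a write error.

    The original wrapped the failure path in assert(), which aborts debug
    builds on an ordinary I/O error (a full disk, for instance) and made
    the "return 0" reachable only under NDEBUG. The error is now always
    reported to the caller.
    */
    int
    ct_ciphertext_to_file(
        FILE* fout,
        struct ct_buf const* buf
    ) {
        size_t written = fwrite(buf->p, 1, buf->sz, fout);

        return written == buf->sz;
    }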


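    /*
    Write the decrypted payload to fout, skipping the first SK->rand_n
    bytes of buf (the random prefix added at encryption time).

    Returns 1 when the whole payload was written, 0 when buf is shorter
    than the prefix or a write fails.

    buf comes from a ciphertext file, so its length is attacker-influenced
    input. The original checked it with assert(), which is removed under
    NDEBUG; a too-short input is now rejected in every build.
    */
    int
    ct_plaintext_to_file(
        FILE* fout,
        struct ct_secret_key* SK,
        struct ct_buf const* buf
    ) {
        if (buf->sz < SK->rand_n)
        {
            fprintf(stderr, "ERROR: Input is shorter than the %zu-byte random prefix\n", SK->rand_n);
            return 0;
        }

        size_t payload_sz = buf->sz - SK->rand_n;
        size_t written = fwrite(buf->p + SK->rand_n, 1, payload_sz, fout);

        return written == payload_sz;
    }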


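    /*
    Encrypt fname_in into fname_out.

    The plaintext is loaded with a random prefix of SK->rand_n bytes,
    transformed in place by ct_crypt(), and written out in full.

    Returns 1 on success, 0 when the input cannot be loaded, the output
    cannot be opened, or the write or close fails.

    NOTE(review): the buffer is freed without being wiped. It holds only
    ciphertext by then, but the plaintext was in the same allocation.
    */
    int
    ct_encrypt(
        struct ct_secret_key* SK,
        char const* fname_in,
        char const* fname_out
    ) {
        // Prepend the random bytes to the file...
        struct ct_buf buf = ct_prepend_from_file(SK, fname_in);

        if (!buf.p)
        {
            return 0;
        }

        // Transforms buf.p in place; the returned pointer is buf.p itself.
        ct_crypt(SK, buf.p, buf.sz, 0);

        int status = 0;
        FILE* fout = fopen(fname_out, "wb");

        if (!fout)
        {
            // Was assert(fout): under NDEBUG a NULL stream reached fputc().
            fprintf(stderr, "ERROR: Cannot open output file '%s'\n", fname_out);
        }
        else
        {
            status = ct_ciphertext_to_file(fout, &buf);

            // fclose() flushes; a failed flush means the file is incomplete.
            if (fclose(fout) != 0)
            {
                status = 0;
            }
        }

        free(buf.p);

        return status;
    }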


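    /*
    Decrypt fname_in into fname_out.

    The ciphertext is loaded, transformed in place by ct_crypt() in
    decrypt mode, and written out without its SK->rand_n-byte prefix.

    Returns 1 on success, 0 when the input cannot be loaded, the output
    cannot be opened, the input is shorter than the prefix, or the write
    or close fails.

    NOTE(review): no integrity check runs before the output is written,
    so a corrupted or altered input still produces an output file. The
    decrypted buffer is also freed without being wiped.
    */
    int
    ct_decrypt(
        struct ct_secret_key* SK,
        char const* fname_in,
        char const* fname_out
    ) {
        // Load the file...
        struct ct_buf buf = ct_load_from_file(fname_in);

        if (!buf.p)
        {
            return 0;
        }

        // Transforms buf.p in place; the returned pointer is buf.p itself.
        ct_crypt(SK, buf.p, buf.sz, 1);

        int status = 0;
        FILE* fout = fopen(fname_out, "wb");

        if (!fout)
        {
            // Was assert(fout): under NDEBUG a NULL stream reached fputc().
            fprintf(stderr, "ERROR: Cannot open output file '%s'\n", fname_out);
        }
        else
        {
            status = ct_plaintext_to_file(fout, SK, &buf);

            // fclose() flushes; a failed flush means the file is incomplete.
            if (fclose(fout) != 0)
            {
                status = 0;
            }
        }

        free(buf.p);

        return status;
    }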


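    /*
    Print the usage text and security notes to stdout.

    Two string literals in the posted listing were split across lines by
    the news gateway's line wrapping, which leaves them unterminated and
    stops the file compiling. They are rejoined here with the wording
    unchanged.
    */
    void ct_help(void)
    {
        printf(
            "\n\n\n"
            "DrMoron Cipher - HMAC-based Stream Cipher\n"
            "==========================================\n\n"
            "Usage: program in_file out_file mode_flag\n\n"
            "mode_flag -e is encrypt where the in_file gets encrypted as out_file\n\n"
            "mode_flag -d is decrypt where the in_file gets decrypted as out_file\n\n"
            "Example:\n\n"
            "program plaintext.txt ciphertext.bin -e\n"
            "program ciphertext.bin plaintext_decrypt.txt -d\n\n"
            "SECURITY NOTES:\n"
            "- Uses cryptographically secure RNG (/dev/urandom on Unix, CryptGenRandom on Windows)\n"
            "- Hardcoded key in this version - REPLACE with proper key "
            "management for real use!\n"
            "- This is an EXPERIMENTAL cipher - not recommended for "
            "production use\n\n"
        );
    }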


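    /*
    Command-line entry point: program in_file out_file (-e | -d).

    Exits with EXIT_FAILURE on bad arguments and, unlike the original,
    also when ct_encrypt()/ct_decrypt() report failure. The original
    ignored their return values and printed "complete!" regardless.
    */
    int main(int argc, char* argv[])
    {
        printf("\n=== DrMoron Cipher (Fixed TRNG Version) ===\n\n");

        if (argc != 4)
        {
            printf("ERROR: Incorrect argument count!\n");
            ct_help();
            return EXIT_FAILURE;
        }

        {
            int mode = 0;

            if (strcmp(argv[3], "-e") == 0)
            {
                mode = 0;
                printf("Mode: ENCRYPT\n");
            }

            else if (strcmp(argv[3], "-d") == 0)
            {
                mode = 1;
                printf("Mode: DECRYPT\n");
            }

            else
            {
                printf("ERROR: Invalid encrypt/decrypt flag!\n");
                ct_help();
                return EXIT_FAILURE;
            }

            // WARNING: This is a hardcoded key for demonstration only!
            // It is published with the source, so anything encrypted with
            // it is readable by anyone. For real use, load a random
            // 64-byte key from outside the binary instead.
            unsigned char hmac_key[] = "Password";

            printf("WARNING: Using hardcoded demo key - NOT SECURE for production!\n");
            printf("Input file: %s\n", argv[1]);
            printf("Output file: %s\n\n", argv[2]);

            struct ct_secret_key SK = {
                hmac_key,
                sizeof(hmac_key) - 1,   // exclude the string's trailing NUL
                "sha512",
                73 // random prefix length; chosen larger than the 64-byte SHA-512 digest
            };

            if (mode == 0)
            {
                if (!ct_encrypt(&SK, argv[1], argv[2]))
                {
                    fprintf(stderr, "\n\nERROR: Encryption failed!\n");
                    return EXIT_FAILURE;
                }

                printf("\n\nEncryption complete!\n");
            }

            else
            {
                if (!ct_decrypt(&SK, argv[1], argv[2]))
                {
                    fprintf(stderr, "\n\nERROR: Decryption failed!\n");
                    return EXIT_FAILURE;
                }

                printf("\n\nDecryption complete!\n");
            }
        }

        return EXIT_SUCCESS;
    }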
    ____________________________________


  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Fri Feb 13 12:23:01 2026
    From Newsgroup: comp.lang.c

    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c

  • From Stefan Claas@noreply@oc2mx.net to comp.lang.c,sci.crypt on Sat Feb 14 14:48:54 2026
    From Newsgroup: comp.lang.c

    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    You should definitely learn Go or Rust...!!! BTW, speaking of TRNG,
    yours is not a TRNG; use instead on your Windows box your TPM 2.0
    hardware TRNG module, like I did, for example with pwgen:

    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum
    Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    Regards
    Stefan
    --
    https://oc2mx.net
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Sat Feb 14 12:50:48 2026
    From Newsgroup: comp.lang.c

    On 2/14/2026 6:48 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks
    everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, it's pretty nice. That is the only dependency.
    After that, it should work fine. I cannot just copy those files from
    ogay into my repository, right? :^)


    You should definetly learn Go or Rust...!!! BTW. speaking of TRNG,
    your's is not a TRNG, use instead on your Windows box your TPM 2.0
    hardware TRNG module, like I did, for example with pwgen:

    Well, if somebody has access to a "real" TRNG device, they can adapt my
    code to use its API.


    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum
    Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    That is a TRNG? I thought I needed a special device for that?
  • From Stefan Claas@noreply@oc2mx.net to comp.lang.c,sci.crypt on Sat Feb 14 21:46:52 2026
    From Newsgroup: comp.lang.c

    Chris M. Thomasson wrote:
    On 2/14/2026 6:48 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It uses some non-portable API's in order to try to get a TRNG. It prints out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, its pretty nice. That is the only dependency.
    After that, it should work fine. I cannot just copy those files from
    ogay into my repository, right? :^)

    Oh well, at least you should have mentioned in your OP the dependencies!

    You should definetly learn Go or Rust...!!! BTW. speaking of TRNG,
    your's is not a TRNG, use instead on your Windows box your TPM 2.0
    hardware TRNG module, like I did, for example with pwgen:

    Well, if somebody has access to a "real" TRNG device, they can adapt my
    code to use its API.

    So, you don't have one in your PC? Then you should also not speak in the
    future about TRNG in your code, when it is not!

    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum
    Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    That is a TRNG? I thought I needed a special device for that?

    Yes, it uses a real TRNG in my PC, i.e. the TPM 2.0 hardware module.
    --
    https://oc2mx.net
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Sun Feb 15 01:31:54 2026
    From Newsgroup: comp.lang.c

    On 2/14/2026 1:46 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/14/2026 6:48 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks
    everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, its pretty nice. That is the only dependency.
    After that, it should work fine. I cannot just copy those files from
    ogay into my repository, right? :^)

    Oh well, at least you should have mentioned in your OP the dependencies!

    You should definetly learn Go or Rust...!!! BTW. speaking of TRNG,
    your's is not a TRNG, use instead on your Windows box your TPM 2.0
    hardware TRNG module, like I did, for example with pwgen:

    Well, if somebody has access to a "real" TRNG device, they can adapt my
    code to use its API.

    So, you don't have one in your PC? Then you should also not speak in the future about TRNG in your code, when it is not!

    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum
    Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    That is a TRNG? I thought I needed a special device for that?

    Yes, it uses a real TRNG in my PC, i.e. the TMP 2.0 hardware module.


    I put DrMoron up online. Here is a message encrypted using the default
    key. Click it, and you should see the message:

    https://fractallife247.com/test/hmac_cipher/drmoron/?ct_hmac_cipher=0decd464be7496f9534ef9fabee04f8d283ee784811a8a9bff4193329f2bcaa859fb8288acc5c096618dcaf71c19304cce3f02d7a9e60975fdb9b468fbf3093a29c266846ff228c4ef1ca0fc8b6e81b7654857a35440a75a4d44711efb61a18fb2d26b4f373d5cc86ee5809dcadf96f42f5ed62e27e1d6bb2fe3c8574047fcc55d92066a9faa0958edaa93c371939a50c08b1f0885d42e028d8190f10609
  • From Stefan Claas@noreply@oc2mx.net to comp.lang.c,sci.crypt on Sun Feb 15 10:00:10 2026
    From Newsgroup: comp.lang.c

    Chris M. Thomasson wrote:
    On 2/14/2026 1:46 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/14/2026 6:48 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks
    everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, its pretty nice. That is the only dependency. After that, it should work fine. I cannot just copy those files from
    ogay into my repository, right? :^)

    Oh well, at least you should have mentioned in your OP the dependencies!

    You should definetly learn Go or Rust...!!! BTW. speaking of TRNG, your's is not a TRNG, use instead on your Windows box your TPM 2.0 hardware TRNG module, like I did, for example with pwgen:

    Well, if somebody has access to a "real" TRNG device, they can adapt my code to use its API.

    So, you don't have one in your PC? Then you should also not speak in the future about TRNG in your code, when it is not!

    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    That is a TRNG? I thought I needed a special device for that?

    Yes, it uses a real TRNG in my PC, i.e. the TMP 2.0 hardware module.


    I put DrMoron up online. Here is a message encrypted using the default
    key. Click it, and you should see the message:

    https://fractallife247.com/test/hmac_cipher/drmoron/?ct_hmac_cipher=0decd464be7496f9534ef9fabee04f8d283ee784811a8a9bff4193329f2bcaa859fb8288acc5c096618dcaf71c19304cce3f02d7a9e60975fdb9b468fbf3093a29c266846ff228c4ef1ca0fc8b6e81b7654857a35440a75a4d44711efb61a18fb2d26b4f373d5cc86ee5809dcadf96f42f5ed62e27e1d6bb2fe3c8574047fcc55d92066a9faa0958edaa93c371939a50c08b1f0885d42e028d8190f10609

    I will try out your online cipher, once your website is secured with:

    https://github.com/Ch1ffr3punk/mfv

    because best security practices should be used when someone is offering
    online encryption, so that the site and owner can be trusted.
    --
    https://oc2mx.net
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Sun Feb 15 11:51:16 2026
    From Newsgroup: comp.lang.c

    On 2/15/2026 2:00 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/14/2026 1:46 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/14/2026 6:48 AM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/12/2026 9:40 PM, Chris M. Thomasson wrote:
    Well, I made some alterations to my old C version of my HMAC cipher. It
    uses some non-portable API's in order to try to get a TRNG. It prints
    out its usage, just run the program with no arguments, look in ct_help.

    Well, can anybody else get it to compile _and_ run on their end? Thanks
    everybody!

    The secret key is hardcoded to Password and SHA2-512:
    [...]

    I put it up on github:

    https://github.com/ChrisMThomasson/ct_HMAC_Cipher_Experiment/blob/main/ct_hmac_sha2_512.c


    Why I do not like your code snippets:

    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, its pretty nice. That is the only dependency.
    After that, it should work fine. I cannot just copy those files from
    ogay into my repository, right? :^)

    Oh well, at least you should have mentioned in your OP the dependencies!
    You should definetly learn Go or Rust...!!! BTW. speaking of TRNG,
    your's is not a TRNG, use instead on your Windows box your TPM 2.0
    hardware TRNG module, like I did, for example with pwgen:

    Well, if somebody has access to a "real" TRNG device, they can adapt my
    code to use its API.

    So, you don't have one in your PC? Then you should also not speak in the
    future about TRNG in your code, when it is not!

    https://github.com/Ch1ffr3punk/pwgen

    Or if your computer is too old for TPM 2.0 usage try to use Quantum
    Random bytes:

    https://github.com/Ch1ffr3punk/qrng
    https://github.com/Ch1ffr3punk/pnr

    HTH!

    That is a TRNG? I thought I needed a special device for that?

    Yes, it uses a real TRNG in my PC, i.e. the TMP 2.0 hardware module.


    I put DrMoron up online. Here is a message encrypted using the default
    key. Click it, and you should see the message:

    https://fractallife247.com/test/hmac_cipher/drmoron/?ct_hmac_cipher=0decd464be7496f9534ef9fabee04f8d283ee784811a8a9bff4193329f2bcaa859fb8288acc5c096618dcaf71c19304cce3f02d7a9e60975fdb9b468fbf3093a29c266846ff228c4ef1ca0fc8b6e81b7654857a35440a75a4d44711efb61a18fb2d26b4f373d5cc86ee5809dcadf96f42f5ed62e27e1d6bb2fe3c8574047fcc55d92066a9faa0958edaa93c371939a50c08b1f0885d42e028d8190f10609

    I will try out your online cipher, once your website is secured with:

    https://github.com/Ch1ffr3punk/mfv

    Fwiw, notice the clear warning on my site:
    ________________
    EXPERIMENTAL - NOT SECURE ENCRYPTION ⚠️
    DO NOT use for real secrets! This cipher is experimental, unreviewed,
    and for educational purposes only.
    ________________


    because best security pratices should be used when someone is offering
    online encryption, so that the site and owner can be trusted.

    Well, one can download the files for the site and run it offline for
    sure. No server, no internet connection needed. Fair enough? Btw, has
    _your_ work been properly peer reviewed?
  • From Stefan Claas@noreply@oc2mx.net to comp.lang.c,sci.crypt on Sun Feb 15 20:58:29 2026
    From Newsgroup: comp.lang.c

    Chris M. Thomasson wrote:
    On 2/15/2026 2:00 AM, Stefan Claas wrote:

    because best security pratices should be used when someone is offering online encryption, so that the site and owner can be trusted.

    Well, one can download the files for the site and run it offline for
    sure. No server, no internet connection needed. Fair enough? Btw, has
    _your_ work been properly peer reviewed?

    Many thousands of people have seen it on reddit, in various forums,
    and no programmer there had complained. I showed it also to the
    guys of opentimestamps.org and they liked it too. You can show it
    to your Go friend, if you are unsure, or discuss it with your C
    friends on Usenet. You can also take a look at the source code,
    prior installing it on your website and I can tell you too that Go
    crypto libraries had an audit. The advantage of Go and Rust over C(++)
    is that those programming languages are made with security in mind
    unlike C(++) and others. So give it a try and you will be amazed.
    --
    https://oc2mx.net
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Sun Feb 15 13:36:31 2026
    From Newsgroup: comp.lang.c

    On 2/15/2026 12:58 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/15/2026 2:00 AM, Stefan Claas wrote:

    because best security pratices should be used when someone is offering
    online encryption, so that the site and owner can be trusted.

    Well, one can download the files for the site and run it offline for
    sure. No server, no internet connection needed. Fair enough? Btw, has
    _your_ work been properly peer reviewed?

    Many thousands of people have seen it on reddit, in various forums,
    and no programmer there had complained. I showed it also to the
    guys of opentimestamps.org and they liked it too. You can show it
    to your Go friend, if you are unsure, or discuss it with your C
    friends on Usenet. You can also take a look at the source code,
    prior installing it on your website and I can tell you too that Go
    crypto libraries had an audit. The advantage of Go and Rust over C(++)
    is that those programming languages are made with security in mind
    unlike C(++) and others. So give it at try and you will be amazed.


    People seem to like my DrMoron on reddit as well. But, that is NOT a
    proper review by professionals?

    https://www.reddit.com/r/crypto/comments/1r369lv/drmoron_a_cipher/
  • From Stefan Claas@noreply@oc2mx.net to comp.lang.c,sci.crypt on Sun Feb 15 22:05:32 2026
    From Newsgroup: comp.lang.c

    Chris M. Thomasson wrote:
    On 2/15/2026 12:58 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/15/2026 2:00 AM, Stefan Claas wrote:

    because best security pratices should be used when someone is offering online encryption, so that the site and owner can be trusted.

    Well, one can download the files for the site and run it offline for sure. No server, no internet connection needed. Fair enough? Btw, has _your_ work been properly peer reviewed?

    Many thousands of people have seen it on reddit, in various forums,
    and no programmer there had complained. I showed it also to the
    guys of opentimestamps.org and they liked it too. You can show it
    to your Go friend, if you are unsure, or discuss it with your C
    friends on Usenet. You can also take a look at the source code,
    prior installing it on your website and I can tell you too that Go
    crypto libraries had an audit. The advantage of Go and Rust over C(++)
    is that those programming languages are made with security in mind
    unlike C(++) and others. So give it at try and you will be amazed.


    People seem to like my DrMoron on reddit as well. But, that is NOT a
    proper review by professionals?

    https://www.reddit.com/r/crypto/comments/1r369lv/drmoron_a_cipher/

    You can of course get an audit done by professionals, like cure53, which costs
    money.

    https://cure53.de/
    --
    https://oc2mx.net
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Sun Feb 15 16:17:53 2026
    From Newsgroup: comp.lang.c

    On 2/15/2026 2:05 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/15/2026 12:58 PM, Stefan Claas wrote:
    Chris M. Thomasson wrote:
    On 2/15/2026 2:00 AM, Stefan Claas wrote:

    because best security practices should be used when someone is offering online encryption, so that the site and owner can be trusted.

    Well, one can download the files for the site and run it offline for
    sure. No server, no internet connection needed. Fair enough? Btw, has
    _your_ work been properly peer reviewed?

    Many thousands of people have seen it on reddit, in various forums,
    and no programmer there had complained. I showed it also to the
    guys of opentimestamps.org and they liked it too. You can show it
    to your Go friend, if you are unsure, or discuss it with your C
    friends on Usenet. You can also take a look at the source code,
    prior to installing it on your website and I can tell you too that Go
    crypto libraries had an audit. The advantage of Go and Rust over C(++)
    is that those programming languages are made with security in mind
    unlike C(++) and others. So give it a try and you will be amazed.


    People seem to like my DrMoron on reddit as well. But, that is NOT a
    proper review by professionals?

    https://www.reddit.com/r/crypto/comments/1r369lv/drmoron_a_cipher/

    You can of course get an audit done by professionals, like cure53, which costs
    money.

    https://cure53.de/


    How much did you pay them?
  • From jayjwa@jayjwa@atr2.ath.cx.invalid to comp.lang.c,sci.crypt on Wed Feb 18 12:41:15 2026
    From Newsgroup: comp.lang.c

    "Chris M. Thomasson" <chris.m.thomasson.1@gmail.com> writes:

    Why I do not like your code snippets:
    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac
    It would be better if that project made a library to link against, so
    that you didn't have to put it all on the command line.

    [12:24] jayjwa@ibushi:~/hmac$ gcc -pipe -o ct_hmac_sha2_512 ct_hmac_sha2_512.c hmac_sha2.c sha2.c
    [12:25] jayjwa@ibushi:~/hmac$ echo "How now brown cow?" > test.txt
    [12:26] jayjwa@ibushi:~/hmac$ ./ct_hmac_sha2_512 test.txt test.enc -e

    === DrMoron Cipher (Fixed TRNG Version) ===

    Mode: ENCRYPT
    WARNING: Using hardcoded demo key - NOT SECURE for production!
    Input file: test.txt
    Output file: test.enc

    Generating 73 bytes of cryptographically secure random data...
    Random prefix generated successfully
    Crypt Round 0:
    ________________________
    P_I = 92 of 92


    Crypt Round 1:
    ________________________
    P_I = 92 of 92


    Encryption complete!
    [12:26] jayjwa@ibushi:~/hmac$ ./ct_hmac_sha2_512 test.enc test.new -d

    === DrMoron Cipher (Fixed TRNG Version) ===

    Mode: DECRYPT
    WARNING: Using hardcoded demo key - NOT SECURE for production!
    Input file: test.enc
    Output file: test.new

    Crypt Round 0:
    ________________________
    P_I = 92 of 92


    Crypt Round 1:
    ________________________
    P_I = 92 of 92


    Decryption complete!
    [12:27] jayjwa@ibushi:~/hmac$ cat test.new
    How now brown cow?
    [12:34] jayjwa@ibushi:~/hmac$ uname -a
    SunOS ibushi 5.11 illumos-f8f3128c12 i86pc i386 i86pc
    --
    PGP Key ID: 781C A3E2 C6ED 70A6 B356 7AF5 B510 542E D460 5CAE
    "The Internet should always be the Wild West!"
  • From scott@scott@slp53.sl.home (Scott Lurndal) to comp.lang.c,sci.crypt on Wed Feb 18 18:06:38 2026
    From Newsgroup: comp.lang.c

    jayjwa <jayjwa@atr2.ath.cx.invalid> writes:
    "Chris M. Thomasson" <chris.m.thomasson.1@gmail.com> writes:

    Why I do not like your code snippets:
    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac
    It would be better if that project made a library to link against, so
    that you didn't have to put it all on the command line.

    [12:24] jayjwa@ibushi:~/hmac$ gcc -pipe -o ct_hmac_sha2_512

    You'd have more command line to work with if you set PS1="$ ".

    I mean, surely you know which host you're logged into and
    which user you logged in with without a constant reminder
    eating up half the command line :-)

    In my case, the current host and working directory is stashed in the
    xterm title bar automatically by a shell function wrapping the cd command.
  • From James Kuyper@jameskuyper@alumni.caltech.edu to comp.lang.c,sci.crypt on Wed Feb 18 13:58:34 2026
    From Newsgroup: comp.lang.c

    On 2026-02-18 13:06, Scott Lurndal wrote:
    jayjwa <jayjwa@atr2.ath.cx.invalid> writes:
    ...
    [12:24] jayjwa@ibushi:~/hmac$ gcc -pipe -o ct_hmac_sha2_512

    You'd have more command line to work with if you set PS1="$ ".

    I mean, surely you know which host you're logged into and
    which user you logged in with without a constant reminder
    eating up half the command line :-)

    It depends very much upon your work environment. I've worked in
    environments where I might often be logged into multiple hosts in
    different windows at the same time, and in some cases there were
    multiple different users I might have been logged into a given host.

    In my case, the current host and working directory is stashed in the
    xterm title bar automatically by a shell function wrapping the cd command.


    I agree that the title bar is a more appropriate location for current
    host and current user information. However, I've found it useful to be
    able to tell directly which directory was the current one when I issued
    each command. If the cd (or pushd or popd) command is still on screen,
    it can be figured out, but it is easier when it's part of the prompt. Of course, the value of this depends upon how much work you do at the
    command line. While I was working on NASA projects, most of my work was
    done at the command line.
  • From Richard Harnden@richard.nospam@gmail.invalid to comp.lang.c,sci.crypt on Wed Feb 18 19:26:37 2026
    From Newsgroup: comp.lang.c

    On 18/02/2026 18:58, James Kuyper wrote:
    On 2026-02-18 13:06, Scott Lurndal wrote:
    jayjwa <jayjwa@atr2.ath.cx.invalid> writes:
    ...
    [12:24] jayjwa@ibushi:~/hmac$ gcc -pipe -o ct_hmac_sha2_512

    You'd have more command line to work with if you set PS1="$ ".

    I mean, surely you know which host you're logged into and
    which user you logged in with without a constant reminder
    eating up half the command line :-)

    It depends very much upon your work environment. I've worked in
    environments where I might often be logged into multiple hosts in
    different windows at the same time, and in some cases there were
    multiple different users I might have been logged into a given host.

    In my case, the current host and working directory is stashed in the
    xterm title bar automatically by a shell function wrapping the cd command.


    I agree that the title bar is a more appropriate location for current
    host and current user information. However, I've found it useful to be
    able to tell directly which directory was the current one when I issued
    each command. If the cd (or pushd or popd) command is still on screen,
    it can be figured out, but it is easier when it's part of the prompt. Of course, the value of this depends upon how much work you do at the
    command line. While I was working on NASA projects, most of my work was
    done at the command line.

    I have a multi-line PS1 for exactly those reasons. Wastes a bit of
    vertical space, but I want the constant reminder about
    this-host-is-production and which directory I'm in.

    Having info in the title is very useful when the window is minimised.


  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Thu Feb 19 12:54:33 2026
    From Newsgroup: comp.lang.c

    On 2/18/2026 9:41 AM, jayjwa wrote:
    "Chris M. Thomasson" <chris.m.thomasson.1@gmail.com> writes:

    Why I do not like your code snippets:
    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
    29 | #include "hmac_sha2.h"
    | ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac
    It would be better if that project made a library to link against, so
    that you didn't have to put it all on the command line.

    It would be more convenient for sure. Also, I don't want to put ogay's
    hmac files in my repository. A makefile would also help.


    [12:24] jayjwa@ibushi:~/hmac$ gcc -pipe -o ct_hmac_sha2_512 ct_hmac_sha2_512.c hmac_sha2.c sha2.c
    [12:25] jayjwa@ibushi:~/hmac$ echo "How now brown cow?" > test.txt
    [12:26] jayjwa@ibushi:~/hmac$ ./ct_hmac_sha2_512 test.txt test.enc -e

    === DrMoron Cipher (Fixed TRNG Version) ===

    Mode: ENCRYPT
    WARNING: Using hardcoded demo key - NOT SECURE for production!
    Input file: test.txt
    Output file: test.enc

    Generating 73 bytes of cryptographically secure random data...
    Random prefix generated successfully
    Crypt Round 0:
    ________________________
    P_I = 92 of 92


    Crypt Round 1:
    ________________________
    P_I = 92 of 92


    Encryption complete!
    [12:26] jayjwa@ibushi:~/hmac$ ./ct_hmac_sha2_512 test.enc test.new -d

    === DrMoron Cipher (Fixed TRNG Version) ===

    Mode: DECRYPT
    WARNING: Using hardcoded demo key - NOT SECURE for production!
    Input file: test.enc
    Output file: test.new

    Crypt Round 0:
    ________________________
    P_I = 92 of 92


    Crypt Round 1:
    ________________________
    P_I = 92 of 92


    Decryption complete!
    [12:27] jayjwa@ibushi:~/hmac$ cat test.new
    How now brown cow?
    [12:34] jayjwa@ibushi:~/hmac$ uname -a
    SunOS ibushi 5.11 illumos-f8f3128c12 i86pc i386 i86pc


    Excellent! Thanks for giving it a go. My next version will allow one to
    create a secret key file and use it.
  • From Chris M. Thomasson@chris.m.thomasson.1@gmail.com to comp.lang.c,sci.crypt on Thu Feb 19 12:58:10 2026
    From Newsgroup: comp.lang.c

    On 2/19/2026 12:54 PM, Chris M. Thomasson wrote:
    On 2/18/2026 9:41 AM, jayjwa wrote:
    "Chris M. Thomasson" <chris.m.thomasson.1@gmail.com> writes:

    Why I do not like your code snippets:
    $ gcc hmac.c -o hmac
    hmac.c:29:10: fatal error: hmac_sha2.h: No such file or directory
         29 | #include "hmac_sha2.h"
            |          ^~~~~~~~~~~~~
    compilation terminated.

    Well, it uses the following lib:

    https://github.com/ogay/hmac
    It would be better if that project made a library to link against, so
    that you didn't have to put it all on the command line.

    It would be more convenient for sure. Also, I don't want to put ogay's
    hmac files in my repository. A makefile would also help.
    [...]

    Excellent! Thanks for giving it a go. My next version will allow one to create a secret key file and use it.

    Actually, for the password it can use any existing file. To include
    rand_n and the hash algo, then it would need to be a special file, say:

    secret key:

    <hash_algo>
    <rand_n>
    <payload>

  • From Lawrence D’Oliveiro@ldo@nz.invalid to comp.lang.c,sci.crypt on Sat Feb 21 01:42:59 2026
    From Newsgroup: comp.lang.c

    On Sat, 14 Feb 2026 12:50:48 -0800, Chris M. Thomasson wrote:

    Well, it uses the following lib:

    https://github.com/ogay/hmac

    So, go get it. Actually, it's pretty nice. That is the only
    dependency. After that, it should work fine. I cannot just copy
    those files from ogay into my repository, right? :^)

    There is a way to bring external dependencies into the source tree automatically <https://git-scm.com/docs/gitsubmodules>.