AnswerChain
Encrypt and decrypt your data securely using custom security questions — with all processing handled entirely offline
🛡️🔒🔑 Securely encrypt & decrypt data with custom security questions — all processed offline 🔑🔒🛡️
Project Documentation and Guide
Visit the project site (under construction):
📑 Table of Contents
<details> <summary>🔒 Why the Security Questions File (kit) is Secure</summary>
- 1. Key Derivation
- 2. Cascade Encryption
- 3. Secret Splitting (SSS)
- 4. Standard vs Critical Questions
- 5. Wrong Answers and Decoys
- 6. Final Verification
- 7. Offline and Passwordless
- 8. Leak Resilience
- 9. Brute-Force Cost Analysis
- 10. Trusted Cryptographic Libraries
- 11. The Code
- 12. Potential Leak
- Threat-Model–Driven Inspiration
- Use Cases
- Privacy Protection via Tolerance-Based Authentication
- Server-Side Authentication
- Unified Framework of Human-Centric Authentication
🔗 About AnswerChain
AnswerChain provides an offline, passwordless recovery system that empowers individuals and organizations to restore secrets securely. By allowing users to create their own knowledge-based questions and answer options, secrets can be rebuilt without relying on passwords—protected by modern cryptography to ensure safety and trust.
🚨⚠️🚨 Disclaimer 🚨⚠️🚨
Program is NOT yet READY!
Is this program secure to use?
- This program was developed with extensive AI assistance. While care has been taken to ensure safety, NO SOFTWARE CAN BE GUARANTEED 100% SECURE. At this stage, I would NOT RECOMMEND USING THIS PROGRAM FOR ITS INTENDED PURPOSE UNTIL IT HAS MATURED ENOUGH (e.g., gained broader community recognition, reviews, and testing).
Have you had prior experience with coding?
- No, I have not. This is my first application!
❓ How does it work
1️⃣. User defines their own questions
You create your own security questions (e.g., “What was my first pet’s name?”)
and provide multiple answer alternatives.
2️⃣. Standard and Critical questions
When setting up your recovery kit, each question can be marked as:
- Standard → regular knowledge prompts (e.g., “What city were you born in?”).
These contribute shares toward the recovery threshold and allow flexibility.
- Critical → high-value prompts (e.g., “What is the code phrase I only told my family?”).
These must always be answered correctly for secret restoration to be possible —
even if all standard questions are answered correctly.
This two-tier system combines usability (standard questions)
with mandatory checkpoints (critical questions) for maximum security.
3️⃣. Every alternative is cryptographically protected
Each alternative is combined with a random salt and processed through Argon2id (a memory-hard key derivation function).
The derived key is used to encrypt a Shamir Secret Sharing (SSS) share with cascade encryption:
- First layer: AES-256-GCM
- Second layer: ChaCha20-Poly1305
This dual-layer (cascade AEAD) ensures ciphertexts all have the same structure
and strengthens security against single-algorithm weaknesses that the future could present.
4️⃣. Wrong answers look valid too
Incorrect answers are not left empty. Instead, they carry dummy SSS shares,
also Argon2id-hardened and cascade-encrypted (AES-256-GCM + ChaCha20-Poly1305).
This makes every answer indistinguishable, so attackers cannot know which ones are correct.
5️⃣. Decoy “real” answers
Users can define decoy real answers that decrypt into plausible but fake secrets.
Even if an attacker manages to decrypt shares, they cannot tell
whether the reconstructed output is the genuine secret or a decoy.
6️⃣. Secret recovery
During recovery, you answer your own questions. Each chosen alternative is re-processed
with Argon2id and cascade decryption.
- If the correct set of Standard questions is answered,
enough valid SSS shares may be obtained.
- But recovery will only succeed if all required Critical questions are also answered correctly.
If both conditions are met, the valid shares can be recombined to reconstruct the secret.
7️⃣. Final authentication
The reconstructed secret undergoes a final Argon2id + HMAC check.
Only if this verification succeeds is the secret accepted as authentic.
🔒 Why the Security Questions File (kit) is Secure
1. Key Derivation
Every answer is combined with a random salt and processed through Argon2id
with enforced high memory cost (≥1 GiB, parallelism pinned to 1).
This makes brute-force attacks prohibitively expensive,
even for attackers using modern GPUs or ASICs.
2. Cascade Encryption
Each derived key is used in cascade encryption, first with AES-256-GCM
and then with ChaCha20-Poly1305.
This guarantees ciphertexts are uniform in structure and provides long-term resilience:
even if one cipher is broken in the future, the other still protects the data.
3. Secret Splitting (SSS)
The protected secret is never stored directly but split into shares using
Shamir’s Secret Sharing (SSS).
A defined threshold of correct answers must be provided to recombine the secret,
while any subset below the threshold reveals absolutely nothing.
4. Standard vs. Critical Questions
Questions can be standard or critical.
- Standard questions → contribute shares toward the threshold.
- Critical questions → must always be answered correctly.
Secret restoration is impossible if even one critical question is wrong,
regardless of how many standard answers are correct.
5. Wrong Answers and Decoys
Wrong answers are indistinguishable from correct ones because they also decrypt into
dummy shares hardened with Argon2id and cascade AEAD.
Users can also configure decoy real answers, which produce plausible but fake secrets.
These protections ensure attackers can never know whether a recovered result is genuine or a decoy.
6. Final Verification
Once enough shares are collected, the reconstructed secret must pass a
final Argon2id + HMAC verification step.
This prevents tampering and guarantees that only the genuine secret is accepted.
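The share splitting, dummy shares and final verification described in sections 3, 5 and 6 can be traced end to end in a small sketch. This is an added example, not AnswerChain's own code: the prime field, the integer secret, the HMAC label string and the use of stdlib scrypt as a stand-in for the Argon2id step are all assumptions made so that it runs with the Python standard library only.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # prime field for the shares (assumed); secrets must be < P

def split(secret, threshold, n):
    """Shamir split: random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            y = (y * x + c) % P
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def make_tag(secret, salt):
    """HMAC-SHA256 keyed by a memory-hard KDF of the candidate secret.
    scrypt is a stand-in here for the Argon2id step the README names."""
    raw = secret.to_bytes(16, "big")
    key = hashlib.scrypt(raw, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.new(key, b"example-final-verification", hashlib.sha256).digest()

def recover(shares, salt, tag):
    """Accept the reconstructed value only if it matches the stored tag."""
    candidate = combine(shares)
    ok = hmac.compare_digest(make_tag(candidate, salt), tag)
    return candidate if ok else None

def demo():
    secret, salt = secrets.randbelow(2**120), secrets.token_bytes(16)
    real = split(secret, threshold=3, n=5)   # one share per correct answer
    tag = make_tag(secret, salt)             # stored in the kit next to the salt
    # A wrong alternative carries a dummy share: same x, same size, different y.
    dummy = (real[2][0], (real[2][1] + 1 + secrets.randbelow(P - 1)) % P)
    good = recover(real[:3], salt, tag)                 # three correct answers
    bad = recover([real[0], real[1], dummy], salt, tag) # one wrong answer
    few = recover(real[:2], salt, tag)                  # below the threshold
    return secret, good, bad, few
```

A dummy share still interpolates to a well-formed field element, so the final tag comparison is the only step in this sketch that separates the genuine secret from a wrong reconstruction.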
7. Offline and Passwordless
The entire system is offline and passwordless, eliminating risks associated with
servers, cloud storage, or a single vulnerable master password.
Everything needed for recovery
