3ncr.org is a standard for string encryption/decryption (algorithms + storage format). Originally it was intended for encryption tokens in configuration files. It may be used to encrypt any UTF-8 strings.
3ncr.org v1 uses AES-256-GCM for authenticated encryption and base64 for encoding binary data back to string. The envelope format is fairly simple:
header + base64(iv + aes-256-gcm(data) + tag)
Encrypted data looks like this 3ncr.org/1#I09Dwt6q05ZrH8GQ0cp+g9Jm0hD0BmCwEdylCh8
The envelope format does not prescribe how the 32-byte AES key is obtained. A key may be supplied directly, or derived from a secret using a key derivation function (KDF). See Key Derivation below.
A self-contained browser demo is available for encrypting and decrypting 3ncr.org v1 values without installing any library.
A 3ncr.org v1 string consists of the literal header 3ncr.org/1# followed by the base64 encoding of the binary payload. The binary payload is the concatenation of three fixed-layout fields:
iv[12] || ciphertext[N] || tag[16]
The AES key is always 32 bytes (AES-256). No associated data (AAD) is used.
The payload is encoded using standard base64 (RFC 4648 §4 alphabet: A–Z, a–z, 0–9, +, /) without padding: any trailing = characters produced by a padded encoder must be stripped before emission. Decoders should accept input with or without padding for robustness.
The minimum binary payload length is 12 + 0 + 16 = 28 bytes, which base64-encodes to 38 characters (no padding).
The AES-256-GCM cipher takes a 32-byte key. Implementations should accept a raw 32-byte key as their primary input. When a raw key is not available, the recommended derivation depends on the entropy of the source material.
Use Argon2id. For interoperability, implementations should default to these parameters so that the same secret and salt always produce the same derived key:
These follow the OWASP Password Storage baseline for Argon2id and are compatible with RFC 9106. Implementations must use the raw key-derivation variant that returns 32 raw bytes, not the encoded-string "password hash" variant that embeds its own parameters.
When the input already carries at least 128 bits of unique entropy — for example a random pre-shared key, a UUIDv4, or a sufficiently long random API token — a full password KDF is unnecessary. A single SHA3-256 hash over the input produces a well-distributed 32-byte AES key. No salt or iteration count is required in this tier.
PBKDF2 with SHA3-256, parameterised by secret, salt and iterations (default 1000), was the original KDF shipped with 3ncr.org v1 and is retained for backward compatibility with existing encrypted data. It is not recommended for new deployments: the default iteration count is too low by modern standards, and PBKDF2 offers no memory-hardness against GPU/ASIC attackers. New code should use one of the recommended KDFs above, or supply the 32-byte AES key directly.
Because 3ncr.org encryption is non-deterministic — a fresh random IV is generated on every call — two encryptions of the same plaintext under the same key produce different ciphertexts. There are therefore no fixed "encryption vectors" to match byte-for-byte. A conforming implementation should instead be exercised along the axes below.
The fundamental property: for any plaintext p and any key, decrypt(encrypt(p)) == p. Cover at minimum:
While encryption is non-deterministic, decryption is deterministic: given a fixed key, a given ciphertext always yields the same plaintext. The canonical v1 test vectors below use the legacy PBKDF2-SHA3 KDF with secret = "a", salt = "b", iterations = 1000. A new implementation can cross-check itself by decrypting each ciphertext and comparing against the expected plaintext. The vectors are ordered by plaintext length and deliberately cover the edge cases listed under Round-trip above: the empty string, a single ASCII character, a short ASCII string, a UUID-shaped ASCII string, a multibyte UTF-8 string, and a longer multi-sentence ASCII string that crosses several AES blocks. The same vectors are pre-loaded into the browser demo so they can be decrypted interactively.
| Plaintext | Ciphertext |
|---|---|
| (empty string) | 3ncr.org/1#gZJaluDTQCZuN1t96F0JnFOpZFeF2s3JdLSy4Q |
| a | 3ncr.org/1#I09Dwt6q05ZrH8GQ0cp+g9Jm0hD0BmCwEdylCh8 |
| test | 3ncr.org/1#Y3/v2PY7kYQgveAn4AJ8zP+oOuysbs5btYLZ9vl8DLc |
| 08019215-B205-4416-B2FB-132962F9952F | 3ncr.org/1#pHRufQld0SajqjHx+FmLMcORfNQi1d674ziOPpG52hqW5+0zfJD91hjXsBsvULVtB017mEghGy3Ohj+GgQY5MQ |
| перевірка | 3ncr.org/1#EPw7S5+BG6hn/9Sjf6zoYUCdwlzweeB+ahBIabUD6NogAcevXszOGHz9Jzv4vQ |
| The quick brown fox jumps over the lazy dog. Pack my box with five dozen liquor jugs. How vexingly quick daft zebras jump! | 3ncr.org/1#jcHalWX7XnMaCG7jU/mBnaIS06gX+0xZo7isiXoKmMzr9NKOUBfis/gmrnX/uKIaIvizUMeFJy7dYKrpofjKrzEpUpihWbk7gLhxLzWKy8b5LpkLHTruO1A8TPg5KqXKFkoDg2Lvbyq/2nBSL20NTVoqzgRFHmNcYfPIZFqvWcCgaSKhU+b3JKZVGQO+Wyvvhp40c0Lg |
A more thorough option is a cross-implementation interop test: encrypt with implementation A, decrypt with implementation B, for every (A, B) pair of libraries one cares about. This is the only way to catch subtle divergences (base64 alphabet, padding rules, IV length, tag placement) without relying on a single reference.
AES-GCM is authenticated encryption. Implementations must reject any input whose authentication tag does not verify. A useful test is to take a valid ciphertext, flip a single bit anywhere in the base64 payload (IV, ciphertext, or tag region), and confirm that decryption fails with an error rather than returning garbage plaintext. Truncated inputs shorter than 28 bytes after base64 decoding must also be rejected.
Encrypting the same plaintext twice with the same key must produce two different ciphertexts — if they are ever equal, the IV source is broken. A simple regression test is to call encrypt twice on the same input and assert the resulting strings differ. The first 12 bytes of the decoded payload are the IV; their distribution across many encryptions should be indistinguishable from random.
The decryptIf3ncr convenience function must return the original string unchanged when the input does not start with the 3ncr.org/1# header. This branch is easy to miss in tests because the happy path exercises only the encrypted form.
The following libraries implement 3ncr.org version 1:
To have a third-party implementation listed here, please open an issue or pull request on 3ncr/3ncr.org. To report a security vulnerability, please open a private advisory via the Security tab of the relevant 3ncr repository on GitHub.
All original content at 3ncr.org is distributed under MIT license:
Copyright (c) 2018-2026 3ncr.org
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.