Due to the recently published information about mass surveillance on a yet not known level right now the question remains how to encrypt communication. I had some thoughts regarding that topic involving a GPG like web of trust combined with user friendliness which I’d like to share here.
Given everything which was published so far, un-encrypted communication is not save at all. The same is unfortunately true for encryption methods which rely on encryption provided by the servers of some organization. If there is a centralized organization storing the keys for you, or just providing you with the encryption technology, you are screwed, because the intelligence agencies will force them to cooperate. For that reason, the encryption must take place on the end users system already (and the software must be Open Source).
However, if you have end-user encryption, you have the problem of the key exchange – if two people want to communicate securely, they need to exchange the keys or at least securely verify that a public key indeed belongs to their private key. That only works if they meet in person – or if there is a web of trust.
A common example of such a web of trust is the GPG web of trust: people who have properly verified that person A belongs to key M sign this key. If person B trusts person A, it can just use key M since it is already verified by person A. However, in case of GPG the web of trust never reached mainstream. It is mainly used by technical minded people. Most users never got used to it.
So, from what I can tell the only chance to establish a web of trust is to hide the technical details as much as possible from the users. The same is true for the actual key exchange – it needs to be as simple as possible so that each normal user can use it.
Given this background I would suggest the following solution at least for mobile phones. You download the app, and it asks the user for a password. In the background, a key pair is generated and secured with the password, and all data stored on the device are encrypted using the public key. If user A meets user B all they need to do is pressing a button in the app, and a QR code is shown. The other user scans that QR code, and its done. The user shows up in the contact list, and they can chat. In the background, the app extracts the key ID and fingerprint from the QR code, downloads the public key, signs it and uploads the signature automatically.
The biggest problem comes up when user C comes into play, wants to communicate with user A, but they both have no common connection in their web of trust. They would have to meet – or use some other way of exchanging the data securely. A simple way would still be to talk on the phone, but that never worked for GPG. So some kind of web service to host their QR code for a short time only would probably a solution, although it would be pretty risky.
To lower the danger of a man in the middle attack in the above given web example the key servers must only accept one key pair for each identity, which is different to the way GPG works. That would in fact mean that you can have each login only once – if you loose your key, your are screwed.
One question though remains: how many steps in the web of trust are still trustworthy? I guess that could be left as a configuration option if, and only if, a user wants to modify that.
To summarize: I guess that the current cryptography technologies we have could really help to establish secure communication. But to really bring that communication to the masses we need easy-to-use (read: your grandma!) applications doing everything in the background.
15 thoughts on “Thoughts on crypted communication”
I’ve been using GPG for many years and the main problem with GPG is to get people to actually use it. Most people either don’t understand that the communications channels they use are insecure and actively spied or simply too lazy to care.
As for public key trust, I only trust keys I exchange personally or have confirmed through a side channel (e.g. video/phone call).
But now many people know that they are using insecure channels and that they are actively under surveillance. Yet, this has not lead to any significant rise of gpg usage, has it?
And if not using the web of trust works for you that is good. But to reach a broader audience we need to have the possibility to encrypt communication securly between people who have never met.
Hi nice post 😀
look at the Tox Project
Secure without GPG so fine solution for me but it is still in pre alpha and only for developers for now .
I know abou Tox – but as you said, its not ready yet. If it is ready soon, I will give it a try, no question there.
GPG is great at what it does. The content of your messages will be reasonably safe. But who cares about the content when GCHQ und NSA have the metadata to all of your communication?
They know who you talk to and when you do. The web of trust will also tell them who you trust (obviously). That makes it even easier to identify key targets.
Basicaly who you talk to tells more about yourself than what you talk about. And that is true for any form of communication.
A different kind of metadata can even be used to identify tor users.
So we are screwed anyway.
It’s not that They ARE watching us. They are propably not. But They could be. And that is enough.
You are right regarding the fact that the when and whom we communicate with tells a lot about us. I doubt that it tells more than the actual messages, though.
However, your comment gave me an idea: since the actual communication is encrypted, it is easy to automatically slip in fake messages – the fake message can be send and removed automatically on the sender and receiver side. But an outstanding person would have no chance identitfying if the messages were fake or not. That would at least cover how much we are talking, and when.
Your plan assumes that the phone itself can be trusted. In most cases, I claim that it cannot. I suspect that locked-down bootloaders exist in part to ensure that certain backdoors remain in place.
No – in fact the post does not deal with the question if the phoine or the computer the application runs on can be trusted. That is another question for another post.
liquidat: this is in response to your response to me. For some reason, I don’t see a Reply button on any of your comments, so I can’t reply to them directly.
I suppose we can assume that the phone can be trusted for the purposes of discussing the web of trust, but I suspect putting trustworthy phones in the hands of the average person will be the more difficult problem by several orders of magnitude. “Law enforcement” agencies don’t want to give up their ability to spy on people at will, and they will likely trot out all the usual scare tactics to suppress any attempt to change that.
For me in the end the problem regarding trustworthy phones is the same as trustworthy computers. The main question is the operating system. And to me it looks like we will have three options in the near future: FirefoxOS, UbuntuOS and Android/Cyanogenmod. Thus I’m not sure if the problem is really as difficult to solve as you see it…
I don’t know, maybe my perspective is warped by having Verizon Wireless as my carrier, but it seems like locked-down phones are nearly impossible for the average person to avoid. You have to be very well-informed to avoid them, and on some carriers (like Verizon), you’re simply out of luck. If the bootloader is locked, then you only have one option: whatever the carrier gave you. Want to use FirefoxOS, UbuntuOS, or CyanogenMod? Too bad. I’m planning to jump ship after my current contract is up and switch to T-Mobile (despite their inferior network), since I can use a decent phone like the Nexus 4 with them.
In short, I think the prevalence of locked bootloaders is going to seriously impede adoption of alternative, trustworthy OSes, and that’s going to fatally hobble any effort to use such devices for the web of trust, at least in the US. Maybe things are different in Europe.
I’m not sure what the carrier has to do with that – do they force you to use a certain phone in the US? Here in Europe the carrier is not allowed to force you on a specific phone. You can just buy a new one and put the sim card into it. So switching to a new phone is not such a problem.
Kind of. With the GSM carriers (I’m not quite sure if that distinction is going away with LTE), it’s pretty easy to buy whatever phone wherever you want and use it. With the CDMA carriers (mainly Verizon and Sprint), that’s not necessarily the case. My Droid 4 has a SIM card, but I got the impression that I still can’t just get whatever phone I want and stick the SIM card in it and expect it to work. The Nexus 4 definitely won’t work because its radio doesn’t support the necessary frequencies. Yeah, it’s a pretty perverse situation, and the company definitely won’t warn you about it up front, just like they won’t warn you about their phones being locked down. I guess Europe doesn’t have this situation since you’re all GSM all the time.
What makes all this worse is that the choices are as follows:
-Verizon: great coverage, locked-down phones, no escape
-Sprint: poor coverage (especially outside of urban areas)
-AT&T: it’s AT&T. A survey a while back identified AT&T as the worst aspect of the iPhone. I know an iPhone user who switched to Verizon as soon as they got the iPhone just to get away from AT&T.
-T-Mobile: poor coverage (especially outside of urban areas)
There are a large number of smaller carriers, but they use one of the above four companies’ networks (I think it’s usually Sprint), which means they aren’t really alternatives. Since the barrier to entry is humongous, market forces are practically non-existant, and the government doesn’t care (or thinks it’s just fine), so the situation is unlikely to improve any time soon.
The most depressing thing is when I tell people about this situation and they just don’t care. I seriously had someone tell me that she doesn’t care as long as she can use Facebook. God help us all.
Interesting, I never knew that the situation was that bad in the US market. Thanks for the detailed insight!
Regarding how many people are concerned – iirc George Orwell estimated that only 15% of the population will care anyway. So the best you can go for according to him is to reach these 15% – the rest will follow. However, I like it best to try to sensitize the other 85% as well. 😉