Emerging encryption software
Digital Citizenship and Surveillance Society: UK State-Media-Citizen Relations after the Snowden Leaks
https://dcssproject.net/emerging-encryption-software/
Fri, 04 Mar 2016 09:08:47 +0000
Tag: Forward secrecy

Purpose:
The Open Whispers Logo.

New types of encryption software are being developed that aim to address the vulnerabilities associated with traditional forms of encryption such as Public Key Encryption. Two issues with traditional methods are the traceability of authorship through the use of digital signatures (no true anonymity), and the decryption of messages and files that may be stored by third parties, either by breaking the encryption or by legal means requiring the handing over of encryption keys (no true privacy).

Software applications

The most recent cryptographic software includes:

  • CryptoCat – a web browser plugin that uses JavaScript encryption [W3C01] to implement the Off-the-record (OTR) protocol. Its key feature is usability, as it only requires the download of a web browser plugin to begin using it. In addition, it allows for secure group chat. However, many security experts have criticized the robustness of ‘in-browser, JavaScript’ encryption [SOG01; SCH01; TAR01], as a web browser’s design for ‘remote code execution’ brings many vulnerabilities [TAR01]. Security experts have suggested that the media has hyped the software as a personal interest story rather than examining its actual robustness [SOG01], for example [WIR01]. Even so, it is reported that Glenn Greenwald used CryptoCat to communicate with Edward Snowden while in Hong Kong to arrange their meeting [WIR01].
  • ChatSecure – a phone app for both iPhone and Android that enables secure chat through OTR encryption. It can be used with multiple accounts such as Facebook Chat, Google Talk, Google Hangouts, and Jabber [EFF01]. Used with the Orbot plugin, it can go around most firewalls, network restrictions and blacklists [GPR01]. The app also supports the use of Tor so that users can hide their network activity [GPR01].
  • Open Whisper Systems – an Open Source community of contributors that work on a variety of free privacy software tools [OWH01] including:

– TextSecure – an encrypted mobile instant messaging app for Android phones that provides ‘forward secrecy’ of communications with others using the same app. It can send and receive both encrypted and unencrypted text (SMS) and media (MMS) messages, and file attachments. Messaging is compatible with Signal, the iOS version of TextSecure [TSR01].

– Signal – an encrypted mobile instant messaging and voice calls app for iOS phones that provides ‘forward secrecy’ of communications with others using the same app [SIL01]. Messaging is compatible with TextSecure, the Android version.

– Red Phone – an encrypted voice calling app for Android phones that uses Wi-Fi or data rather than mobile voice plans [RPH01].

  • Silent Circle – a private company that offers encryption tools similar to those of Open Whisper. They use the same voice encryption protocol; however, users are charged a subscription fee. They also specialise in ‘enterprise solutions’ for organisations [SCR01]. Software includes:

– Silent Phone – encrypted voice and video calls on mobile devices for iOS and Android. The app can be used with Wi-Fi, EDGE, 3G or 4G cellular anywhere in the world.

– Silent Text – encrypted text messaging for iOS and Android with a ‘burn functionality’ feature that destroys selected messages.

– Silent Contacts – encrypted address book for mobile phones.

– Blackphone – an Android-adapted phone using PrivatOS that focuses on enhancing privacy and security. It has a subscription-based service that enables users to make both encrypted and unencrypted voice calls. It also includes encrypted chat, browsing, file sharing, texting and conference calls.

  • Pond – a forward secure, asynchronous messaging system that aims to address the drawback of PGP asynchronous messaging [PND01]. Pond messages expire automatically a week after they are received. However, the author of the software stresses that people would use it at their own risk as the code has not been reviewed. It relies upon email gateway servers that accept messages while the user is offline [PND02]. Users choose a server, e.g. [PND03], or create their own. It uses an overlay network that connects to intermediary nodes to hide which servers people may be accessing to receive messages. Users exchange either PGP or OTR keys with the Pond server, e.g. [PND03]. Again, the author of the software warns that the code is incomplete [PND02].

Capabilities:

  • Forward secrecy – ensures that every new connection uses unique and ephemeral key information, so that if long-term keys (e.g. PGP/GPG) are compromised, the content of messages cannot be decrypted [EFF02].
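
The property described above, as an added example that is not part of the original article or of any of the listed tools: a recorded session is decrypted with a later-leaked long-term key when that key also protects the session, but not when the session used ephemeral keys. The group parameters, the SHA-256 keystream and all function names are assumptions made for illustration, and the long-term signature that would authenticate the ephemeral exchange is left out.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example; far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(shared, nonce):
    """Hash the DH shared secret and a public per-session nonce into a 32-byte key."""
    return hashlib.sha256(shared.to_bytes(16, "big") + nonce).digest()

def xor_stream(key, data):
    """Toy SHA-256 counter keystream standing in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def session(alice_lt, bob_lt, msg, ephemeral):
    """Run one session and return the transcript a passive recorder would store."""
    nonce = secrets.token_bytes(16)
    if ephemeral:
        (x, gx), (y, gy) = keypair(), keypair()  # fresh per session, discarded on return
    else:
        (x, gx), (y, gy) = alice_lt, bob_lt      # long-term keys reused for every session
    key = derive(pow(gy, x, P), nonce)           # Bob derives the same key from pow(gx, y, P)
    return {"nonce": nonce, "pub_b": gy, "ct": xor_stream(key, msg)}

def decrypt_after_compromise(transcript, leaked_priv):
    """Try to read a recorded session using Alice's leaked long-term private key."""
    key = derive(pow(transcript["pub_b"], leaked_priv, P), transcript["nonce"])
    return xor_stream(key, transcript["ct"])

def demo():
    alice_lt, bob_lt = keypair(), keypair()
    msg = b"constructed sample message"
    static = session(alice_lt, bob_lt, msg, ephemeral=False)
    forward = session(alice_lt, bob_lt, msg, ephemeral=True)
    return (decrypt_after_compromise(static, alice_lt[0]) == msg,
            decrypt_after_compromise(forward, alice_lt[0]) == msg)

if __name__ == "__main__":
    print(demo())
```
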

Surveillance mitigation:

  • Privacy – enables private digital communications so that messages cannot be read by third parties. The difference between plaintext and ciphertext has been compared to the postcard and the letter, where plaintext is more like a postcard that anyone can read and ciphertext is akin to placing a message in a sealed envelope. This has been called the ‘analog gap’ [MPE02].

Vulnerabilities:

  • Decryption – forward secrecy does not defend against a successful cryptanalysis of the underlying ciphers being used. This is because cryptanalysis is a method for decrypting an encrypted message without the key, whereas forward secrecy only protects keys, not the cipher algorithms used to perform encryption [ZUR01].

Layer of interaction:

  • Transport layer

Background:

Privacy and security of business and personal digital communication have received increased interest since the Snowden revelations of June 2013. In addition, the vulnerabilities associated with Public Key Encryption have been a catalyst for developers to provide more secure encryption to users.

Sources:

CryptoCat (CCA)

1) https://crypto.cat

Electronic Frontier Foundation (EFF)

1) https://ssd.eff.org/en/module/how-install-and-use-chatsecure

2) https://www.eff.org/deeplinks/2014/07/forward-secrecy-brings-better-long-term-privacy-wikipedia

Guardian Project (GPR)

1) https://guardianproject.info/apps/chatsecure

2) https://chatsecure.org/blog

Mailpile (MPE)

1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security

Open Whispers (OWH)

1) https://whispersystems.org/about/

TextSecure (TSR)

1) https://whispersystems.org/

Signal (SIL)

1) https://whispersystems.org/blog/signal/

2) https://ssd.eff.org/en/module/how-use-signal-%E2%80%93-private-messenger

3) http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the-iphone/

Red Phone (RPH)

1) https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en

Pond (PND)

1) https://pond.imperialviolet.org/

2) https://pond.imperialviolet.org/tech.html

3) https://pondgw.hoi-polloi.org/usage

Schneier on Security (SCH)
1) https://www.schneier.com/blog/archives/2012/08/cryptocat.html

Silent Circle (SCR)

1) https://silentcircle.com/services

Soghoian, Christopher (SOG)
1) http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html

Tony Arcieri (TAR)

1) http://tonyarcieri.com/whats-wrong-with-webcrypto

W3C, Web Cryptography API (W3C)

1) http://www.w3.org/TR/WebCryptoAPI/

Wired (WIR)

1) http://www.wired.com/2012/07/crypto-cat-encryption-for-all/

Zur:linux (ZUR)
1) http://zurlinux.com/?p=1772
