A Few Thoughts on Cryptographic Engineering: Here come the encryption apps!
URL: http://blog.cryptographyengineering.com/2013/03/here-come-encryption-apps.html
This is exciting stuff, and I want to believe. After all, I've spent a lot of my professional life working on crypto, and it's nice to imagine that people are actually going to start using it. At the same time, I worry that too much hype can be a bad thing -- and could even get people killed.
Given what's at stake, it seems worthwhile to sit down and look carefully at some of these new tools. How solid are they? What makes them different/better than what came before? And most importantly: should you trust them with your life?
A couple of notes...
Before we get to the details, a few stipulations. First, the apps we'll talk about here are hardly the only apps that use encryption. In fact, these days almost everyone advertises some form of 'end-to-end encryption' for your data. This has even gotten Skype and Blackberry into a bit of hot water with foreign governments.
However -- and this is a critical point -- 'end-to-end encryption' is rapidly becoming the most useless term in the security lexicon. That's because actually encrypting stuff is not the interesting part. The real challenge turns out to be distributing users' encryption keys securely, i.e., without relying on a trusted, central service.
The problem here is simple: if I can compromise such a service, then I can convince you to use my encryption key instead of your intended recipient's. In this scenario -- known as a Man in the Middle (MITM) attack -- all the encryption in the world won't help you.
(An even worse variant of this attack comes from services that actually store your secret keys for you. In this case you're truly dependent on their good behavior.*)
One important feature of the 'new' encryption apps is that they recognize this concern. That is, they don't require you to trust the service. A few even point this out in their marketing material and have included their own dishonesty in the threat model.
Cryptocat
The weakness is that it runs in a frigging web browser.
To put a finer point on it: web browsers are some of the most complex software packages you can run on a consumer device. They do eight million things, most of which require them to process arbitrary and untrusted data. Running security-critical code in a browser is like having surgery in a hospital that doubles as a sardine cannery and sewage-treatment plant -- maybe it's fine, but you should be aware of the risk you're taking.
So how does Cryptocat stack up?
Ease of use: My five-year-old can use Cryptocat.
Other notes: If the silent auto-update functionality is activated (in Chrome) it is technically possible for someone to compromise Cryptocat's update keys and quietly push out a malicious version of the app. This concern probably applies to most applications, but it is something you should be aware of.
Silent Circle
Now most users will probably understand this, and SilentCircle certainly does its best to make sure people do. Still, most users aren't experts, and it's easy to imagine a typical user getting confused -- and possibly assuming they're safer than they actually are.
Ease of use: To quote SilentCircle's PR: so simple even an MBA can use it. (No, I'm kidding, they don't say that. They just think it.)
Other thoughts: Rumor has it that the current market price for an iOS vulnerability is near $500,000. That doesn't mean iOS (or Silent Circle's app) is bulletproof. But it should give you a little bit of confidence. If you're being targeted with an iOS software vulnerability, then someone really wants you.
Should I use this to fight my oppressive regime? SilentCircle's founders have made it clear that they'll chew off their own legs before they allow themselves to be a party to eavesdropping on their clients. But even so -- I would still have to think on this for a while.
RedPhone/TextSecure
RedPhone does much of what SilentCircle does, though without the paid subscription and termination to POTS. In fact, I'm not quite sure if you can terminate it to POTS (I'll update if I find out.)
Like Silent Circle, RedPhone uses ZRTP to establish keys, then encrypts voice data using AES. Consequently, most of what I said for SilentCircle also applies here, including the use of a short authentication string to prevent MITM attacks.
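The two points above (a compromised key-distribution service lets an attacker hand you their own key, and a ZRTP-style short authentication string lets the two endpoints notice) in runnable form. This is an added example written for this page, not code from Cryptocat, Silent Circle or RedPhone; the Diffie-Hellman modulus, the SAS construction (20 bits of a transcript hash shown as four base32 characters, modelled loosely on ZRTP's B32 SAS type) and the directory interface are all simplifications chosen for illustration.

```python
"""Key agreement through a key directory, with a ZRTP-style short
authentication string (SAS). Toy model added for this page; not the code of
any app the post reviews. DH group and SAS construction are assumptions."""
import base64
import hashlib
import secrets

# Toy Diffie-Hellman parameters. 2**255 - 19 is prime, but this is not a
# standardized DH group; it is an assumption made to keep the example
# self-contained and quick.
P = 2**255 - 19
G = 2


def keypair(priv=None):
    """Return (private, public). A fixed private value may be supplied for tests."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Raw DH shared secret, hashed down to a 32-byte session key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def short_auth_string(key, initiator_pub, responder_pub):
    """SAS: 20 bits of a hash over the session key and the public values each
    side actually saw, rendered as 4 base32 characters to read aloud."""
    transcript = (key + initiator_pub.to_bytes(32, "big")
                  + responder_pub.to_bytes(32, "big"))
    digest = hashlib.sha256(transcript).digest()
    return base64.b32encode(digest[:5]).decode()[:4]


class KeyDirectory:
    """The trusted central service the post warns about: it hands out public keys."""
    def __init__(self):
        self._keys = {}

    def publish(self, name, pub):
        self._keys[name] = pub

    def lookup(self, name):
        return self._keys[name]


class CompromisedDirectory(KeyDirectory):
    """Same interface, but whoever controls it answers every lookup with a key
    they hold, so each caller unknowingly agrees a key with the attacker."""
    def __init__(self, attacker_pub):
        super().__init__()
        self._attacker_pub = attacker_pub

    def lookup(self, name):
        return self._attacker_pub

    def attacker_keys(self, attacker_priv):
        """Session keys the attacker derives from the keys users published."""
        return (session_key(attacker_priv, self._keys["alice"]),
                session_key(attacker_priv, self._keys["bob"]))


def run_call(directory, alice_priv=None, bob_priv=None):
    """Alice (initiator) and Bob (responder) publish their keys, fetch each
    other's through the directory, and derive a session key and SAS."""
    a_priv, a_pub = keypair(alice_priv)
    b_priv, b_pub = keypair(bob_priv)
    directory.publish("alice", a_pub)
    directory.publish("bob", b_pub)
    bob_as_seen_by_alice = directory.lookup("bob")
    alice_as_seen_by_bob = directory.lookup("alice")
    alice_key = session_key(a_priv, bob_as_seen_by_alice)
    bob_key = session_key(b_priv, alice_as_seen_by_bob)
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "alice_sas": short_auth_string(alice_key, a_pub, bob_as_seen_by_alice),
        "bob_sas": short_auth_string(bob_key, alice_as_seen_by_bob, b_pub),
    }


def demo():
    """Honest directory: one key, matching SAS. Compromised directory: two keys,
    both known to the attacker, and the SAS values the users compare differ."""
    honest = run_call(KeyDirectory())
    m_priv, m_pub = keypair()
    bad_dir = CompromisedDirectory(m_pub)
    mitm = run_call(bad_dir)
    with_alice, with_bob = bad_dir.attacker_keys(m_priv)
    print("honest    SAS:", honest["alice_sas"], honest["bob_sas"])
    print("MITM      SAS:", mitm["alice_sas"], mitm["bob_sas"])
    print("attacker holds both session keys:",
          with_alice == mitm["alice_key"] and with_bob == mitm["bob_key"])
    return honest, mitm


if __name__ == "__main__":
    demo()
```

Encryption is never the weak link here: in the compromised case both endpoints get a perfectly good session key, it is just shared with the directory's operator rather than with each other. The SAS catches it only if the two people actually read the strings to each other over the call and compare them, which is why the post keeps coming back to the question of whether users will do that.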
Overall code quality: After reading Moxie's RedPhone code the first time, I literally discovered a line of drool running down my face. It's really nice.
Crypto: Most of what I said about Silent Circle applies here, except that RedPhone uses only ZRTP, not SCIMP. However, RedPhone's implementation of ZRTP is somewhat simplified and avoids most of the options that make ZRTP a pain to deal with.
Other thoughts: In fairness to my students, they did point out that RedPhone does not retain a cache of secrets from connection to connection. Technically this is an optional feature of ZRTP, so it's not wrong to omit it. However, it means that you have to verify the authentication string on every single call. Moxie is working on this, so it may change in the future.
Should I use this to fight my oppressive regime? Oh look, a pony!
Wickr
Wickr is an encrypted Snapchat-like app for the iPhone. Like the above applications it provides for instant messaging, but it also focuses heavily on the message destruction feature. Chats/messages can be set to self-destruct after a pre-specified period of time.
As for the destruction of secrets, well, this does seem like a nice idea, particularly if the destruction is enforced cryptographically. Unfortunately this is a fundamentally hard problem to solve correctly: if I can get a copy of your phone's memory while the message is there, I can keep the message forever.
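What cryptographically enforced destruction can and cannot do, as an added example written for this page (it is not Wickr's code). The cipher is a throwaway SHA-256 keystream and "device memory" is a Python dict; both are assumptions made so the example runs offline. The per-message key is wiped at expiry, after which the stored ciphertext is useless, but a copy of the decrypted message taken while it was on screen is untouched by that.

```python
"""Toy self-destructing inbox. Added example, not code from the post or from
Wickr; the stream cipher and the in-memory model are assumptions."""
import hashlib
import secrets
import time


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Good enough to show the idea; do not use as a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class ExpiringInbox:
    """Ciphertexts stay; each per-message key lives only until its expiry.
    Destruction is 'cryptographic': once the key is gone, so is the message,
    as far as the ciphertext is concerned."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.ciphertexts = {}
        self.keys = {}
        self.expiry = {}
        self.displayed = {}   # plaintext the app holds while rendering a message

    def deliver(self, msg_id, plaintext, ttl_seconds):
        key = secrets.token_bytes(32)
        self.ciphertexts[msg_id] = keystream_xor(key, plaintext)
        self.keys[msg_id] = key
        self.expiry[msg_id] = self.clock() + ttl_seconds

    def purge_expired(self):
        now = self.clock()
        for msg_id in [m for m, t in self.expiry.items() if t <= now]:
            # Overwrite-then-delete is a gesture: Python gives no guarantee the
            # old bytes ever leave RAM, which is exactly the post's point.
            self.keys[msg_id] = b"\x00" * 32
            del self.keys[msg_id]
            del self.expiry[msg_id]
            self.displayed.pop(msg_id, None)

    def read(self, msg_id):
        self.purge_expired()
        key = self.keys.get(msg_id)
        if key is None:
            return None       # key destroyed; ciphertext alone recovers nothing
        plaintext = keystream_xor(key, self.ciphertexts[msg_id])
        self.displayed[msg_id] = plaintext
        return plaintext


class FakeClock:
    """Deterministic clock so the expiry can be stepped over in a test."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Recipient reads the message, an image of device memory is taken while it
    is displayed, then the message expires. Returns what each party ends up with."""
    clock = FakeClock()
    inbox = ExpiringInbox(clock)
    message = b"meet at the usual place, 9pm"          # constructed sample
    inbox.deliver("m1", message, ttl_seconds=60)
    shown = inbox.read("m1")
    snapshot = dict(inbox.displayed)   # stands in for a memory dump taken now
    clock.now += 61
    after_expiry = inbox.read("m1")
    return {
        "shown": shown,
        "after_expiry": after_expiry,
        "snapshot": snapshot.get("m1"),
        "ciphertext": inbox.ciphertexts["m1"],
        "key_present": "m1" in inbox.keys,
    }


if __name__ == "__main__":
    result = demo()
    print("read before expiry:", result["shown"])
    print("read after expiry: ", result["after_expiry"])
    print("memory snapshot:   ", result["snapshot"])
```

Key wiping protects against someone who obtains the device, or a backup of its storage, after the timer fires; it does nothing against a copy made while the key or the decrypted text was resident, and nothing at all against a screenshot. That is the sense in which the destruction guarantee is fundamentally hard rather than just badly implemented.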
Overall code quality: Who knows.
Ease of use: Very easy. Just set your message expiration date, key in the destruct time, and send away.
Should I use this to fight my oppressive regime? Yes, as long as your fight consists of sending naughty self-portraits to your comrades-at-arms. Otherwise, probably not.
In summary
If you've made it this far, I'm guessing you still have one burning question. Namely: What app should I use if I'm trying to overthrow my government?
The simple answer is that I just don't know. It's not an easy question.
Each of the above apps seems quite good, cryptographically speaking. But that's not the problem. The real issue is that they each run on a vulnerable, networked platform. If I really had to trust my life to a piece of software, I would probably use something much less flashy -- GnuPG, maybe, running on an isolated computer locked in a basement.
Then I would probably stay locked in the basement with it.
But not everyone is a coward like me. The widespread availability of smartphones has already changed the way people interact with their government. These encryption apps could well be the first wave in an entirely new revolution -- one that makes truly private communication a reality.
Notes:
* Some services actually know and store your private keys, while others operate as a Certificate Authority, allowing you to 'certify' new public keys under your name. Either of these models makes eavesdropping relatively easy for someone with access to the server.