Email is not secure. Let’s stop fooling ourselves. Just because I use Gmail, and I’m using it over HTTPS does not mean that the email I send or receive is encrypted while being transmitted outside of Google’s network. Inside Google’s network, even, the contents are not encrypted. So, why do we keep sending sensitive information through email, and why do our banks and mortgage brokers and HR departments keep asking for us to send our Social Security number, bank accounts, and other private details through email?
Is it because we are oblivious, naïve, or do we just not care? I suspect it’s a little of all three, but mainly it’s because encryption is hard, and the difficulty barrier keeps us from adopting it.
The alpha launch of Keybase has got me excited. It uses the public-key cryptography (a.k.a. PGP/GnuPG) model to identify yourself, prove your identity, and allow others to vouch for your identity. I hope it paves the way to making encryption easier for us all, from the technologically-skilled to the technologically-challenged.
How Public-key Encryption Works
I want people to send me sensitive information, but I don’t want anyone else to read it while the information is traveling across the Internet. So, I create a pair of keys. One is public; I can send it to others. One is private; I should keep it secret and safe, like the most secret password I’ve ever had.
I give my public key to someone who wants to send me sensitive information, like a Social Security number. They encrypt a file using my public key and send the encrypted file to me. I can decrypt it, since I have the private key that’s paired with the public key used to encrypt the file. I’m the only one in the world who can read the file, and that’s great because I was the intended recipient.
Here’s what’s important: even if someone intercepts the file, they cannot read it because they do not have the private key to decrypt the message. Even if they have my public key, they cannot decrypt it. The information is safe!
A second benefit of encryption is that I can sign my messages to other people, using my private key. If the recipient has my public key, they can verify the signature. If the signature is bogus, they know I didn’t send the message, but if it checks out, they can be certain I sent the message. No one can forge my signature. Using the signature ensures the message hasn’t been tampered with and the recipient hasn’t been fooled into thinking they’ve received a message from me that is really spam (or worse).
A third benefit is the web of trust . Others may validate my public key by signing it with their own key. These signatures are then added to public key servers as additional proofs that the keys in question do, in fact, belong to their real owners. This helps others know whether a signed message from me is actually coming from the real me and not just someone claiming to be me with a false key. The web of trust is decentralized, with key servers around the world.
Encryption Is Hard
While encryption provides massive benefits, it is difficult even for seasoned technologists to perform, much less everyone else. This is because the tools we use for encryption often require basic knowledge of how encryption works. Command line tools and mail and browser plugins may be used to encrypt and decrypt messages using your public/private key pair, but these tools are all afterthoughts, things that must be installed and maintained by a user who knows what they are doing.
In order to gain mass adoption of encryption, it needs to be made central to the applications and platforms we use, and we need the ability to use it easily without fully understanding it. It needs to just work.
How Keybase Fits In
I think Keybase is taking steps toward making encryption work for everyone. Keybase is like a key server with much more. I’m excited about what it could become and what it means for the technology community.
With the alpha launch, here are a few of the things Keybase provides:
- Identity verification with your Twitter and GitHub
Truncated by Planet PHP, read more at the original (another 3912 bytes)
more
{ 0 comments... » Will Encryption Catch on With Keybase? read them below or add one }
Post a Comment