5 July 2014

This Ultra Simple App Let’s Anyone — Encrypt Anything

July 3, 2014 ·
http://www.fortunascorner.wordpress.com

Andy Greenberg has an article in today’s (July 3, 2014) Wired.com, with the title above. He begins by noting, “encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald, via encrypted email, Greenwald couldn’t figure out the venerable crypto program PGP — even after Snowden made a 12 minute tutorial video.”

“Nadim Kobeissi wants to bulldoze that steep learning curve,” adds Mr. Greenberg. “At the Hope Hacker Conference in New York later this month,” he writes, “he’ll release a beta version of an all-purpose file encryption program called — MiniLock – a free, and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.”

“The tagline is that this is file encryption — that does more with less,” said Kobeissi, a 23yr. old coder, activist, and security consultant. “It’s super simple, approachable, and it’s almost impossible to be confused using it,” he added.

Mr. Greenberg writes that Kobeissi’s creation is in “an experimental phase; and, shouldn’t yet be used for high security files; and, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin — tested by Wired — Mr. Greenberg says “we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient — in theory — not even law enforcement, nor intelligence agencies — could unscramble and read it.” “MiniLock,” he writes, “can be used to encrypt anything from video email attachments, to photos — stored on a UBS drive; or, to encrypt files for secure storage on DropBox, or Google Drive.”

“Like older PGP,” Mr. Greenberg adds, “MiniLock also offers so-called “public key” encryption systems. In public key encryption systems, users have two cryptographic keys, a public key, and a private one. They share the same public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.”

“Kobeissi’s version of public key encryption hides nearly all of that complexity,” Mr. Greenberg notes. “There’s no need to even register or log in — every time MiniLock launches, the user uses only a passphrase, though MiniLock requires a strong one — with as many as 30 characters; or, a lot of symbols and numbers. From that passphrase, the program devises a public key, which it calls a MiniLock ID, and a private key which the user never sees; and, is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session — means anyone can use the program on any computer/device, without worrying about safely storing, or moving a sensitive private key.”

“No logins, and no private keys to manage. Both are eliminated. That’s what’s special,” said Kobeissi. “Users can have their identity for sending and receiving files on any computer that has MiniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP.”

“In fact,” adds Mr. Greenberg, “MiniLock uses a flavor of encryption that had barely been developed when PGP became popular in the 1990s: elliptic curve cryptography. Kobeissi says that the crypto tool set allows for tricks that haven’t been possible before; PGP’s public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And, elliptic curve crypto makes possible MiniLock’s feature of deriving the user’s keys from his or her passphrase every time it’s entered — rather than storing them. Kobeissi says he’s saving the full technical explanation of MiniLock’s elliptic curve feats for his Hope Conference talk.”

“Despite all those clever features,” notes Mr. Greenberg, “Minilock may not get a warm welcome from the crypto community. Kobeissi’s best-known previous creation is CryptoCat, a secure chat program that, like MiniLock, made encryption so easy that a five-year old could use it. But, it also suffered from several serious security flaws that led many in the security community to dismiss it as useless, or worse, a trap offering vulnerable users an illusion of privacy.”

“But, the flaws that made CrypoCat into the security community’s whipping boy have been fixed Kobeissi claims. Today, the program has been downloaded close to 750K times; and, a security ranking of online chat programs by the German firm, PSW Group last month — it tied for first,” notes Mr. Greenberg.

“Despite CryptoCat’s early flaws, MiniLock shouldn’t be dismissed,” says Matthew Green, a cryptography professor at John’s Hopkins University — who highlighted previous bugs in CryptoCat, and has now reviewed Kobeissi’s design spec for MiniLock. “Nadium gets a lot of crap,” Green says. “But, slighting him over things he did years ago is getting pretty unfair.”

“Green is cautiously optimistic about MiniLock’s security,” notes Mr. Greenberg, with Green saying “I wouldn’t go out and encrypt NSA documents with it right now. But, added, “it has a nice and simple cryptographic design, with not a lot of places for it to go wrong…This is one that I actually take some review; but, could be pretty secure.”

Kobeissi says he’s also learned lessons from CryproCat’s failures: MiniLock won’t initially be released in the Chrome Web Store. Instead, he’s making its code available on GitHub for review; and, has taken special pains to document how it works in detail for any auditors. “This isn’t my first rodeo,” he says. “[MiniLock's] openness is designed to show sound programming practice, studied cryptographic design decisions, and had to make it easy to evaluate MiniLock for potential bugs.”

Mr. Greenberg concludes, “if MiniLock becomes the first — truly idiot-proof, public key encryption program, it could bring sophisticated encryption to a broad new audience.” “PGP sucks,” Johns Hopkins Green says. “The ability for a regular person to encrypt files is actually a valuable thing…[Kobeissi] has stripped the complexity and made this thing that does what we need it to do.”

User Friendly, And Widespread End-To-End Encryption, With Self-Destruct Technology — Is Only A Matter Of Time

Mr. Greenberg’s article, and Mr. Kobeissi’s new encryption technique is part of a wave of new encryption methods and techniques that got a substantial boost as a result of the Edward Snowden leaks. As Klint Finley recently wrote (May 16, 2014) in Wired.com, “we’re still a long way from ubiquitous encryption, but according to new research conducted by network equipment company Sandvine, we’re at lest making progress.”

Before the Snowden leaks, encrypted web traffic accounted for [just] 2.29 percent of all peak-hour [web] traffic in North America,” according to the cyber security firm Sandvine. Now, [encrypted web traffic] has grown to 3.8 percent increase in less than one year. The surge in encrypted traffic was even greater overseas. In Europe, encrypted [web] traffic grew from 1.47 percent, to 6.1 percent; while, in Latin America, it increased from 1.8 percent to a staggering 10.37 percent — both in less than a year, according to Sandvine. No doubt al Qaeda and other darker angles of our nature are also part of this growing encrypted/”gated digital” community.

But, end-to-end, wide-spread Internet encryption isn’t the panacea that one might think. David Meyer, writing in the November 13, 2013 online edition of Gigaom, noted that encrypted [web] conversations can still fall victim to “so-called, man-in-the-middle attacks — where the attacker effectively sits in-between the service and the user, duping the user into thinking the attacker is the service they’re trying to reach.’ “There is a danger that if people think HTTP is secure by default, they might develop a false sense of security,” wrote Mark Nottingham, an Akamai emissary; and, Chair of The World Wide Web Consortium’s (W3C) HTTP Working Group.

Moreover, at least at this stage of the technology, both parties, (the sender and the receiver) exchanging emails must have the same, encrypted software installed on their devices — in order for this kind of widespread encryption to work. And, until the technology progresses, there is a performance tradeoff — in that encryption slows down the sending and receiving web traffic — though, there are indications with Mr. Kobeissi’s MiniLock, or Google’s Proton end-to-end encryption might mitigate much of that performance tradeoff. Finally, there is no guarantee that the encryption software that you are purchasing — doesn’t itself have a backdoor implanted somewhere in the software. It is a different world out there on the web.

No comments: