This simple app lets anyone be an encryption expert (Wired UK)

Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn’t figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.

Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he’ll release a beta version of an all-purpose file encryption program called MiniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.

“The tagline is that this is file encryption that does more with
less,” says Kobeissi, a 23-year old coder, activist and security
consultant. “It’s super simple, approachable, and it’s almost
impossible to be confused using it.”

Kobeissi’s creation, which he says is in an experimental phase
and shouldn’t yet be used for high security files, may in fact be
the easiest encryption software of its kind. In an early version of
the Google Chrome plugin tested by Wired, we were able to drag and
drop a file into the program in seconds, scrambling the data such
that no one but the intended recipient — in theory not even law
enforcement or intelligence agencies — could unscramble and read
it. MiniLock can be used to encrypt anything from video email
attachments to photos stored on a USB drive, or to encrypt files
for secure storage on Dropbox or Google Drive.

Like the older PGP, MiniLock offers so-called “public key”
encryption. In public key encryption systems, users have two
cryptographic keys, a public key and a private one. They share the
public key with anyone who wants to securely send them files;
anything encrypted with that public key can only be decrypted with
their private key, which the user guards closely.

Kobeissi’s version of public key encryption hides nearly all of that complexity. There’s no need even to register or log in: every time MiniLock launches, the user enters only a passphrase, though MiniLock requires a strong one, on the order of 30 characters, or a shorter one dense with symbols and numbers. From that passphrase, the program derives a public key, which it calls a MiniLock ID, and a private key, which the user never sees and which is erased when the program closes. Both are the same every time the user enters the passphrase. Regenerating the same keys in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key; the flip side is that the passphrase becomes the only secret protecting that identity.

“No logins, and no private keys to manage. Both are eliminated.
That’s what’s special,” says Kobeissi. “Users can have their
identity for sending and receiving files on any computer that has
MiniLock installed, without needing to have an account like a web
service does, and without needing to manage key files like
PGP.”

In fact, MiniLock uses a flavour of encryption that was still little used when PGP became popular in the 90s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven’t been possible before. PGP’s public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible MiniLock’s feature of deriving the user’s keys from his or her passphrase every time it’s entered rather than storing them. Kobeissi says he’s saving the full technical explanation of MiniLock’s elliptic curve feats for his HOPE conference talk.
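Taken together, the three paragraphs above describe a passphrase-derived elliptic-curve identity: a key-stretching step turns the passphrase into a private scalar, the curve’s scalar multiplication turns that scalar into a 32-byte public key, and the public key encodes to a short ID. The following is an added illustration written for this page, not MiniLock’s own code. The article names neither the curve, nor the key-derivation function and salt, nor the ID encoding, so the choices here (X25519 from RFC 7748, PBKDF2-HMAC-SHA256 with a fixed application salt, standard base64, which gives exactly 44 characters for 32 bytes) are assumptions that merely reproduce the lengths the article reports.

```python
# Added example (not MiniLock's own code): a passphrase-derived elliptic-curve
# identity of the kind the article describes. Assumptions not stated on the page:
# the curve (X25519, RFC 7748), the passphrase KDF (PBKDF2-HMAC-SHA256 with a
# fixed salt) and the ID encoding (standard base64 of the 32-byte public key).
import base64
import hashlib

P = 2**255 - 19                      # field prime for Curve25519
A24 = 121665                         # (A - 2) / 4 with A = 486662
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, the standard X25519 generator
KDF_SALT = b"example-minilock-salt"  # assumption: one app-wide salt (see note)
KDF_ROUNDS = 200_000                 # assumption: stretching cost


def _clamp(scalar: bytes) -> int:
    """Decode a 32-byte scalar with the bit-clamping from RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: returns the u-coordinate of
    scalar * (point with u-coordinate u). Pure Python big ints, so it is NOT
    constant-time; it is here to show the math, not to ship."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_keypair(passphrase: str):
    """Stretch the passphrase into a private scalar and compute its public key.
    Same passphrase -> same keys, the property the article describes; it also
    means the passphrase is the only secret, so it must resist guessing."""
    priv = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               KDF_SALT, KDF_ROUNDS, dklen=32)
    pub = x25519(priv, BASEPOINT)
    return priv, pub


def minilock_id(passphrase: str) -> str:
    """The public key as a short shareable string: 44 base64 chars for 32 bytes."""
    _, pub = derive_keypair(passphrase)
    return base64.b64encode(pub).decode("ascii")


def shared_secret(my_priv: bytes, their_id: str) -> bytes:
    """Diffie-Hellman between my private scalar and a recipient's ID. Both
    sides obtain the same 32 bytes, which would then key the file cipher."""
    return x25519(my_priv, base64.b64decode(their_id))


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    alice_pass = "correct horse battery staple, 2014 edition!"
    bob_pass = "another long passphrase with digits 0987654321"
    alice_priv, _ = derive_keypair(alice_pass)
    bob_priv, _ = derive_keypair(bob_pass)
    alice_id, bob_id = minilock_id(alice_pass), minilock_id(bob_pass)
    print("Alice's ID:", alice_id, f"({len(alice_id)} chars)")
    # Each side combines its own private scalar with the other's public ID.
    assert shared_secret(alice_priv, bob_id) == shared_secret(bob_priv, alice_id)
    print("shared secret agrees on both sides")
```

Two practical consequences follow from the design. Because nothing but the passphrase is secret, anyone who sees a MiniLock ID can run passphrase guesses offline against it, which is why the program insists on a long one and why the key-derivation step must be deliberately slow. And with a single fixed salt, as assumed here, two users who pick the same passphrase end up with the same ID, so a real implementation would salt the derivation with something user-specific.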

Despite all those clever features, MiniLock may not get a warm welcome from the crypto community. Kobeissi’s best-known previous creation is Cryptocat, a secure chat program that, like MiniLock, made encryption so easy that a five-year-old could use it. But it also suffered from several serious security flaws that led many in the security community to dismiss it as useless or worse, a trap offering vulnerable users an illusion of privacy.

But the flaws that made Cryptocat the security community’s whipping boy have been fixed, Kobeissi points out. Today the program has been downloaded close to 750,000 times, and in a security ranking of chat programs by the German security firm PSW Group last month it tied for first place.

Despite Cryptocat’s early flaws, MiniLock shouldn’t be dismissed, says Matthew Green, a cryptography professor at Johns Hopkins University who highlighted previous bugs in Cryptocat and has now also reviewed Kobeissi’s design spec for MiniLock. “Nadim gets a lot of crap,” Green says. “But slighting him over things he did years ago is getting to be pretty unfair.”

Green is cautiously optimistic about MiniLock’s security. “I
wouldn’t go out and encrypt NSA documents with it right now,” he
says. “But it has a nice and simple cryptographic design, with not
a lot of places for it to go wrong… This is one that I actually
think will take some review, but could be pretty secure.”

Kobeissi says he’s also learned lessons from Cryptocat’s
failures: MiniLock won’t initially be released in the Chrome Web
Store. Instead, he’s making its code available on GitHub for
review, and has taken special pains to document how it works in
detail for any auditors. “This isn’t my first rodeo,” he says.
“[MiniLock’s] openness is designed to show sound programming
practice, studied cryptographic design decisions, and to make it
easy to evaluate MiniLock for potential bugs.”

If MiniLock becomes the first truly idiot-proof public key
encryption program, it could bring sophisticated encryption to a
broad new audience. “PGP sucks,” Johns Hopkins’ Green says. “The
ability for regular people to encrypt files is actually a valuable
thing…[Kobeissi] has stripped away the complexity and made this
thing that does what we need it to do.”


This article originally appeared on Wired.com

Source: wired.co.uk