Tuesday, July 9, 2013

Simple solutions for message encryption

The revelations that the US National Security Agency (NSA) and the UK's Government Communications Headquarters (GCHQ) have been intercepting internet traffic highlight an important fact: many forms of communication are not secure from prying eyes and ears.

The worry is that if the US and UK intelligence communities can snoop on your confidential business communications, then perhaps other governments' intelligence agencies may also do so - not to mention business competitors and criminal gangs.

A partial solution is to encrypt your communications - email, instant messages, mobile phone calls and text messages. Good encryption ensures that no-one who intercepts your communications can read or change the contents. But it's only a partial solution because encrypted messages usually still provide some information, such as who you are communicating with.

Encryption is also a signal that the content is worth hiding - a sure-fire way to attract the attention of eavesdroppers. A foreign intelligence service could store any encrypted communications it intercepts in the hope that in the future new technology will enable their decryption.

PKI encryption

Many encryption systems need two keys: a public one which you make freely available to anyone who wants it, and a private one which you keep secret. A person with your public key can use it to encrypt a message to you - and the message can only be decrypted using your private key.

In the same way, you can encrypt messages to anyone whose public key you have, and it can only be decrypted with their corresponding private key.

This type of solution, known as public key infrastructure (PKI), is extremely secure but far from straightforward to use. It involves acquiring and managing - or at least knowing where to find - the public keys of the people with whom you want to communicate. That's assuming that they even have one.

Mailvelope screenshot

If you're a Microsoft Outlook user you can generate your own keys and encrypt your emails with a plugin called Outlook Privacy Plugin. You can also use the PKI encryption with popular webmail systems including Gmail, Yahoo! Mail and Outlook.com using a browser extension for Firefox or Chrome such as Mailvelope.

Easier use

The good news is that there are plenty of products around offering good encryption which are easy to use and avoid the problem of managing keys altogether.

Many are free and open source while still being up to scratch for business. In fact there's a good argument for saying that you should use open source encryption products whenever possible. That's because it's only possible to verify if a product is as secure as the developers say if the source code is open for inspection.

Encrypted email

Hushmail is a simple webmail service which uses strong encryption to protect messages.

If you are sending an email to someone who has never used Hushmail before then you are asked to add a question to the email (such as "Where did we eat last night?" or "What is the password that we arranged?") that the recipient must answer correctly to decrypt the message. They will then be prompted to supply their own passphrase that can be used to unlock any subsequent emails.

Hushmail screenshot

Encrypted instant messaging

Cryptocat is a free, open source add-on to the Firefox, Chrome and Safari browsers that provides an encrypted instant messaging and file transfer application.

You can use it to chat to colleagues securely in a pre-arranged conversation room from anywhere in the world. Each time you log on and join a conversation the software generates new encryption keys which are exchanged with other users automatically, so there is no possibility of Cryptocat being able to intercept and read your messages.

Cryptocat screenshot

Secure mobile calls and text messages

TextSecure and RedPhone are Android-only apps that encrypt text messages and voice calls between phones running the same applications. They have been developed by Whisper Systems, a company headed by renowned security researcher Moxie Marlinspike. Both applications are free and open source, and have been designed to be exceptionally easy to set up and use without worrying about obtaining and storing public keys.

RedPhone runs over Wi-Fi or data connection rather than the mobile phone network, while TextSecure runs over standard SMS channels.

Calls, texts, email and videoconferencing

Silent Circle is for iOS and Android. The company is led by Phil Zimmermann, the creator of the PGP encryption program, and offers four apps for secure email, text messaging, voice calls (with up to six people) and video conferencing with other Silent Circle users.

The apps themselves are free to download, but to use them requires a subscription (currently $120 - £80 - for 12 months).

For an extra $288 (£193) per year you can also make use of the company's Out-Circle Access service, which allows you to use the apps to communicate with anyone - not just other Silent Circle users.

Your communications are secure from your phone to Silent Circle's servers, after which they are sent on to their destination unsecured. This can be useful if you are abroad and suspect that the local communications infrastructure may not be secure, but need to contact someone who is not an existing Silent Circle user.

Secure text

Threema is a secure mobile messaging application that lets you send encrypted text messages, photos and video clips. It can find other Threema users from your contacts automatically and collect their public keys, or you can add them manually.

When Threema finds a contact automatically it gives them an orange verification level. This lets you know that you have not collected their public key in person, so it may not be genuine.

As an alternative, the application can generate a scannable QR code containing key information which you can scan directly from a contact's phone into yours. Contacts added like this are given a more secure green verification level to let you know that you have personally verified their source.

Threema costs £1.37 for Android and £1.49 for iOS.

Quick online text encryption

Infoencrypt is a free, simple web-based service that allows you to type in a message and choose a password for its encryption. You can then copy and paste the encrypted text into any email program and send it.

The recipient receives the encrypted text along with Infoencrypt's web address, and decrypts it by copying and pasting it onto the web page, typing in the password and clicking decrypt.

Infoencrypt screenshot

The obvious problem is how the recipient knows the password. It clearly can't be included in the email, so to use Infoencrypt you either need to have arranged a password beforehand, or to send it by a different method such as text message or phone call.

It's also important to bear in mind that the site provides no information about the encryption algorithm it uses, so there is no way to verify its real level of security.
