Archives for posts with tag: verifying keys

Only the owner of a cryptographic key can decrypt any message encrypted against it. Therefore, if you want to send a message securely to another person, you have to know and use his key to encrypt the message. You have to be certain that it belongs to that person, and not to somebody else that tries to eavesdrop on your communication. This is why many secure communication apps allow you to verify keys using a short fingerprint that is uniquely tied to the key and that can be verified ‘out of band’. This means you have to ask for someone’s fingerprint (over the phone, or by looking at his business card) and compare it to the fingerprint your app shows for that person’s key. Apple’s iMessage is a notable exception, though. And frequently criticised for it.
Read the rest of this entry »

After Apple released a document last month describing iOS security in detail for the first time, a lively discussion about iMessage security ensued on Hacker News. The main criticism: users so not need to (cannot even) verify the authenticity of the public keys used to encrypt the messages. Instead users need to trust Apple to give them the right keys, and not to sneak an extra key in that would allow Apple (or the NSA) to eavesdrop on your messages. But is this criticism fair?

Read the rest of this entry »