January 17, 2017
To improve encryption, Google has launched an open source project, Key Transparency, a follow-up to its Certificate Transparency effort. Both address the same need: verifying that the public key or certificate presented for the person or server a user believes they are connecting to is the genuine one. Keybase, a directory of verified users and their “cryptographic credentials,” is one existing solution, but Google wants contact verification to be systematic and privacy-preserving, by publishing keys in a record that clients can check for themselves rather than trusting the directory’s answer.
TechCrunch reports that Google collaborated with the CONIKS team, Open Whisper Systems and the security team at Yahoo on Key Transparency, which relies on a large-scale database of accounts (and their public keys). The resulting system, which is “obscure to an attacker but verifiable by users,” is “efficient, auditable, highly scalable … and potentially integrated into credential-tracking services like Keybase or into secure communications.”
An overview of the technical design is available on GitHub.
InfoSecurity Magazine reports that the “new toolkit for encryption key transparency designed to help developers improve messaging security” is a “generic, secure way to discover a recipient’s public keys for addressing messages correctly.” PGP and other current systems “require users to manually verify recipients’ accounts in-person.”
Google security/privacy engineers Ryan Hurst and Gary Belvin report that, “One of our goals with Key Transparency was to simplify this process and create infrastructure that allows making it usable by non-experts.”
“Users should be able to see all the keys that have been attached to an account, while making any attempt to tamper with the record publicly visible,” they said. “This also ensures that senders will always use the same keys that account owners are verifying.”
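As an added illustration (not code from the Key Transparency project), the following toy directory shows the two properties described above: a sender is only ever given a key that is provably part of the published record, and an account owner can list every key ever attached to the account and spot one she never published. Real Key Transparency uses a more elaborate structure (a Merkle map of accounts plus a log of map heads) and signed, gossiped tree heads; the class and function names, the record encoding and the byte-string “keys” here are this example’s own assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example, not Key Transparency's own code: a toy append-only key directory
# whose record format, names and byte-string "keys" are this example's assumptions.
def leaf_hash(data: bytes) -> bytes:
    # RFC 6962-style domain separation (0x00 leaf, 0x01 node): a leaf can never pose as a node.
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n, the split point RFC 6962 uses.
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_path(index: int, leaves: List[bytes]) -> List[Tuple[str, bytes]]:
    # Sibling hashes from the leaf upward; "L"/"R" says which side the sibling is on.
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [("R", root_hash(leaves[k:]))]
    return inclusion_path(index - k, leaves[k:]) + [("L", root_hash(leaves[:k]))]

def verify_inclusion(record: bytes, path: List[Tuple[str, bytes]], root: bytes) -> bool:
    # Client side: rebuild the root from the record and its siblings; the server is not trusted.
    h = leaf_hash(record)
    for side, sibling in path:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root

def encode(account: str, pubkey: bytes) -> bytes:
    # Length-prefixed fields, so ("ab", b"c") and ("a", b"bc") cannot collide.
    a = account.encode()
    return len(a).to_bytes(2, "big") + a + len(pubkey).to_bytes(2, "big") + pubkey

class KeyDirectory:
    """Server side: an append-only log of (account, public key) records."""
    def __init__(self) -> None:
        self.entries: List[Tuple[str, bytes]] = []
    def _leaves(self) -> List[bytes]:
        return [encode(a, k) for a, k in self.entries]
    def publish(self, account: str, pubkey: bytes) -> int:
        self.entries.append((account, pubkey))  # append only: nothing is ever overwritten
        return len(self.entries) - 1
    def tree_head(self) -> Tuple[int, bytes]:
        # What the server publishes; a real system signs this and clients gossip it.
        return len(self.entries), root_hash(self._leaves())
    def lookup(self, account: str) -> Optional[Tuple[bytes, List[Tuple[str, bytes]]]]:
        # Latest key for the account plus its inclusion proof under the current head.
        idxs = [i for i, (a, _) in enumerate(self.entries) if a == account]
        if not idxs:
            return None
        return self.entries[idxs[-1]][1], inclusion_path(idxs[-1], self._leaves())
    def history(self, account: str) -> List[bytes]:
        # Every key ever attached to the account: what the owner audits.
        return [k for a, k in self.entries if a == account]

def sender_fetches_key(directory: KeyDirectory, account: str, trusted_root: bytes) -> Optional[bytes]:
    """A sender accepts a key only if its proof reproduces the head the sender already trusts."""
    found = directory.lookup(account)
    if found is None:
        return None
    pubkey, path = found
    return pubkey if verify_inclusion(encode(account, pubkey), path, trusted_root) else None

def owner_audits(directory: KeyDirectory, account: str, keys_i_published: List[bytes]) -> List[bytes]:
    """The account owner flags any key in the log that it never published."""
    return [k for k in directory.history(account) if k not in keys_i_published]

# Constructed sample data: byte strings standing in for real public keys.
ALICE_K1, ALICE_K2, BOB_K1, ROGUE = b"alice-key-1", b"alice-key-2", b"bob-key-1", b"attacker-key"

def demo() -> dict:
    d = KeyDirectory()
    d.publish("alice", ALICE_K1)
    d.publish("bob", BOB_K1)
    d.publish("alice", ALICE_K2)  # key rotation: the old key stays visible in the log
    _, root = d.tree_head()
    honest = sender_fetches_key(d, "alice", root)
    # Attack 1: the server answers with a substituted key but cannot forge a proof for it.
    _, path = d.lookup("alice")
    forged_ok = verify_inclusion(encode("alice", ROGUE), path, root)
    # Attack 2: the server appends a rogue key for alice; the head changes and her audit exposes it.
    d.publish("alice", ROGUE)
    _, new_root = d.tree_head()
    return {"honest": honest, "forged_ok": forged_ok, "root_changed": new_root != root,
            "unexpected": owner_audits(d, "alice", [ALICE_K1, ALICE_K2])}
```

Calling `demo()` returns the sender’s accepted key (`ALICE_K2`), `forged_ok` as `False`, `root_changed` as `True`, and the rogue key as the one entry the owner never published. What the toy leaves out is how a client gets a trusted root in the first place: in Certificate Transparency and Key Transparency the head is signed, compared between clients (gossip), and accompanied by consistency proofs that the log only grows, which is what stops a server from showing one tree to the account owner and another to everyone else.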
Many cryptographers have welcomed the new initiative, but Venafi chief cybersecurity strategist Kevin Bocek points out that, “its success will depend on developer interest.”
“Building a database of public keys not linked to digital certificates has been attempted before with PGP and never gained widespread adoption,” he adds.