Key Verification: Enhancing Your Privacy
When you communicate using end-to-end encryption, each person you message has their own public key. You encrypt messages with that key so that only its owner can read them, and key verification is how you confirm that the key really belongs to the person you think it does.
But how do you identify the correct public key for use?
Suppose you receive an email claiming to come from your best friend, Hemstone, with a PGP public key file attached that is meant to secure your future messages. Or someone posing as Hemstone sends you a chat request on an encrypted messenger app such as Signal or WhatsApp, which shows a security code that will protect future messages. There is a real chance that these messages are not from your friend at all.
If you encrypt messages with a public key you believe belongs to Hemstone, you may be unpleasantly surprised to learn it was not his. An attacker who tricked you into using their key is then in a position to decrypt everything you send.
To guard against this, verify keys. Key verification ensures that you are using your friend's correct encryption key and that they are using the correct key for you.
When and Where to Verify Keys
Different messaging platforms verify keys in their own ways, but each of them encourages users to check that the keys are correct outside the messaging platform. This is called out-of-band verification. In Hemstone's case, you might meet him in person to verify the keys, or call him to confirm that the public encryption key belongs to him.
You may wonder why out-of-band verification is necessary. Here are the reasons:
If you are not sure who actually sent you a key, you cannot rely on it. Not every secure messaging platform is completely secure.
It is hard for an attacker to impersonate someone on more than one platform at once. For example, if you verify Signal fingerprints over a FaceTime video call, an impersonator would have to fake both accounts to succeed, which is much harder to pull off.
Verifying Keys Out-of-Band
Encryption keys are long strings of numbers that are hard to check by hand or read aloud. Communication software therefore offers a safety number or fingerprint derived from the key to make verification easier. It is much shorter and easy to check. A fingerprint may be an image or graphic, a set of common words, or simply a shorter number.
To verify a contact's key, they show you or read out the fingerprint of their key, and you check it against the key you hold for them on your device. Your contact does the same check of your key fingerprint from their end. This way both of you know the keys are genuine.
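The following example, added here and not taken from the original article or any messaging app's code, shows how a fingerprint is derived from raw key bytes, formatted in the two common styles (hex groups as PGP prints, decimal groups as a safety number), and compared against what a contact reads aloud. The key bytes are a constructed stand-in, and hashing the raw key with SHA-256 is an assumption; real tools hash a specific serialisation, but the principle of a short digest standing in for the long key is the same.

```python
import hashlib
import hmac

# Constructed sample standing in for a contact's raw public key bytes.
# It is not a real key; the bytes exported by a PGP or messenger tool
# would be fed through the same functions.
HEMSTONE_PUBLIC_KEY = bytes(range(32))


def fingerprint(public_key: bytes) -> bytes:
    """Derive a fingerprint by hashing the key bytes with SHA-256.

    Assumption: real tools hash a particular serialisation of the key;
    the idea is the same, a short digest that stands in for the long key."""
    return hashlib.sha256(public_key).digest()


def hex_fingerprint(public_key: bytes) -> str:
    """Hex fingerprint in groups of four characters, the style PGP prints."""
    digest_hex = fingerprint(public_key).hex().upper()
    return " ".join(digest_hex[i:i + 4] for i in range(0, len(digest_hex), 4))


def safety_number(public_key: bytes, groups: int = 6) -> str:
    """Decimal 'safety number' style: groups of five digits taken from the
    digest, which are easier to read aloud over the phone than hex."""
    digest = fingerprint(public_key)
    parts = []
    for i in range(groups):
        chunk = int.from_bytes(digest[5 * i:5 * i + 5], "big") % 100000
        parts.append(f"{chunk:05d}")
    return " ".join(parts)


def _normalise(text: str) -> str:
    """Drop whitespace and case so a value read aloud or pasted with odd
    spacing compares equal to the locally formatted one."""
    return "".join(text.split()).upper()


def fingerprints_match(local_key: bytes, reported: str) -> bool:
    """Check the fingerprint a contact reports (spoken, pasted, or scanned)
    against our copy of their key. hmac.compare_digest keeps the comparison
    constant-time, so a partial match leaks nothing through timing."""
    expected = _normalise(hex_fingerprint(local_key)).encode()
    given = _normalise(reported).encode()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    print("hex fingerprint :", hex_fingerprint(HEMSTONE_PUBLIC_KEY))
    print("safety number   :", safety_number(HEMSTONE_PUBLIC_KEY))
    # What Hemstone reads to us over the phone; spacing and case differ.
    spoken = hex_fingerprint(HEMSTONE_PUBLIC_KEY).lower().replace(" ", "")
    print("matches         :", fingerprints_match(HEMSTONE_PUBLIC_KEY, spoken))
```

The comparison normalises spacing and case because a fingerprint read over the phone or pasted from a chat rarely arrives formatted exactly as your own app prints it; a single wrong character, however, still fails the check.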
You can verify keys out-of-band through these methods:
Verifying keys in person
Verifying keys in person is the best method. It is far easier to be sure that the person in front of you is the same one you talk to online than when you rely on email, text, or social media, where phishing attempts are common. When you meet, each of you confirms that the public key fingerprint you hold for the other matches, character for character, what the other person shows you. It is tedious, but worth doing.
Bear in mind that messaging apps differ, and some offer alternative ways to check a key fingerprint. There is currently no universal fingerprint format or standard procedure for checking one. One app may ask you to read the fingerprint character by character and confirm it matches your partner's; another may have you scan a QR code on the other person's phone to verify the key.
Verifying keys over another medium
If meeting the other person is hard, you can verify keys by contacting them over a different communication platform, one other than the platform whose keys you are verifying.
For instance, to verify PGP keys, you could use an OTR chat or a telephone call to complete the process. Whenever possible, verify keys over a medium that is more secure than the one you are protecting. This matters because an adversary is unlikely to be able to intercept both channels at the same time.
Whatever app you prefer, you will always be able to find the keys you are using with your communication partner. How you locate them varies by app, but the verification itself is the same: read the key fingerprint aloud to your partner over the telephone or face to face, or copy it and paste it into your chosen channel, making sure every letter and number is copied correctly.
Watch for your partner's key changing. Messaging apps usually notify you when this happens. Confirm with your partner, over another medium or in person, that the change came from them. For example, a friend moving to a new phone should tell you in advance, so a new-key notification does not take you by surprise.
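The key-change warning described above can be modelled as a small trust-on-first-use store. This example is added here and is not code from the original article or from any messenger; the contact name, the stand-in keys and the SHA-256 fingerprint are constructed assumptions. It records each contact's key fingerprint, whether it was verified out-of-band, and drops the verified status the moment a different key shows up, so that sending is blocked until the new key is checked.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

NEW, UNCHANGED, CHANGED = "new", "unchanged", "changed"


def fingerprint_hex(public_key: bytes) -> str:
    """SHA-256 of the key bytes as hex (assumption: a simplified stand-in
    for whatever fingerprint the real app shows)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class ContactRecord:
    fingerprint: str
    verified: bool = False                 # confirmed out-of-band?
    previous: Optional[str] = None         # fingerprint held before a change


@dataclass
class KeyStore:
    """Trust-on-first-use store: remembers each contact's key fingerprint
    and whether it was verified out-of-band, and flags any change."""
    records: Dict[str, ContactRecord] = field(default_factory=dict)

    def observe(self, contact: str, public_key: bytes) -> str:
        """Call whenever a key for `contact` arrives; returns NEW, UNCHANGED
        or CHANGED. A changed key loses its verified flag until re-checked."""
        fp = fingerprint_hex(public_key)
        rec = self.records.get(contact)
        if rec is None:
            self.records[contact] = ContactRecord(fp)
            return NEW
        if rec.fingerprint == fp:
            return UNCHANGED
        self.records[contact] = ContactRecord(fp, verified=False,
                                              previous=rec.fingerprint)
        return CHANGED

    def mark_verified(self, contact: str, confirmed_fingerprint: str) -> bool:
        """Record an out-of-band check; succeeds only if the fingerprint the
        contact confirmed equals the one we hold for them."""
        rec = self.records.get(contact)
        if rec is None or rec.fingerprint != confirmed_fingerprint.strip().lower():
            return False
        rec.verified = True
        return True

    def safe_to_send(self, contact: str) -> bool:
        """Only send once the key currently on file has been verified."""
        rec = self.records.get(contact)
        return rec is not None and rec.verified


def new_phone_scenario() -> list:
    """Walk through: first key seen, verified in person, key unchanged on
    later messages, then a new key after Hemstone changes phones."""
    store = KeyStore()
    old_key = bytes(range(32))           # constructed stand-in keys
    new_key = bytes(range(32, 64))
    events = []
    events.append(store.observe("hemstone", old_key))                         # new
    events.append(store.safe_to_send("hemstone"))                             # False
    events.append(store.mark_verified("hemstone", fingerprint_hex(old_key)))  # True
    events.append(store.safe_to_send("hemstone"))                             # True
    events.append(store.observe("hemstone", old_key))                         # unchanged
    events.append(store.observe("hemstone", new_key))                         # changed
    events.append(store.safe_to_send("hemstone"))                             # False
    events.append(store.records["hemstone"].previous == fingerprint_hex(old_key))
    return events


if __name__ == "__main__":
    print(new_phone_scenario())
```

Keeping the previous fingerprint on a change lets you tell your friend exactly which key you used to hold, which is useful when confirming over the phone that the switch to a new phone was really theirs.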
PGP's Web of Trust
Out-of-band verification is hard to organize when you have many contacts, but it is always worth organizing. If it is too tall an order, consider tools that give you hints about whether you are using the correct key.
PGP lets you sign other people's keys, which vouches that the person is the owner of the key you are using. PGP users also meet at key-signing parties, where they compare identity documents and sign each other's keys. Even though the signing itself is easy, it is your PGP software that decides whether a key can be trusted, mainly based on how many people have signed it. This network of users who verify and vouch for one another is called the web of trust. It helps you judge the validity of a new key, much like a recommendation from a friend.
Alongside the web of trust, you can download new contacts' keys from PGP keyservers. The software uploads a key, tied to an email address, to a keyserver, and other PGP users can then ask that keyserver for the key belonging to a particular email address. After fetching a key from a keyserver, still verify it with its owner to be safe.
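To show how PGP software turns "how many people have signed this key" into a decision, here is a simplified model of the web-of-trust validity computation. It is an added example, not GnuPG's code or the article's, and it uses GnuPG's default thresholds (one fully trusted signer or three marginally trusted signers, up to five certification steps) as stated assumptions; the signatures are plain records assumed to be already cryptographically verified, and the names are constructed stand-ins for key ids, not real keys.

```python
from typing import Dict, Set

# Owner-trust levels the local user assigns to key holders, after GnuPG.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

# GnuPG's default thresholds (completes-needed=1, marginals-needed=3,
# max-cert-depth=5): a key becomes valid when signed by one fully trusted
# valid key or by three marginally trusted valid keys.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_valid_keys(own_key: str,
                       signatures: Dict[str, Set[str]],
                       owner_trust: Dict[str, str]) -> Set[str]:
    """Simplified web-of-trust validity computation (not GnuPG's code).

    signatures maps a key id to the set of key ids that signed it; the
    signatures are assumed already cryptographically checked. Only
    signatures from keys that are themselves valid count, so validity
    spreads outward from our own key one certification step at a time."""
    valid = {own_key}
    trust = dict(owner_trust)
    trust[own_key] = ULTIMATE          # we always trust our own key
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            live = [s for s in signers if s in valid]
            completes = sum(1 for s in live if trust.get(s) in (ULTIMATE, FULL))
            marginals = sum(1 for s in live if trust.get(s) == MARGINAL)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def example_web() -> Set[str]:
    """Constructed outcome of a key-signing party (names stand in for key
    ids) run through the validity computation."""
    signatures = {
        "alice": {"me"},                    # I signed these three at the party
        "bob": {"me"},
        "carol": {"me"},
        "dave": {"alice"},                  # vouched for only by alice
        "eve": {"bob", "carol"},            # two marginal signers: not enough
        "frank": {"bob", "carol", "dave"},  # three marginal signers: enough
        "grace": {"eve"},                   # signed only by a key that is not valid
    }
    owner_trust = {"alice": FULL, "bob": MARGINAL,
                   "carol": MARGINAL, "dave": MARGINAL}
    return compute_valid_keys("me", signatures, owner_trust)


if __name__ == "__main__":
    print(sorted(example_web()))
```

Note that "eve" stays invalid even though two people signed her key, and "grace" stays invalid because her only signer is not valid herself: a signature only carries weight once the signer's own key has been validated and the local user has assigned that signer some trust. This is also why a key fetched from a keyserver should still be verified with its owner unless it already checks out through the web.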