There are many things cryptography solves when it comes to ensuring the integrity and privacy of user connections, from protecting the content of communications so that only the intended recipients can decrypt them to authenticating the parties to multi-actor transactions. One of the coolest things crypto enables is ensuring that the person I think I am talking to is exactly who I think it is, even if they are thousands of miles away and I have never met them.

I want to share our thinking about key verification design and the ways we implement it to help our users across Wickr apps authenticate their contacts.

On Wickr networks - either Messenger or Wickr Pro - each user's account is ultimately bound to their signature key pair: the Identity Keys. Identity Keys consist of a matching public and private key. The private key is used to produce digital signatures and the public key can then be used to verify those signatures. When you add someone to your contact list, your Wickr client immediately obtains the public part of the contact's identity keys from the server and stores it locally. All subsequent communication from that contact can now be authenticated by checking that each received message was digitally signed using the contact's identity keys. Put differently, a Wickr account is controlled by whoever controls the identity keys belonging to the account.

However, in practice we are usually interested in communicating with a particular person, not just with anybody who controls a particular set of identity keys. In other words, although Wickr guarantees that all communication from a contact was really produced by the holder of that contact's keys, it is equally important to ensure that the person using those keys is really who we think they are. Making that connection between identity keys and the actual person behind them is what is sometimes called key verification. Key verification is a crucial step for securely (i.e. privately and authentically) communicating with your contact using Wickr (and really any tool making use of end-to-end encryption). It is only by performing this step that we can protect ourselves from man-in-the-middle attacks, where an adversary substitutes their own identity keys for those of the contact during the initial setup phase.

KEY VERIFICATION IN PRACTICE // Wickr Pro

Given the importance of key verification, a variety of practical solutions exist to help users perform it. Take as an example probably the most widely deployed solution, the certificates used in conjunction with the TLS protocol. Essentially, a certificate is a digital voucher that a trusted third party, namely the Certification Authority which issued the certificate, has verified that the holder of a particular key pair has the real-world identity specified in the certificate. In other words, a certificate encodes statements of the form "Certification Authority Verisign guarantees that the holder of public key XYZ is the company Wickr Inc."

Another example of a tool to assist with key verification is the 2D barcode used by some apps to encode the public part of a key. The idea here is to make it easier for users to communicate their key to each other over some out-of-band channel. A 2D barcode helps by giving users a simple image they can exchange and scan, potentially a much less arduous task than communicating, say, a long string of digits.

Wickr is no exception in that key verification is a crucial part of using the app securely. However, as we do not want to rely solely on third-party services for key verification, the certificate solution of TLS is not a realistic option for Wickr. What's more, when designing the key verification procedure we wanted to build a system that did not require contacts to already have a pre-existing authenticated out-of-band channel with which to communicate their key verification information, as this could prove to be an onerous prerequisite in many practical use cases.

Wickr Pro: user verification screen + user status visualization across networks (external & internal)

These constraints motivate the video-based key verification solution used by Wickr applications. The solution consists of two simple steps:

Let's take Wickr Pro as an example: when I create a new account and accompanying identity keys, the Wickr Pro app asks me to create a matching key verification video.
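The identity-key model and the key verification step described above, as an added example that is not Wickr's code: a contact's stored public key authenticates each message by its signature, while an out-of-band fingerprint comparison (standing in for the barcode or video) is what reveals a key substituted during setup. Ed25519, the SHA-256 fingerprint and the names NewIdentity, Authenticate, Fingerprint and VerifyContact are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity models a user's long-term signing key pair (the Identity Keys above);
// Ed25519 is an assumption made for this example.
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Identity{Pub: pub, priv: priv}, err
}

// Sign produces the signature a client attaches to an outgoing message.
func (id Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.priv, msg) }

// Authenticate: was msg signed by the public key the client stored for this contact?
func Authenticate(stored ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(stored, msg, sig)
}

// Fingerprint: short digest users compare out of band (digest format is an assumption).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyContact: does the server-supplied key match the fingerprint the contact gave us directly?
func VerifyContact(stored ed25519.PublicKey, fromContact string) bool {
	return Fingerprint(stored) == fromContact
}

func main() {
	bob, _ := NewIdentity()
	other, _ := NewIdentity() // whoever controls a different key pair
	msg := []byte("hello from Bob")
	// Real key: true true. Substituted key: true false, because per-message signatures
	// verify against whatever key was stored and only the out-of-band comparison catches the swap.
	fmt.Println(Authenticate(bob.Pub, msg, bob.Sign(msg)), VerifyContact(bob.Pub, Fingerprint(bob.Pub)))
	fmt.Println(Authenticate(other.Pub, msg, other.Sign(msg)), VerifyContact(other.Pub, Fingerprint(bob.Pub)))
}
```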