( ~~~ )
  ))^ ^((
 ((* - *))
   _) (_
 / '--' \     ^
//(_  _)\\   /_\
\\ )__( //   .'
 (( v  ))   (
   \| /\     '-.
    K(  \       )
    |\\  '-._.-'
Want your PHP application manually audited? Check out Xxor AB's PHP Security Auditing Service

Friday, July 29, 2011

Encrypt.se New Feature: Key exchange

Encrypt.se is a small tool that helps anyone to easily send encrypted messages. There is no registration, no cookies, no hassle.
Read more about it in this previous post: http://ha.xxor.se/2011/07/encryptse-beta-open-for-public.html

The Key Exchange feature enables users of Encrypt.se to communicate their secret crypto key to their friends over the phone, even if someone might be listening.

I've been working hard the last week to get this feature up and running. Currently there's only a PHP implementation, witch means that you will have to rely on our server to do some of the encryption and decryption. A JavaScript implementation is on its way.

How it works

To securely transmit a secret key over an insecure channel we utilize a well known method. This is how it works.

--------Sender--------           ------Recipient------

 (Step 1)
Input a secret key and
apply a first level of
encryption to the key.
Send the encrypted key            (Step 2)
to the recipient.      --------> The recipient applies
                                 a second level of
                                 encryption and
 (Step 3)                        transmits the double-
The sender now removes <-------- encrypted key back.
(decrypts) the first
level of encryption                       
and transfers the
encrypted key back to             (Step 4)
the recipient.         --------> The recipient can now 
                                 remove (decrypt) the
                                 second level of
                                 encryption and read
                                 the secret key.

--------Sender--------           ------Recipient------


This method is of course susceptible to a MITM attack. But by using the phone or any other medium where other parts identity can be validated, for example by recognizing their voice, it is safe.