Google has released Key Transparency, an open source public directory meant to simplify the discovery of intended recipients’ public encryption key.
The project is still in the prototype phase, and the company is looking for input from the crypto community and other industry leaders. Security pros from Open Whisper Systems, Yahoo, and the CONIKS team have been leding their hand for a while now.
The aim is to make Key Transparency an easy-to-use (even by non-experts) lookup service for public encryption keys that will assure that the provided information hasn’t been tampered with.
All record changes are visible and logged, and those logs are tamper-proof, Google says.
“Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it,” the developing team noted.
But its use can also be expanded.
“Key Transparency is a general-use, transparent directory that makes it easy for developers to create systems of all kinds with independently auditable account data,” Ryan Hurst and Gary Belvin of Google’s Security and Privacy Engineering team explained.
“It can be used in a variety of scenarios where data needs to be encrypted or authenticated. It can be used to make security features that are easy for people to understand while supporting important user needs like account recovery.”
There have been attempts in the past to create a similar system, but they failed to gain widespread popularity due to different combinations of technical problems and social obstacles (web-of-trust schemes are one such example).
The public presentation of Key Transparency was made a day before the issue of key verification received much public attention due to a security researcher’s claim that a WhatsApp vulnerability regarding key changes “can be used to allow Facebook and others to intercept and read encrypted messages.”
But Open Whisper System’s Moxie Marlinspike put a stop to the speculation of whether the vulnerability was a deliberate backdoor, noting that senders are automatically notified if the recipient’s key changes and can verify whether they are still taking to the intended person.