ShadowCrypt research project shows encryption approach
by Nancy Owano / 11/6/14
A team of researchers from UC Berkeley and University of Maryland believe they have come up with a previously unexplored design point, ShadowCrypt, that enables encrypted input/output without trusting any part of the web applications. That means they are suggesting a tool that can bring simple encrypted messaging to webmail and social networking sites. That means you could send and receive encrypted text on Facebook and Twitter. MIT Technology Review refers to it as a prototype browser extension, where the site operator or anyone intercepting the posting sees only a garbled string of letters and numbers. The researchers, in their paper, “ShadowCrypt: Encrypted Web Applications for Everyone,” prepared for presentation at the ACM Conference on Computer and Communications Security, discussed the chokepoint in their design. “This chokepoint encrypts data before the application code (including the client-side code) can access it. The application can only view an encrypted version of the data. This requires isolating the input and output fields while still providing the application access to the encrypted data. Choosing this chokepoint means that no application code is in the TCB. This leads to a system secure against attackers at the client-side as well as the server-side. It also gives the user complete control over the data. In contrast, previous proposals required trusting application developers to handle data in a privacy-preserving manner.”
They implemented ShadowCrypt as a Google Chrome browser extension. The extension is available on the Chrome Store for anyone to try out; ShadowCrypt also has its own web site. When you install the extension, said the team, you have a few keys set up by default. These are to see if everything is working correctly. “Encryption is great for small group collaboration,” said the site. “You can share your encryption key to allow your collaborators to see what you’ve written.” ShadowCrypt is developed and maintained by the WebBlaze team from UC Berkeley and collaborators from University of Maryland. They are Warren He, Devdatta Akhawe, and Sumeet Jain, and Dawn Song from Berkeley, and Elaine Shi from the University of Maryland. The source code is on their GitHub repository. To put ShadowCrypt to work, explained Tom Simonite in MIT Technology Review, “you install the extension and then create encryption keys for each website you wish to use it with. A small padlock icon at the corner of every text box is the only indication that ShadowCrypt is hiding the garbled encrypted version that will be submitted when you hit the ‘send’ or ‘post’ button.” Discussing future work in their paper, the team said “We are currently working on supporting additional schemes that can work transparently,” such as Format Preserving Encryption and Attribute-based Encryption. In the longer run, they said their aim is to support encryption schemes that rely on modifications to existing web applications to work, such as Searchable Encryption or Fully Homomorphic Encryption.
Kryptokit Launches as Dark Wallet Rival
by Danny Bradbury / December 10, 2013
As secure client-side bitcoin wallet Dark Wallet reaches its funding goal, a competitor has emerged – and is already shipping. Kryptokit, a wallet designed for secure bitcoin payments and messaging, launched today at the Inside Bitcoins conference in Las Vegas as an extension for the Chrome browser. This, coincidentally, was one of Dark Wallet’s main goals. The product, which is a reworked version of now-defunct project Rushwallet, features two tabs: a bitcoin wallet and a secure messaging system. Launched by Anthony Di Iorio, CEO of Canada’s Bitcoin Alliance, the wallet can automatically locate any bitcoin addresses contained within a web page. Thus, users can make payments automatically, without cutting and pasting. Di Iorio, who aims to replace Instawallet, an online wallet which was known for its ease-of-use, but also for its security flaws. Instawallet closed following a hack back in April. Kryptokit’s founder wanted to provide similarly simple service, albeit one that avoided storing a user’s private keys centrally. Thus, Kryptokit’s desktop wallet was designed to store bitcoin addresses locally.
As a Chrome extension, the Kryptokit wallet is an open-source project. Users can create their bitcoin addresses by moving their mouse around the screen. This, along with a random number generator, creates each user’s address. The system also has another tab, for secure messaging. This uses GPG (the open-source version of the Pretty Good Privacy protocol developed by Phil Zimmerman) to secure messages between its users. Users generate a GPG key from within their wallet, but they can also import them from elsewhere. The GTG key can be used to encrypt messages that are sent to other Kryptokit users. One of the disadvantages of this system, for now at least, is that it isn’t possible to email non-users of the software. However, one of the benefits is that there’s no SMTP (Simple Mail Transfer Protocol) header to worry about. SMTP, used for routing email around the Internet, is a notoriously leaky protocol that divulges lots of information about senders. Integration with conventional email systems is something that Di Iorio hopes to introduce in time, using an Open PGP encryption system called Mailvelope. Other future features may also include a social networking service to unite the wallet’s users, and a password management system to store login credentials for other sites. This system would only store them on the user’s local desktop machine, however. GPG-encrypted messages reside on Kryptokit’s servers until they are collected by the recipient, says Di Iorio. After that, they are deleted. “Let’s say the government wants to take down our server. They can take it. It’s all encrypted and they wouldn’t be able to see anything. This is why I say it’s all NSA-proof,” Di Iorio said, adding that GPG keys and bitcoin private keys are never stored on his central computers.
TextSecure : A drop-in replacement for the standard Android text messaging application, allowing you to send and receive text messages as normal. All text messages sent or received with TextSecure are stored in an encrypted database on your phone, and text messages are encrypted during transmission when communicating with someone else also using TextSecure.
RedPhone : An Android application that enables encrypted voice communication between RedPhone users. RedPhone integrates with the system dialer to provide a frictionless call experience, but uses ZRTP to setup an encrypted VoIP channel for the actual call. RedPhone was designed specifically for mobile devices, using audio codecs and buffer algorithms tuned to the characteristics of mobile networks, and using push notifications to maximally preserve your device’s battery life while still remaining responsive.
An App Keeps Spies Away from Your iPhone
A cryptography pioneer offers a simple way to fight electronic surveillance
by Tom Simonite / June 27, 2012
Anytime you use your phone to make a call or send an e-mail or text message, there’s a chance it will be intercepted by someone who has access—legal or otherwise—to your providers’ servers. A new app called Silent Circle tries to change that by encrypting calls, e-mails, and texts. It’s aimed at activists, companies, and individuals who fear they’re being spied on. Silent Circle is also the name of the company behind the app. Both were masterminded by Phil Zimmermann, who earned a place in Internet history in 1991 by releasing PGP (for pretty good privacy), open-source software that can be used to encrypt e-mails and other digital messages. PGP quickly earned a large following amongst free speech and privacy activists worldwide, but the technology is now controlled by a company that sells it to businesses. “PGP has got pretty far from what it was intended for: use by individuals,” says Zimmermann. “I wanted to do more stuff for the individual.” Silent Circle is intended to offer solid encryption to just about anyone, he says; and to promote privacy in an era when governments sometimes see electronic communications as ripe sources of intelligence. Prototypes of Silent Circle are being tested on iPhones and iPads. Zimmermann says a finished version will be released later this year for $20 a month. The product will actually be a suite of four apps—one each for encrypting voice calls, e-mails, and text messages, and one for encrypted cloud storage. Calls and texts between two users of the app will be fully encrypted at all stages; they are encrypted between a Silent Circle user and the company’s servers only if a user is communicating with someone not using the app. Silent Circle’s e-mail service can exchange fully encrypted messages between other users of the app as well as people with compatible e-mail systems that use PGP.
Zimmermann says the app is intended to be easy to use and expects it to have broader appeal than PGP, which requires some technical know-how. He thinks human rights workers and businesspeople traveling to countries such as Iran or China that are known to use wiretapping will welcome the app, as will privacy-conscious individuals in the U.S. “Surveillance is a growing problem all over the world,” he says, “and I believe there are a lot of people in the U.S. that might feel more comfortable using it.” Zimmermann chose to locate Silent Circle’s servers in Canada, which has strong privacy laws. To protect against government demands to hand over users’ data, he has also designed his apps so the encryption keys used to secure communications always remain with the user and never reach the central server (although the current version of the e-mail app doesn’t yet work this way). “We can’t be coerced into giving up what we don’t have,” says Zimmermann. Twitter, Facebook, and many other Web companies are required by law to hand over user data to U.S. government agencies and law enforcement in certain situations and typically comply. Using Silent Circle would also protect communications against controversial warrantless wiretapping tactics such as those the NSA was found to be using on U.S. telecommunications providers in 2005. Ashkan Soltani, an independent privacy researcher, welcomes Zimmermann’s attempt to make secure communications as easy as installing an app. Silent Circle is one of a handful of companies trying to prove that there is a market in charging for privacy-enhancing technology outside of specialized use cases such as for law enforcement or defense. “It’s a move to monetize privacy in the same way that computer security is, for example, with anti-virus,” he says. But Soltani says Silent Circle could struggle to persuade people that they need the app. He suggests that the company could attract users by putting less emphasis on technology or the specter of surveillance. “They’re selling the negative, not the value,” he says, adding that the company might do better to market privacy apps as providing a feeling or warmth and peace of mind.
SNOOPWALL PRIVACY FLASHLIGHT
‘Brightest Flashlight’ Android App Shared Users’ Location, Device ID Without Consumers’ Knowledge
“The creator of one of the most popular apps for Android mobile devices has agreed to settle Federal Trade Commission charges that the free app, which allows a device to be used as a flashlight, deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. …The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.”