♪ I’ve got the key, I’ve got the secreeeee-eeet ♪
Google has released an open-source technology dubbed Key Transparency, which is designed to offer an interoperable directory of public encryption keys.
Key Transparency offers a generic, secure way to discover public keys.
The technology is built to scale up to internet size while providing a way to establish secure communications through untrusted servers.
The whole approach is designed to make encrypted apps easier and safer to use.
Google put together elements of Certificate Transparency and CONIKS to develop Key Transparency, which it made available as an open-source prototype on Thursday.
The approach is a more efficient means of building a web of trust than older alternatives such as PGP, as Google security engineers Ryan Hurst and Gary Belvin explain in a blog post.
“Existing methods of protecting users against server compromise require users to manually verify recipients’ accounts in person.
This simply hasn’t worked.
The PGP web-of-trust for encrypted email is just one example: over 20 years after its invention, most people still can’t or won’t use it, including its original author. Messaging apps, file sharing, and software updates also suffer from the same challenge.”
Key Transparency aims to make the relationship between online personas and public keys “automatically verifiable and publicly auditable” while supporting important user needs such as account recovery. “Users should be able to see all the keys that have been attached to an account, while making any attempt to tamper with the record publicly visible,” Google’s security boffins explain.
The directory will make it easier for developers to create systems of all kinds with independently auditable account data, Google techies add.
Google is quick to emphasise that the technology is very much a work in progress.
“It’s still very early days for Key Transparency. With this first open-source release, we’re continuing a conversation with the crypto community and other industry leaders, soliciting feedback, and working toward creating a standard that can help advance security for everyone,” they explain.
The project has so far involved collaboration with the CONIKS team, Open Whisper Systems, and the security engineering teams at Yahoo! and within Google.
Early reaction to the project from some independent experts such as Matthew Green, a professor of cryptography at Johns Hopkins University, has been positive.
Kevin Bocek, chief cyber-security strategist at certificate management vendor Venafi, was much more sceptical.
“Google’s introduction of Key Transparency is a ‘build it and hope the developers will come’ initiative,” he said. “There is not the clear compelling event as there was with Certificate Transparency, when the fraudulent issuance of digital [certificates] was starting to run rampant. Moreover, building a database of public keys not linked to digital certificates has been attempted before with PGP and never gain[ed] widespread adoption.” ®