Latest posts by Alvin Bryan (see all)
- Finally, Facebook Apologizes for Emotion Experiment - October 13, 2014
- Twitter Sues for Rights to Disclose Government Data Requests - October 12, 2014
- NSA Falsely Accused Snowden of Helping Terrorists - October 9, 2014
Text messaging gets a lot more secure with the new TextSecure app for iOS. Perfect forward secrecy and multiple keys gives the app the power to hinder attempts to snoop information form text messages. This function in the app that secures messaging is also available in the current Android app version.
Perfect Forward Secrecy
TextSecure uses perfect forward secrecy to better secure text messaging on smartphones. Perfect forward secrecy is a cryptographic property that can significantly improve the secrecy of text messages sent in near real time on iPhones. TextSecure was released last month and has so far gotten good reviews. Perfect forward secrecy has always been important to privacy advocates, and is now considered crucial by many in light of heightened privacy concerns.
Perfect forward secrecy in the TextSecure app will generate keys as the app is used instead of using the same key to encrypt multiple messages. Each individual message within a session can therefore be encrypted with a different key. This is currently the highest level of text messaging security that is widely available to smartphone users. This is because using multiple keys makes eavesdropping much harder. With each message encrypted individually, a snooper would have to crack hundreds or thousands of keys to read the data. In addition, if the snooper gets into or otherwise compromises the device that was used to send the encrypted messages, deleted messages cannot be retrieved because the keys used in perfect forward secrecy are not stored on the device.
The level of cryptographic protection used in perfect forward secrecy is not yet available in most encrypted e-mail programs. This is because for email, all messages sent to one address are decrypted using only a single private key. Other asynchronous messaging systems face the same problem. E-mail and SMS texting services can temporarily store a message on a third-party server until the recipient’s device is ready to receive it. Synchronous systems work only when both sender and receiver devices are active. But message storage poses another security risk, so developers are working on how they can allow messages to be received even when devices are not active without having third parties store any messages.
TextSecure and VPN for Mobile Devices
To secure text messages, both the sender and recipient using TextSecure must be available to swap random bits of data in near real time. This data will be used to negotiate and generate the keys. Then the session has the assurance of protection by truly strong secrecy. The key negotiation can halt the flow of SMS texts so that the temporary public key needed to assure public forward secrecy is only sent when devices are active. Normally apps can automatically respond to negotiation requests even when running in the background. TextSecure got around the problem on Android devices. It does not yet work perfectly, but it is still an advantage to use it. The key negotiation was more problematic on iOS, but this has now also been fixed. Privacy app developer Moxie Marlinspike devised a way for “prekeys” to be generated by the app and sent to a server when TextSecure is first registered on a device. This is so that when a TextSecure user wants to send a message, he or she can download a prekey instead of waiting for a response. This preserves secrecy while eliminating the hassle.
When used together with a VPN connection, TextSecure can provide a much higher level of all-around privacy for users. But the two people who are communicating must both be using TextSecure and be connected to their respective VPN services. Encrypted messages sent through the app can still be intercepted and decoded. Though it is unlikely that a snooper would take the time and make the effort to individually decode messages, the VPN ensures that other data sent online by either user cannot be intercepted and used to aid in the decoding process. The volume of information that the average user sends online every day is staggering. Many users do not realize how easily they can be identified, profiled, and linked to other users just from their daily activities online. Using a VPN to shield all data and traffic from online snooping safeguards the user from unintentionally releasing sensitive information on the internet. With a good privacy VPN, users are much safer from snoopers who need to gather personal data about them to help them launch attacks and retrieve encrypted data.