making crypto invisible

Q. What good is a tool that requires complicated rituals such as key signing parties, or fingerprint verification?> A. Instant loss of security, privacy and usability.

Q. What good is a tool that uses encryption in a network of plain-text connections?
A. Instant suspicion.

Q. What good is a tool for circumventing censorship in a country that forbids it?
A. Instant confession.

Our proposal

Eccentric Authentication is a protocol that weaves cryptography into
the normal workflow of the net. It hides all cryptography from view,
yet performs its duties at every moment.

People would interact with web sites just like they do now except that
they get:
- easier account creation, log-in and log-out handling; no more passwords;
- full pseudonymity, users have a different identity at each site;
- private messages that only the intended recipient can read;

Users (ie, the people) won’t notice any cryptography at all. They find
that the protocol offers:

  • fully automatic identity management;

  • their computer remembers their accounts for them;

  • no more impossible to answer security or trust questions;

  • their computer detects and blocks phishing attempts for them, keeping them safe;

  • users stay in control of their privacy;

Site operators will have to set up their servers in a slightly
different way than they do currently:

  • replace passwords for client certificates;

  • run https-only;

  • run their own fully automated certificate signer; this does all the
    hard work for the site-operator; (fully automated, so easy to
    outsource to a hosting provider without losing its security and
    privacy properties)

Passing the Greenwald-test

Site operators can go further. When setting up a newspaper, a blog or
a comment section, they can let people post signed messages, (fully
automated by the user agent).

This offers journalists the option to sign their articles with their
private key, which is no more dufficult than pressing the button at
the user agent.

Over time there will be a large corpus of articles, all signed using
that key. When someone reads an article, their user agent verifies the
necessary cryptographic properties. If it validates, the reader can
use the key to encrypt messages to the journalist. If there is a
validation error, the agent refuses to let people to get into
situations where a crypto-problem could lead to inadvertent disclosure
of identity or confidentiality.

In other words: The readers of that newspaper have to determine
whether or not they trust that journalist with their message, the
protocol keeps it confidential. Without either party having to think
about cryptography.

This same mechanisms works between bloggers and commenters. When a
blogger posts a signed message and your user agent has validated its
signature to be correct, you can use it to write a private message to
that blogger, however he/she is in real life.

When you want to write a private message, the system makes it
possible.
Again, without any need to know cryptography.

Village square

What we have done so far create a way for strangers to exchange public
keys between them. The only thing they need is a way to find each
other. That’s the role of the web site. It’s like the village square
where people meet and engage in public discussion or private
chat. However, it will leave a trail of pseudonyms who meets whom at
the square.

To protect the people from too much traffic analysis, the protocol
offers people to do the equivalent of exchanging telephone numbers at
the square, only more secure.

Once two people have met on a site and their agents have validated
their keys, they can set up a private communication channel between
them. This channel is independent of the site where they met, it goes
directly between their computers. The site cannot learn of anything
that these two people do once they’ve set up their independent
channel. The only metadata leak we have is network traffic analysis
but for that we have Tor which is also easy to automate at this point.

What this channel entails is upto them. It could be a VOIP-telephone
like connection, a shared document editing platform, or one has
invited the other to an existing community. All secure and
private. There are many good crypto-projects to let people communicate
either in private or in a a community. This project lets people find
others to join them. The other projects makes sure it happens. For
example: LEAP to mail to people, Ostel to talk, Jitsi to chat,
Secushare to collaborate with others.

Conclusion

We make it possible for normal people to be safe and secure on the
internet. Each person runs a user agent that handles all the key
management tasks for them.

It makes privacy the default on the net. Every whistleblower can reach
every journalist of their choice, the system keeps their communication
confidential.

It’s backwards compatible with the current web. People without the
user agent can still read all the public posted messages of
everyone. It doesn’t exclude anyone from reading. And people who don’t
have the user agent installed might still be able to participate in
public discussions, albeit anonymously. They cannot create private
channels, nor enjoy confidentiality.

It can slowly grow in momentum until there is a critical mass where
it becomes a must have.

It uses ubiquitous encryption, every connection is encrypted so
Tor-traffic doesn’t stand out amongst the ‘normal’ traffic. On the
contrary, it is advisable to use Tor or GnuNET every time. However,
that’s a decision that everyone has to make for themselves.

The project aims to let people discover others and join their
communities. The cryptography keeps them safe against warrantless
spying or snooping. The weaving of crypto into the net makes this
available to the common people, without requiring them to learn how to
use it. (That’s the programmer’s job).