Existing PSST Tools
From Guardian Project Wiki
A compilation and examination of existing tools, both mobile and desktop based, currently used for Encryption and Authentication.
Contents |
PGP/GPG Key Management
PGP is best for formal communications, using long-lived encryption keys for confidentiality and digital signatures for authenticity. However these security mechanisms also create vulnerability, in that if a key is compromised, the entire historical record of conversations encrypted using that key can be read after the fact, providing a cryptographically verifiable transcript.
Mobile
Android Privacy Guard (APG)
APG is the only open source public key encryption tool available for Android. Originally built as a tool to allow on-device file encryption, it has expanded its featureset considerably to support integration with K9 Mail, an open source email client for Android. APG has intentions to grow into a fully-featured OpenGPG implementation of GOG or PGP caliber.
Notes from the field
From direct interations with end-users, it is clear that APG has a number of basic usability flaws and layout problems. As a mobile application, it is not designed intuitively for usage by average Android users. However, the most considerable flaw observed is that it too closely emulates the features and functionality of GPG, which is (unfortunately) not a standard that is widely known outside of the open source security community. Straightforward concepts such as Public Key vs. Private Key management are difficult to grasp, unless a user has been introduced to the technologies at-length beforehand.
Notes on application security
Along with other mobile applications, APG was the subject of a preliminary security audit by the team at FluidNexus. In that exercise, they found that APG caches passphrases in plain text. As a result, it becomes a security vulnerability to use your primary keypair on both APG and a desktop environment.
Desktop
Gnu Privacy Guard (GnuPG)
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
Notes from the field
GnuPG is the gold standard in open source PGP. In practice, however, it can be extremely difficult for novice users to understand the intricacies of practices such as key exchange and key signing, and even the difference between message signing and encryption. The fact that it does not 'just work' seamlessly and behind the scenes is a major restriction to mass adoption.
Off-The-Record Messaging
Off-the-Record Messaging (OTR) is better suited for casual conversations, with short-lived keys that are generated for each new conversation. Messages sent using OTR are not digitally signed, and conversations are forgeable after the fact - thus providing deniability to a user. During a conversation, however, OTR ensures identity authentication.
Mobile
Gibberbot
Desktop
Pidgin
Adium
Encrypted Email
The two major, open standards for encrypting email are PGP and S/MIME. Both use public key cryptography, but the difference is how the keys are validated as trustworthy. PGP relies on the "Web of Trust" of people signing each others keys. S/MIME relies on Certificate Authorities to sign keys, basically the same idea as used in HTTPS certificate validation.
