A compilation and examination of existing tools, both mobile and desktop based, currently used for Encryption and Authentication.

PGP/GPG Key Management

PGP is best for formal communications, using long-lived encryption keys for confidentiality and digital signatures for authenticity. However these security mechanisms also create vulnerability, in that if a key is compromised, the entire historical record of conversations encrypted using that key can be read after the fact, providing a cryptographically verifiable transcript.

Mobile

(APG) Android Privacy Guard

APG is the only open source public key encryption tool available for Android. Originally built as a tool to allow on-device file encryption, it has expanded its featureset considerably to support integration with K9 Mail, an open source email client for Android. APG has intentions to grow into a fully-featured OpenGPG implementation of GOG or PGP caliber.

Notes from the field

From direct interations with end-users, it is clear that APG has a number of basic usability flaws and layout problems. As a mobile application, it is not designed intuitively for usage by average Android users. However, the most considerable flaw observed is that it too closely emulates the features and functionality of GPG, which is (unfortunately) not a standard that is widely known outside of the open source security community. Straightforward concepts such as Public Key vs. Private Key management are difficult to grasp, unless a user has been introduced to the technologies at-length beforehand.

Notes on application security

Along with other mobile applications, APG was the subject of a preliminary security audit by the team at exercise FluidNexus]. In [http://fluidnexus.net/blog/post/6 that, they found that APG caches passphrases in plain text. As a result, it becomes a security vulnerability to use your primary keypair on both APG and a desktop environment.

Desktop

(GnuPG) Gnu Privacy Guard

GnuPG is the libraries GNU project]'s complete and free implementation of the OpenPGP standard as defined by [http://www.ietf.org/rfc/rfc4880.txt RFC4880] . GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of [http://www.gnupg.org/related_software/frontends.html frontend applications] and [http://www.gnupg.org/related_software/libraries.html are available. Version 2 of GnuPG also provides support for S/MIME.

Notes from the field

GnuPG is the gold standard in open source PGP. In practice, however, it can be extremely difficult for novice users to understand the intricacies of practices such as key exchange and key signing, and even the difference between message signing and encryption. The fact that it does not 'just work' seamlessly and behind the scenes is a major restriction to mass adoption.

Off-The-Record Messaging

Off-the-Record Messaging (OTR) is better suited for casual conversations, with short-lived keys that are generated for each new conversation. Messages sent using OTR are not digitally signed, and conversations are forgeable after the fact - thus providing deniability to a user. During a conversation, however, OTR ensures identity authentication.

Mobile

  • Gibberbot
  • xabber

Desktop

  • Pidgin
  • Adium
  • Psi
  • gajim

Encrypted Email

The two major, open standards for encrypting email are PGP and S/MIME. Both use public key cryptography, but the difference is how the keys are validated as trustworthy. PGP relies on the "Web of Trust" of people signing each others keys. S/MIME relies on Certificate Authorities to sign keys, basically the same idea as used in HTTPS certificate validation.

PGP

S/MIME

  • Apple Mail
  • Evolution GNOME
  • Mozilla Thunderbird

Also available in: PDF HTML TXT