Can Google’s Key Transparency make encrypted email ubiquitous?

Today I’m going to talk about a topic that has gained a lot of attention since the presidential election: encrypted email.

Services such as ProtonMail—a secure email system with end-to-end encryption—have reported record signup numbers in recent months. This parallels the increasing adoption and provision of encrypted instant messaging services such as Signal, Telegram, iMessage and WhatsApp. As someone who works in security, I applaud this; more people communicating via encrypted messaging can only be a good thing.

+ Also on Network World: Enterprise encryption adoption up, but the devil’s in the details +

However, there is a big problem with encrypted email, which is that it mostly sucks. The problem lies in the open nature of email itself. Unlike proprietary messaging systems like WhatsApp, email is based on open-standards. Anyone can run their own email server, and you can send an email to anyone in the world just by knowing their email address using any software you like.

While this freedom is fantastic, it makes implementing encryption much more complex. WhatsApp-style messaging platforms, on the other hand, are the electronic equivalent of an old-fashioned totalitarian state (think Big Brother from George Orwell’s 1984).  However, this makes it easier to implement encryption because the system already controls all the user data, how users communicate, the entire server infrastructure, and importantly, all the key management, storage and lookups. 

Almost all end-to-end encryption systems use public-key cryptography, which means in order to send a message to someone, I first need to encrypt the message using their public key. But how can I be sure I have the right public key? What if the person I’m sending the message to changed their key (maybe because it was stolen or they got a new device)? What if a bad guy found a way to make it look like they changed their key so that they could intercept the message I sent them? How do I even find someone’s public key in the first place?

These are problems that affect any end-to-end encrypted messaging system, and the security community has responded in different ways. Probably the most well-known and widely used email encryption scheme is OpenPGP, which uses the concept of the “Web of Trust.” The basic idea is that I know and trust certain people, who in turn know and trust certain other people, who in turn know and trust certain other people, etc.

Each person in the “Web of Trust” signs the public keys of people they have verified. Then, hopefully, when you get a public key, it may well be signed by someone you trust. One common way to achieve this is with “Key Signing Parties.” If this all sounds a bit technical and not very accessible to ordinary people, then you’d be correct. I mean, key signing parties, really?

Another problem with PGP is not just trusting someone else’s key, but finding out what that key is in the first place. Many people use public key servers to upload their public keys and allow others to look up their public keys. Unfortunately, public keys servers are also fraught with problems. Anyone can upload a key for my email address, so I’m back to the “Web of Trust” just to figure out if I can trust keys I found there (particularly if there are multiple keys for a single user).

Google’s encryption initiative

What this ultimately means for encrypted email is that almost nobody uses it or if they do, it tends to be in “islands” like ProtonMail or between groups of highly technical security-minded users. Many doubt whether end-to-end email encryption can or will ever become as ubiquitous as instant messaging encryption. With this in mind, Google has now entered the fray with it Key Transparency initiative.

Google’s Key Transparency is heavily influenced by Google’s existing work on Certificate Transparency, and it should be noted that it’s not specific to email, or even messaging. The program is trying to solve the problems we’ve discussed above in a general way for all encryption systems based on end-user identities, including OpenPGP keys. The idea is a transparent key directory that is spread over multiple servers using a gossip protocol (theoretically anyone could run a key transparency server), with auditing and verifiability a core part of the system. All changes to keys are logged in an append-only manner, and the entire change history can be audited using cryptographically verifiable primitives.

What all of this mean for end users:

• Users would be able to see if someone else changed their own keys or added new keys for them.
• Users would be able to see the history of someone’s key. Has it been around awhile? Is it stable?
• Each user can probably have only one identity in the system. (You don’t want other people using your identity.)

Having the system be auditable and verifiable by anyone is extremely important. For example, malicious actors might be able to change your key, but it’s very hard for them to hide it from you. The fact that the system allows you to detect these changes means encryption clients are able to automatically warn you if someone has changed your keys, as well as also potentially warn you if someone you’re sending to has changed their keys recently. The point is you’re not blindly trusting Big Brother; the system contains all the information for you to be able to make informed decisions about who and what to trust.

I’m particularly excited by the distributed nature of Key Transparency and the verifiability of the information stored in the key directory. However, these are not things most users will likely be interested in. Also, while Key Transparency addresses the key distribution/lookup problem, it doesn’t address the issue of very few people creating a key for encrypted email in the first place. If my mom didn’t create a key, I can’t look it up and thus I can’t send her an encrypted email message.

It will be interesting to see if key transparency becomes adopted widely by the industry and if so, would it lead to a much higher uptake in end-user encryption systems based on open standards like email. If this happens, user-agents might all support encryption by default and provide keys for you automatically (just like in proprietary instant messaging systems). If all of that happens, we could finally get to the day where end-to-end email encryption becomes ubiquitous.

It’s still early days for Key Transparency, and we’ve seen a few false dawns in this particular area, but I’ll be following its development with interest. I hope you will, too.