John Gilmore wrote:
> Brad Templeton has been kicking around some ideas on how to make
> zero-UI encryption work (with some small UI available for us experts
> who care more about our privacy than the average joe).

That's an interesting article. I wrote Whisper (http://234.cx/whisper.php) as a different way of making crypto more usable. The idea is that you simply agree a pass phrase with the correspondent beforehand. You then encrypt your message with a small and hopefully bullet-proof program. It isn't innovative cryptographically, and that is the point -- hopefully it is simple enough that anyone with basic computer literacy can make it work.

Of course the effect of Whisper is different to the zero-UI encryption. Whisper provides you with good security (subject to weak pass phrases and bugs), but you must agree a pass phrase beforehand. Zero-UI encryption is more vulnerable to active attacks on the network, but works with much less effort.

One enhancement to the zero-UI model that I think might be worthwhile is automated key exchange ahead of the first message. So when Alice asks to email Bob, her computer first sends a message asking for Bob's key. When the reply is received, Alice's original message is taken out of the queue, encrypted and sent. This way the first message doesn't go across the network in the clear.

If we don't want to add another round-trip time, we could make keys available from a key server. This would have the disadvantage that attackers could compromise the key server and replace the keys with false ones. However, this would be detected almost straight away if they could not modify communications going directly between Alice and Bob -- Bob would receive a message that he couldn't decrypt. Normally surveillance operations have to be kept secret so this kind of attack would be impractical.

--
Pete

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
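
Added example, not part of the original message and not Whisper's code: a Python sketch of the queue-then-encrypt exchange described above, and of how a key substituted on the key server shows up as a message Bob cannot decrypt. The toy group parameters and the names `Outbox`, `keygen`, `encrypt` and `decrypt` are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy ElGamal-style group, assumed only so this runs on the standard library; not for real use.
P, G = 2**255 - 19, 2

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _keys(shared):
    seed = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return hashlib.sha256(seed + b"enc").digest(), hashlib.sha256(seed + b"mac").digest()

def _xor(key, data):
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(recipient_pub, plaintext):
    e, eph_pub = keygen()                      # fresh ephemeral key per message
    enc_key, mac_key = _keys(pow(recipient_pub, e, P))
    body = _xor(enc_key, plaintext)
    return eph_pub, body, hmac.new(mac_key, body, hashlib.sha256).digest()

def decrypt(priv, message):
    eph_pub, body, tag = message
    enc_key, mac_key = _keys(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None    # not encrypted to our key: the signal Bob would notice
    return _xor(enc_key, body)

class Outbox:
    """Hypothetical sending agent: nothing leaves until the recipient's key is known."""
    def __init__(self):
        self.keys, self.queue, self.sent = {}, [], []

    def submit(self, to, text):
        self.queue.append((to, text))
        self.flush()

    def learn_key(self, who, pub):             # key reply or key-server answer arrived
        self.keys[who] = pub
        self.flush()

    def flush(self):
        held = [m for m in self.queue if m[0] not in self.keys]
        for to, text in self.queue:
            if to in self.keys:
                self.sent.append((to, encrypt(self.keys[to], text)))
        self.queue = held
```

A `None` from `decrypt` on mail that arrived directly from a known correspondent is the event worth logging and alerting on in this model.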
