For over two decades, the prevailing utility for sending and receiving encrypted files was PGP (Pretty Good Privacy) – including the popular free and open-source implementation GNU Privacy Guard (GPG). In order to use PGP, you needed to use a software tool to create at least one pair of encryption keys: one public (which you give away freely) and one private (which you guard very carefully). People use your public key to encrypt something and then send it to you via email or whatever. You then use your closely-guarded private key to decrypt it.
The problem, though, is that PGP is complicated and normal people just don’t have the patience for it. It’s also tricky to integrate PGP into things like email clients, especially web-based clients. And having to manage these keys is a real pain – they’re quite large and ugly. Here, for example, is one of my PGP public keys:
If the computer that stores my private key dies, then I can no longer decrypt anything that was sent to me. Worse yet, if that computer is lost or stolen, then anything ever encrypted to that key is vulnerable.
There’s a new kid on the block called miniLock which has three very important improvements over PGP:
- The private key is generated using an email address and a long passphrase. You no longer have to worry about storing and potentially losing your private key; you recreate it as needed from something you can easily remember.
- The public key is much, much shorter – only 44 characters long. This may seem bad since we know that shorter keys make for weaker encryption, but miniLock uses a different form of cryptography that can use smaller keys with the same level of security.
- Under the covers, miniLock uses a new(er) type of encryption called elliptic curve cryptography which allows for much smaller keys.
For comparison, here is my public miniLock key (or “miniLock ID”):
dtsyrmf4mQamR3G4xfMaCRe5zdRi78M6rvdJr5owgtg8z
That’s it! These keys are so short that you can easily send them to others, even tweet them.
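As an added illustration of the first bullet above (this is not miniLock's code and not from the original post), the sketch below rebuilds the same key pair every time from an email address and a passphrase. The use of scrypt with the email as salt, the cost setting, X25519 for the key pair, the Base58-plus-checksum ID format, and all function names are assumptions of this example.

```python
import hashlib

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, from RFC 7748
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def x25519(k: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """RFC 7748 Montgomery ladder (variable-time, for illustration only)."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def base58(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * pad + out

def derive_keypair(email: str, passphrase: str, cost: int = 2**14):
    # Assumed KDF: scrypt, salted with the email so that two users who pick
    # the same passphrase still end up with different keys.
    secret = hashlib.scrypt(passphrase.encode(), salt=email.encode(),
                            n=cost, r=8, p=1, dklen=32)
    return secret, x25519(secret)  # (private key, public key)

def key_id(public: bytes) -> str:
    # Assumed ID format: Base58(public key || 1-byte BLAKE2s checksum).
    return base58(public + hashlib.blake2s(public, digest_size=1).digest())

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for email in ("alice@example.com", "alice@example.org"):
        print(email, key_id(derive_keypair(email, "constructed sample passphrase")[1]))
```

Because anyone can rerun this derivation, the passphrase is the only secret: its length and the KDF cost are all that protect the private key from guessing.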
This tool is brand new and hasn’t even officially been released yet, let alone fully vetted by the crypto experts. But it’s got a lot of potential and may finally allow regular people to use truly secure, end-to-end encryption for all sorts of communication.
Until encryption is easy and built in to everything, it won’t be used. We have to find ways to make it much more accessible – and miniLock is a valiant attempt.