The Ultra-Simple App That Lets Anyone Encrypt Anything

Original illustration: Getty

Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldnt figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.

Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month hell release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.

The tagline is that this is file encryption that does more with less, says Kobeissi, a 23-year old coder, activist and security consultant. Its super simple, approachable, and its almost impossible to be confused using it.

A screenshot from an early demo of miniLock.

Kobeissis creation, which he says is in an experimental phase and shouldnt yet be used for high security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by WIRED, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipientin theory not even law enforcement or intelligence agenciescould unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive.

Like the older PGP, miniLock offers so-called public key encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.

Kobeissis version of public key encryption hides nearly all of that complexity. Theres no need to even register or log inevery time miniLock launches, the user enters only a passphrase, though miniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.

No logins, and no private keys to manage. Both are eliminated. Thats whats special, says Kobeissi. Users can have their identity for sending and receiving files on any computer that has miniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP.

In fact, miniLock uses a flavor of encryption that had barely been developed when PGP became popular in the 1990s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that havent been possible before; PGPs public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible miniLocks feature of deriving the users keys from his or her passphrase every time its entered rather than storing them. Kobeissi says hes saving the full technical explanation of miniLocks elliptic curve feats for his HOPE conference talk.

See the original post here:
The Ultra-Simple App That Lets Anyone Encrypt Anything