This simple app lets anyone be an encryption expert

Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn't figure out the venerable crypto program PGP even after Snowden madea 12-minute tutorial video.

Nadim Kobeissi wants to bulldoze that steep learning curve. At theHOPE hacker conferencein New York later this month he'll release a beta version of an all-purpose file encryption program called MiniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.

"The tagline is that this is file encryption that does more with less," says Kobeissi, a 23-year old coder, activist and security consultant. "It's super simple, approachable, and it's almost impossible to be confused using it."

Kobeissi's creation, which he says is in an experimental phase and shouldn't yet be used for high security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by Wired, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient -- in theory not even law enforcement or intelligence agencies -- could unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive.

Like the older PGP, MiniLock offers so-called "public key" encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.

Kobeissi's version of public key encryption hides nearly all of that complexity. There's no need to even register or log in -- every time MiniLock launches, the user enters only a passphrase, though MiniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a MiniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.

"No logins, and no private keys to manage. Both are eliminated. That's what's special," says Kobeissi. "Users can have their identity for sending and receiving files on any computer that has MiniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP."

In fact, MiniLock uses a flavour of encryption that had barely been developed when PGP became popular in the 90s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven't been possible before; PGP's public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible MiniLock's feature of deriving the user's keys from his or her passphrase every time it's entered rather than storing them. Kobeissi says he's saving the full technical explanation of MiniLock's elliptic curve feats for hisHOPE conference talk.

Despite all those clever features, MiniLock may not get a warm welcome from the crypto community. Kobeissi'sbest-known previous creation is Cryptocat, a secure chat program that, like MiniLock, made encryptionso easy that a five-year-old could use it. But it also suffered fromseveral serious security flawsthat led many in the security community todismiss it as useless or worse, a trap offering vulnerable users an illusion of privacy.

But the flaws that made Cryptocat into the security community's whipping boy have been fixed, Kobeissi points out. Today the program been downloaded close to 750,000 times, and in asecurity ranking of chat programs by the German security firm PSW Grouplast month it tied for first place.

See original here:
This simple app lets anyone be an encryption expert