{"id":28898,"date":"2015-01-31T01:41:22","date_gmt":"2015-01-31T06:41:22","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/encryption-the-nfc-killer-app.php"},"modified":"2015-01-31T01:41:22","modified_gmt":"2015-01-31T06:41:22","slug":"encryption-the-nfc-killer-app","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/encryption\/encryption-the-nfc-killer-app.php","title":{"rendered":"Encryption &#8212; the NFC killer app"},"content":{"rendered":"<p>I believe I have found the killer app for NFC - off-phone encryption hardware for the post-Snowden era.<\/p>\n<p>One of the revelations that Edward Snowden told us is that strong encryption works. Over the new year the person Snowden chose to contact, documentary filmmaker Laura Poitras, spelled out at the Chaos Computer Congress that the two protocols that the United States NSA and the UK's GCHQ could not decrypt were PGP (Pretty Good Privacy public-key encryption) and OTR (Off-The-Record instant messaging encryption).<\/p>\n<p>However, while the math behind PGP may be secure, unless messages are decrypted on air-gapped, offline PCs, the endpoints are the weakest link in the chain. If the file containing the key itself could be stolen, it would be a relatively simple case of brute-force guessing the password to the key for the encryption to be broken.<\/p>\n<p>The idea of using mobile smart phones with PGP has long been met with derision by the security community. Smart phones are by their nature online 24\/7, and thus the secret key file is a sitting duck for attacks - especially with the plethora of insecure apps to exploit.<\/p>\n<p>Edward Snowden's lawyer said he only uses a simple phone, and in Spain police are taught to recognize terrorists by, among other factors, whether they use a laptop in a car.
<\/p>\n<p>Enter Yubico's Yubikey Neo, a small USB device that, among other features, works as an OpenPGP smartcard.<\/p>\n<p>This addresses the key problem with PGP keys on a mobile smart device. The private key is never present on the phone itself, even for a split-second, and the actual decryption or signing happens on the Yubikey via NFC or on the laptop via USB.<\/p>\n<p>Indeed, for better or for worse, there is no way that a user can extract a private key generated on the Yubikey itself. For those paranoid that Yubico might be backdooring their key-generation algorithm, an option is to generate a key on an air-gapped PC and then transfer it to the Yubikey Neo.<\/p>\n<p>The combination of Android K-9 email client, OpenKeyChain PGP and Yubikey Neo suddenly solves the usability \/ security trade-off that has hampered widespread PGP adoption on mobile devices.<\/p>\n<p>Signing or decrypting an email needs the Yubikey to be held against the back of the device for a few seconds; a PIN is entered, and there is also a counter of the number of times the PIN has been entered.<\/p>\n<p>See the original post here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.telecomasia.net\/blog\/content\/encryption-nfc-killer-app\/RK=0\/RS=Cmz6I_EeizzYOqYYNa3TOd4z4uM-\" title=\"Encryption -- the NFC killer app\">Encryption -- the NFC killer app<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> I believe I have found the killer app for NFC - off-phone encryption hardware for the post-Snowden era. One of the revelations that Edward Snowden told us is that strong encryption works. 
Over the new year the person Snowden chose to contact, documentary filmmaker Laura Poitras, spelled out at the Chaos Computer Congress that the two protocols that the United States NSA and the UK's GCHQ could not decrypt were PGP (Pretty Good Privacy public-key encryption) and OTR (Off-The-Record instant messaging encryption). <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"class_list":["post-28898","post","type-post","status-publish","format-standard","hentry","category-encryption"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/28898"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=28898"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/28898\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=28898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=28898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=28898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}