Search engine giant Yahoo is getting on the e-mail encryption bandwagon. The company is joining Google to create a system that could roll out next year and virtually make your inbox completely secure.
In fact, the Wall Street Journal is reporting the system Google and Yahoo are pushing forward could make it “mathematically impossible” to hand over your messages to a court of law. The announcement comes just months after upgraded its encryption for Outlook.com, however Redmond is not on board with the Google/Yahoo project -- at least not yet.
“We have to make it to clear to people it is not secret you’re emailing your priest,” Alex Stamos, Yahoo’s Chief Information Security Officer, said in an interview at the Black Hat security conference, according to the Journal. “But the content of what you’re emailing him is secret.”
In June, Google made headlines by flying in the face of the National Security Agency with a new Chrome browser add-on. The idea is to make your e-mail more secure and spy-proof -- and to provoke other e-mail providers to take similar measures. But the new system Google and Yahoo are building aims to takes it up a notch.
While end-to-end encryption tools like PGP (Pretty Good Privacy) and GnuPG (Gnu Privacy Guard) have been around for a long time, they require a lot of technical know-how and manual effort to use. Google is trying to make this kind of encryption easier by releasing code for a new Chrome extension that uses OpenPGP, and Yahoo and Google will continue working on a broader PGP-based solution for the consumer market.
According to International PGP, PGP combines some of the best features of both conventional and public key cryptography. In other words, PGP is a hybrid cryptosystem.
“When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security,” according to the Web site. “Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.)”
How it Works
The International PGP site explains that PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type.
“This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext,” according to the International PGP. “Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.”
According to the site, decryption works in the reverse. That means the recipient's PGP copy uses a private key to recover the temporary session key. PGP then uses that temporary session key to decrypt the conventionally encrypted ciphertext.
“The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption,” the International PGP explained. “Conventional encryption is about 1, 000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.”