OpenKeychain

Initial release 1 March 2012; 11 years ago
Stable release 5.8.2 [1] / 7 January 2023; 3 months ago
Repository
Written in Java
Operating system Android
Type OpenPGP
License GPL-3.0-or-later
Website www.openkeychain.org

OpenKeychain is a free and open-source mobile app for the Android operating system that provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files. The app allows the user to store the public keys of other users with whom they interact, and to encrypt files such that only a specified user can decrypt them. In the same manner, if a file is received from another user and that user's public keys are saved, the receiver can verify the authenticity of that file and decrypt it if necessary. As of August 2021, it is no longer actively developed. [2]

K-9 Mail Support

Together with K-9 Mail, it supports end-to-end encrypted emails via the OpenPGP INLINE and PGP/MIME formats. The developers of OpenKeychain and K-9 Mail are trying to change the way user interfaces for email encryption are designed. They propose to remove the ability to create encrypted-only emails [3] and hide the case of signed-only emails. [4] Instead, they focus on end-to-end security that provides confidentiality and authenticity by always encrypting and signing emails together.

Reception

OpenKeychain is listed on the official OpenPGP homepage [5] and the well-known developer collective Guardian Project recommends it instead of APG to encrypt emails. [6] TechRepublic published an article about it and concluded that "OpenKeychain happens to be one of the easiest encryption tools available for Android (that also happens to best follow OpenPGP standards)." [7] The publisher Heise reviewed it in their c't Android magazine in 2016 and discussed OpenKeychain's backup mechanism. [8] The academic community uses OpenKeychain for experimental evaluations: it has been used as an example where cryptographic operations could be executed in a Trusted Execution Environment. [9] Furthermore, modern alternatives for public key fingerprints have been implemented by other researchers. [10] In 2016, the German Federal Office for Information Security published a study about OpenPGP on Android and evaluated OpenKeychain's functionality. [11] OpenKeychain has been adapted to work with smartcards and NFC rings, resulting in a usability study published at Ubicomp 2017. [12]

Funding

The OpenKeychain developers participated in 3 Google Summer of Code programs with a total of 6 successful students. [13] [14] [15] In 2015, one of the main developers received one year of funding from the Open Technology Fund to improve the OpenPGP support in K-9 Mail. [16]

History

OpenKeychain was created as a fork of Android Privacy Guard (APG) in March 2012. Between December 2010 and October 2013 no new version of APG was released. Thus, OpenKeychain was started with the intention of picking up the development to improve the user interface and API. A first version, 2.0, was released in January 2013. After three years without updates, APG merged back security fixes from OpenKeychain and some months later rebased an entirely new version on OpenKeychain's source code. However, this process stopped in March 2014, while the OpenKeychain developers continued to regularly release new versions. A number of vulnerabilities found by Cure53 [17] have been fixed in OpenKeychain. [18] These are still not fixed in APG since its last release in March 2014. Since K-9 Mail version 5.200, APG is no longer supported as a cryptography provider. [19]

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

Email client: Computer program used to access and manage a user's email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards. If public encryption keys are available to both recipient and sender, Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password and stored for pickup by the recipient, or the message can be sent in cleartext. In July, 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings. The company is located in Vancouver, British Columbia, Canada.

FileVault is a disk encryption program in Mac OS X 10.3 (2003) and later. It performs on-the-fly encryption with volumes on Mac computers.

Key exchange: Cryptographic protocol enabling the sharing of a secret key over an insecure channel

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 3369, 3370, 3850 and 3851. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

End-to-end encryption (E2EE) is a security method that keeps chats and messages secure. The end-to-end encryption is a system of communication where only the users communicating can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, malicious actors, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

This is a technical feature comparison of different disk encryption software.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

Android Privacy Guard (APG) is a free and open-source app for the Android operating system that provides strong, user-based encryption which is compatible with the Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) programs. This allows users to encrypt, decrypt, digitally sign, and verify signatures for text, emails, and other files.

Mailpile

Mailpile is a free and open-source email client with the main focus of privacy and usability. It is a webmail client, albeit one run from the user's computer, as a downloaded program launched as a local website.

ProtonMail: End-to-end encrypted email service

Proton Mail is an end-to-end encrypted email service founded in 2013 in Geneva, Switzerland. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.

Peerio was a cross-platform end-to-end encrypted application that provided secure messaging, file sharing, and cloud file storage. Peerio was available as an application for iOS, Android, macOS, Windows, and Linux. Peerio (Legacy) was originally released on 14 January 2015, and was replaced by Peerio 2 on 15 June 2017. The app is discontinued.

Mailfence: Encrypted email service

Mailfence is an encrypted email service that offers OpenPGP based end-to-end encryption and digital signatures. It was launched in November 2013 by ContactOffice Group, which has been operating an online collaboration suite for universities and other organizations since 1999.

Autocrypt is a cryptographic protocol for email clients aiming to simplify key exchange and enabling encryption. Version 1.0 of the Autocrypt specification was released in December 2017 and makes no attempt to protect against MITM attacks. It is implemented on top of OpenPGP replacing its complex key management by fully automated unsecured exchange of cryptographic keys between peers.

EFAIL: Email security vulnerability

Efail, also written EFAIL, is a security hole in email systems with which content can be transmitted in encrypted form. This gap allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.

References

  1. "Release 5.8.2". 7 January 2023. Retrieved 21 January 2023.
  2. "Note about maintenance mode". Retrieved 19 November 2022.
  3. "OpenPGP Considerations, Part II: Encrypted-Only Mails". Retrieved 11 Feb 2017.
  4. "OpenPGP Considerations, Part I: Signed-Only Mails". Retrieved 11 Feb 2017.
  5. "Official OpenPGP Homepage". Retrieved 11 Feb 2017.
  6. "How To: Lockdown Your Mobile E-Mail". Retrieved 11 Feb 2017.
  7. "Let OpenKeychain help handle your encryption". Retrieved 11 Feb 2017.
  8. Mansmann, Urs; Bleich, Holger; Kossel, Axel (2016). "Mit PGP verschlüsselt mailen". c't Android 2016. 1: 50–51.
  9. Rubinov, Konstantin; Rosculete, Lucia; Mitra, Tulika; Roychoudhury, Abhik (2016). "Automated Partitioning of Android Applications for Trusted Execution Environments" (PDF). Proceedings of the 38th International Conference on Software Engineering: 923–934. doi:10.1145/2884781.2884817. ISBN 978-1-4503-3900-1. Archived (PDF) from the original on 2021-10-06.
  10. Dechand, Sergej; Schürmann, Dominik; Busse, Karoline; Acar, Yasemin; Fahl, Sascha; Smith, Matthew (2016). "An Empirical Study of Textual Key-Fingerprint Representations". 25th USENIX Security Symposium (USENIX Security 16): 193–208. ISBN 978-1-931971-32-4.
  11. "BSI Study: Nutzung von OpenPGP auf Android" (PDF). Retrieved 13 Feb 2017.
  12. Schürmann, Dominik; Dechand, Sergej; Lars, Wolf (2017). "OpenKeychain: An Architecture for Cryptography with Smart Cards and NFC Rings on Android". Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 1 (3): 99:1-99:24. doi:10.1145/3130964.
  13. "GSoC Archive 2014". Retrieved 11 Feb 2017.
  14. "GSoC Archive 2015". Retrieved 11 Feb 2017.
  15. "GSoC Archive 2016". Retrieved 11 Feb 2017.
  16. "Bringing OpenKeychain Support to K-9 Mail". Retrieved 11 Feb 2017.
  17. "Cure53 Security Audit" (PDF). Retrieved 11 Feb 2017.
  18. "OpenKeychain Wiki: Cure53 Security Audit". Retrieved 11 Feb 2017.
  19. "Why APG is no longer supported". Retrieved 11 Feb 2017.