Catch Key If You Can: A Bit About StealthTalk’s Encryption In One Q&A
1 Oct 2019
TL;DR: We don’t store the keys and don’t keep any copies. StealthTalk relies on a key derivation function to generate keys based on stored materials.
By now everyone interested in privacy already knows what encryption is.
The Internet rewrites and rephrases what encryption means in many different ways, but ultimately it all comes down to one sentence: “Encryption is when you change data with a special encoding process so that the data becomes unrecognizable.”
But the question “what is responsible for that special encoding?” often stays out of the picture, even with popular instant messengers that have security aspirations, and many of our users don’t know anything about it.
Let Us Fix This Issue Real Quick
To give the answer straight, the encoding process is the responsibility of an encryption key.
Now, a key is a piece of information, or rather a string of characters, that determines the functional output of a cryptographic algorithm. Let’s not get too technical with it and just agree on the following: encryption keys exist to lock up and open up your secure messages.
In modern cryptography, we differentiate private and public keys.
Public keys are handed out freely, as they only encrypt the content, while private keys stay with you and only you, as they are able to turn ciphertext back into its normal form.
Woe Is Key? To Key Or Not To Key, And Other Questions
Now, this is where it gets tricky.
All these messengers that claim to have end-to-end encryption (meaning that only you and the recipient can read secure messages) are guilty of issuing out keys instead of generating them, and of course, holding copies of private keys on their servers.
Well, now you have to know that StealthTalk doesn’t store the keys at all. That is possible thanks to a key derivation function, or in plain English - a function that derives secret keys based on pseudorandom material on your device. Not plain enough?
To make some sense out of it, let us tell you a little story.
“The Powers That Be” Will First Look For Your Key
When people higher on the totem pole want to feast on someone’s data, they just demand the encryption keys.
State agencies, governments, or most of those three-letter organizations that shall not be named usually knock on the door of solution providers to get everything they need when they want to unlock your conversations.
Because why waste time trying to kick the door in if you can just ask the factual landlord to cooperate?
Telegram’s Pavel Durov went through this experience when Russia’s FSB demanded that he cooperate. So what did he do? He sent them a letter with two metal keys packaged as a little farewell gift.
Durov claimed that Telegram would "not comply with unconstitutional and technically impossible" requirements, and that’s all good stuff, but we already talked about how we can check messengers, Telegram included, for their big black lies.
The Lesson Is Simple - Do Not Abide With Key
The best way around the keys can be compared to the black cat in the pitch dark room.
It’s tricky to tell if it is present in the room or not based purely on what we see, but we can certainly test things out to know if the cat is indeed in the room. I mean, why try to adjust to the darkness if you can just borrow some catnip?
So to answer the key questions you might have about key management in StealthTalk…
- Where do you store the keys?
- We don’t store the keys and don’t keep any copies. StealthTalk relies on a key derivation function to generate keys based on stored materials.
- What are those materials? Where are they stored? How are they transferred?
- Different data pieces can play the role of the material. It can be a picture, some junk binary code, or another minuscule piece of information. Materials are stored in two places: your client and a server that stores ONLY materials. The two sets are combined, and on their basis, you get session keys. It is safe to transfer materials over SSL/TLS.
- What will happen if someone still tries to eavesdrop on the conversation?
- Perfect forward secrecy, if you want a short answer. PFS is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if the private key of the server is compromised.
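To make the "two sets of materials are combined into session keys" answer concrete, here is an added sketch that is not StealthTalk's code. It assumes HKDF-SHA256 (RFC 5869) as the key derivation function, since the page does not name one; derive_session_key, the session_id parameter and the salt label are hypothetical.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input material into a fixed-size PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested key length out of range")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(client_material: bytes, server_material: bytes,
                       session_id: bytes, length: int = 32) -> bytes:
    """Combine both material sets into one session key (hypothetical helper)."""
    if not client_material or not server_material:
        raise ValueError("both material sets are required")
    # Length-prefix each part so (b"ab", b"c") and (b"a", b"bc") cannot collide.
    ikm = b"".join(len(part).to_bytes(4, "big") + part
                   for part in (client_material, server_material))
    prk = hkdf_extract(b"example-split-material-v1", ikm)  # assumed label
    # Binding the session id gives every session its own key.
    return hkdf_expand(prk, b"session:" + session_id, length)


if __name__ == "__main__":
    # Constructed sample materials, for illustration only.
    client = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    server = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
    key_a = derive_session_key(client, server, b"session-1")
    key_b = derive_session_key(client, server, b"session-2")
    print(key_a.hex())
    print("distinct per session:", key_a != key_b)
    # With one material set missing, derivation refuses to run.
    try:
        derive_session_key(b"", server, b"session-1")
    except ValueError as err:
        print("refused:", err)
```

A KDF adds no entropy, so the session key is only as unpredictable as the two material sets combined.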
And to get a better understanding of StealthTalk, you can try out a 30-day trial today.
Educational materials that unveil some of the secrets are good, but the hands-on approach is even better.