When you communicate online using end-to-end encryption, each person you send a message to has their own unique public key. You use this key to encrypt messages to them, so that only they can decode them.
But how do you know which public key to use?
Suppose you get an email that claims to be from your friend Esra’a. The email includes a PGP public key file to secure future messages. Or, suppose someone claiming to be Esra’a sends you a chat request on an encrypted messenger application like WhatsApp, Signal, or Wire, along with a security code that you can use to encrypt future messages.
A text message on a smartphone that says it’s from your friend, Esra’a. She says “Hello!” and sends another message with a public key file (pubkey.asc), and the emojis for “sparkles” and “key.”
These messages might not be from Esra’a at all!
Even though you are using what you think is Esra’a’s public key, you may be encrypting your messages using a key that came from a different person entirely—which means this fake Esra’a will be able to decode all your future messages.
When And Where To Verify Keys
Different secure messaging systems have different ways to verify keys, but all of them encourage you to check those keys outside of the messaging system itself. This is called out-of-band verification. So in our case, you should find some other way to check that online Esra’a is the same as real life Esra’a. You can do this by calling Esra’a on the phone, or meeting Esra’a in person to verify the public encryption key she sent you actually belongs to her.
Why use out-of-band verification?
- Without definitively knowing who a key came from, you can’t rely on a secure messaging system since it’s not completely secure yet!
- It’s often harder to fake someone’s communications in more than one service. For instance, if you ask to verify Signal fingerprints using a FaceTime video chat, the fake person would have to be able to both run a fake Signal account *and* a fake FaceTime account, *and* disguise themselves as your friend on video.
An illustration of a video chat with Esra’a. You ask her to verify the new key she sent you on Signal. She looks worried and confused.
Here are a few questions you might be asking yourself:
Question: Can’t I just ask online-Esra’a some security questions to prove it’s really her? For example, what if I asked: “If you’re the real Esra’a, what was I wearing the last time we met?”
Answer: The problem is that a fake Esra’a could be talking to the real Esra’a at the same time pretending to be you. Fake Esra’a could ask the real Esra’a the questions you ask, and immediately send you her real answers! This is called a “Man-in-the-middle” or “machine-in-the-middle” attack. It’s not common, but it does happen, and that’s why out-of-band verification is important for key verification.
Two people holding smartphones. The person on the left (the sender) sends their public key fingerprint by chat. Before the person on the right (the receiver) receives the message, a bad actor (the man-in-the-middle) intercepts the sender’s message, changes a few of the fingerprint characters and numbers, and sends a similar-looking public key fingerprint to the receiver. On the right is a view of the receiver's phone. The message appears to come from the original sender, but it’s actually the corrupted, fake message from the person in the middle.
Question: What if I’m certain I’m talking to the right person? Do I still need to verify keys?
Answer: Let’s say you got your keys from a source you think is reliable (like a mutual friend). Even if you’re absolutely positive you are talking to the right person, it’s still wise to verify keys. The process can be reassuring and it shows that you both take the security of your messages seriously.
Question: When should I verify keys?
Answer: You should verify keys when you use a new messaging tool to communicate, or when the keys of someone you communicate with change. Below are some reasons a person’s keys might change:
- A PGP user might set old keys to expire.
- Phone messaging apps often tie a key to a particular phone, so if a user buys a new phone, they might be required to use a new key.
- Sometimes people lose keys, or forget the passwords they use to protect their keys.
When you see someone use a new key for the first time, you should verify it.
So, how might we check these keys?
Verifying Keys Out-of-band
Encryption keys are very long sets of numbers, which makes them hard to read aloud and check manually. To make key verification easier, communication software can show you a “fingerprint” or “safety number,” based on the key, which is shorter and easier to check. Fingerprints can be a smaller number, a set of common words, or even a graphic or image.
To verify keys, your contact will most likely read or show you the fingerprint of their key, while you check it against the fingerprint of the key you have for them on your device. After you’ve verified your contact’s key, they can verify your key by asking you to read or show them your key fingerprint as they check it against the copy on their device. Once you both know you have the right keys, you can communicate more securely.
There are several ways to verify keys out-of-band. Here are the most common methods:
- Verifying keys in person, or
- Verifying keys over a medium other than the one in which you are communicating.
Verifying keys in person
Verifying keys in person is the most ideal method. This is because it is easier to confirm someone is who they say they are when you’re face-to-face with them than, say, when you’re chatting with them by text, email, or social media chat (where impersonation and phishing attempts are easier).
In person, you have your public key fingerprint available and your friend double-checks that every single character from your public key fingerprint matches what they have for your public key fingerprint. It’s a little tedious, but it’s really worth doing. The in-person method might happen when people exchange business cards with their public key fingerprints, or when colleagues see each other at a meeting.
Each end-to-end encrypted messaging app is different and some provide alternative ways to check key fingerprints. Currently, there is no universal term for what the practice is called and how it is implemented. For one app you might have to read each character of the fingerprint and ensure it matches what you see on your screen versus your friend’s screen. In another, you might scan a QR code on another person’s phone in order to “verify” their key.
Let’s imagine that An Ming meets her friend, Ghassan, at an event. They decide that it’s best to communicate with each other using an end-to-end encryption app on their smartphones, so they install Signal or WhatsApp. While An Ming and Ghassan are physically close to each other, they take advantage of these apps’ key verification capabilities.
Two people hold up their smartphones with QR codes and a string of random letters and numbers visible on their screens. They verify each other’s key fingerprints by scanning the other person’s QR code with their phone cameras. Locks and green checkmarks float above their phones.
Verifying keys over another medium
If you can’t verify keys in person, you can contact your friend using a different way of communication—a way other than the one you’re using to verify keys.
For example, if you’re trying to verify PGP keys with someone, you could use the telephone or an OTR chat to do so. Try to verify keys over a medium that is more secure than the one you’re ultimately trying to secure (e.g. through another encrypted communication). Why? Because it would be difficult for an adversary to intercept your messages from all these different mediums simultaneously.
Let’s say that An Ming and Ghassan decide to also use PGP. An Ming sends Ghassan her PGP public key fingerprint through another medium—like Signal—making sure that each character matches her public key fingerprint. Ghassan would then cross-check that every character of An Ming’s public key fingerprint matches the public key he has on file for An Ming.
A laptop open, with a PGP public key and 10 block fingerprint of four random letters and numbers in each block. It is paired with a happy face. On the right, a second method of encrypted communication: a phone open to the Signal encrypted messaging app, shown with that same happy face and the same character and number set for the 10 block fingerprint.
Regardless of the app that you use, you will always be able to locate both your key and the key of your communication partner.
Although locating your key can vary by app, the key verification methods remain approximately the same. You can either read your key’s fingerprint aloud (if you are face-to-face or using the telephone) or you can copy and paste it into a communications program, but whichever you choose, it is important that you check every single letter and number.
Lastly, many of these end-to-end encryption apps indicate if the keys change. As we previously mentioned, it’s important to be on the lookout for when your friends’ keys change—be sure to verify that this is an expected change with them. You can do so in person or over another medium. For example, some people send their friends a message when they are about to get a new phone so that their friends are not startled by a new key notification.
Verify keys with one of your friends. To learn how to verify keys in a specific app, visit that app’s how-to guide.
PGP’s Web of Trust And Other Key Verification Aids
Out-of-band key verification can be hard to organize, especially if you have lots of contacts. While it’s always a good idea, some tools can help give you strong hints that you’re using the right key.
PGP allows you to sign other people’s keys, which means that you officially vouch that this key really belongs to the person it says it is from. PGP users can meet each other at key-signing parties, where they check each other’s identities, and then sign their keys. Your PGP software can decide whether to trust a key based on how many people have signed it—and whether you already trust those signers. This network of PGP users, all verifying and vouching for each other, is called “the web of trust.” The web of trust helps you assess the validity of new keys, but it’s like getting a recommendation from a friend: it doesn’t beat checking out the person yourself.
Thanks to the web of trust, PGP also lets you download keys for new contacts from the PGP keyservers. Your software can upload your key, tied to your email address, to a keyserver. Then any PGP user can ask the keyservers for the right key for a particular email address.
There’s nothing stopping bad actors from uploading wrong keys for an email address or identity to the keyservers—indeed, this has happened in the past—but if a key is signed as valid by a lot of people you know, it is more likely to be real. Again, if you get a key from a keyserver, it’s best to verify it directly with the user, or in person, as soon as possible.
A bad actor might create and upload a key whose fingerprint is almost, but not quite, the same as the real keys to the keyservers. This is why you should check every digit of a fingerprint carefully!
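To make the fingerprint idea and the “check every digit” advice concrete, here is an added example (not part of the original guide and not any app’s own code). It derives a 40-character PGP v4 fingerprint as defined in RFC 4880, then compares two fingerprints block by block; the key bytes, the look-alike value and all function names are constructed for illustration.

```python
import hashlib

HEX = set("0123456789ABCDEF")

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over the byte
    0x99, a two-byte big-endian length, then the public-key packet body."""
    header = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + packet_body).hexdigest().upper()

def blocks(fingerprint: str) -> list:
    """Drop spaces, ignore case, and split into ten 4-character blocks."""
    chars = "".join(fingerprint.split()).upper()
    if len(chars) != 40 or not set(chars) <= HEX:
        raise ValueError("a v4 fingerprint is exactly 40 hex characters")
    return [chars[i:i + 4] for i in range(0, 40, 4)]

def mismatched_blocks(on_device: str, read_aloud: str) -> list:
    """1-based numbers of the blocks that differ; an empty list is a match."""
    pairs = zip(blocks(on_device), blocks(read_aloud))
    return [n for n, (mine, theirs) in enumerate(pairs, start=1) if mine != theirs]

def ends_only_match(on_device: str, read_aloud: str) -> bool:
    """The shortcut to avoid: comparing just the first and last block."""
    mine, theirs = blocks(on_device), blocks(read_aloud)
    return mine[0] == theirs[0] and mine[-1] == theirs[-1]

def change_one_char(fingerprint: str, block_no: int) -> str:
    """Constructed test input: alter the last character of one block."""
    parts = blocks(fingerprint)
    last = parts[block_no - 1][3]
    parts[block_no - 1] = parts[block_no - 1][:3] + ("0" if last != "0" else "1")
    return " ".join(parts)

# Constructed placeholder bytes standing in for a public-key packet body.
SAMPLE_BODY = b"constructed sample bytes, not a real public key"
ON_DEVICE = v4_fingerprint(SAMPLE_BODY)      # the copy stored on your device
LOOKALIKE = change_one_char(ON_DEVICE, 5)    # differs only in block 5

if __name__ == "__main__":
    print(" ".join(blocks(ON_DEVICE)))
    print("full check, same key typed in lowercase:",
          mismatched_blocks(ON_DEVICE, ON_DEVICE.lower()))
    print("full check, look-alike:", mismatched_blocks(ON_DEVICE, LOOKALIKE))
    print("first/last block only:", ends_only_match(ON_DEVICE, LOOKALIKE))
```

The look-alike passes the first-and-last-block shortcut but fails the full comparison, which reports the one block to re-read with your contact.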
Some services, like Keybase.io, let users confirm the validity of a key by letting their users prove their identities using social media. These services demonstrate that the person who uses a certain key is also the person who runs a certain Twitter account or Facebook account. Once again, it helps make the case that a key is the right one to use, but verify in person or directly to be absolutely sure!