OpenKeychain

OpenKeychain
Initial release 1 March 2012 (2012-03-01)
Development status Active
Written in Java
Operating system Android
Type OpenPGP
License GNU GPLv3
Website openkeychain.org

OpenKeychain is a free and open source software application that runs on the Android operating system. The application provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files.

The application allows the user to store the public keys of other users with whom they interact, and to encrypt files such that only a specified user can decrypt them. In the same manner, if a file is received from another user and its public keys are saved, the receiver can verify the authenticity of that file and decrypt it if necessary.

K-9 Mail Support

Together with K-9 Mail, it supports end-to-end encrypted emails via the OpenPGP INLINE and PGP/MIME formats. The developers of OpenKeychain and K-9 Mail are trying to change the way user interfaces for email encryption are designed. They propose to remove the ability to create encrypted-only emails[1] and hide the case of signed-only emails.[2] Instead, they focus on end-to-end security that provides confidentiality and authenticity by always encrypting and signing emails together.

Reception

OpenKeychain is listed on the official OpenPGP homepage[3] and the well-known developer collective Guardian Project recommends it instead of APG to encrypt emails.[4] TechRepublic published an article about it and conclude that "OpenKeychain happens to be one of the easiest encryption tools available for Android (that also happens to best follow OpenPGP standards)."[5] The publisher Heise reviewed it in their c't Android magazine 2016 and discussed OpenKeychain's backup mechanism.[6] The academic community uses OpenKeychain for experimental evaluations: It has been used as an example where cryptographic operations could be executed in a Trusted Execution Environment.[7] Furthermore, modern alternatives for public key fingerprints have been implemented by other researchers.[8] In 2016, the German Federal Office for Information Security published a study about OpenPGP on Android and evaluated OpenKeychain's functionality.[9]

Funding

The OpenKeychain developers participated in 3 Google Summer of Code programs with a total of 6 successful students.[10][11][12] In 2015, one of the main developers got a one-year funding to improve the OpenPGP support in K-9 Mail payed by the Open Technology Fund.[13]

History

OpenKeychain has been created as a fork of Android Privacy Guard (APG) in March 2012. Between December 2010 and October 2013 no new version of APG was released. Thus, OpenKeychain has been started with the intention of picking up the development to improve the user interface and API. A first version 2.0 has been released in January 2013. After three years without updates, APG merged back security fixes from OpenKeychain and some months later rebased an entire new version on OpenKeychain’s source code. However, this process stopped in March 2014, while the OpenKeychain developers continued to release regularly new versions. A number of vulnerabilities found by Cure53[14] have been fixed in OpenKeychain.[15] These are still not fixed in APG since its last release in March 2014. Since K-9 Mail version 5.200, APG is no longer supported as a cryptography provider.[16]

References

  1. "OpenPGP Considerations, Part II: Encrypted-Only Mails". Retrieved 11 Feb 2017.
  2. "OpenPGP Considerations, Part I: Signed-Only Mails". Retrieved 11 Feb 2017.
  3. "Official OpenPGP Homepage". Retrieved 11 Feb 2017.
  4. "How To: Lockdown Your Mobile E-Mail". Retrieved 11 Feb 2017.
  5. "Let OpenKeychain help handle your encryption". Retrieved 11 Feb 2017.
  6. Mansmann, Urs; Bleich, Holger; Kossel, Axel (2016). "Mit PGP verschlüsselt mailen". c't Android 2016. 1: 50–51.
  7. Rubinov, Konstantin; Rosculete, Lucia; Mitra, Tulika; Roychoudhury, Abhik (2016). "Automated Partitioning of Android Applications for Trusted Execution Environments". Proceedings of the 38th International Conference on Software Engineering: 923–934. ISBN 978-1-4503-3900-1. doi:10.1145/2884781.2884817.
  8. Dechand, Sergej; Schürmann, Dominik; Busse, Karoline; Acar, Yasemin; Fahl, Sascha; Smith, Matthew (2016). "An Empirical Study of Textual Key-Fingerprint Representations". 25th USENIX Security Symposium (USENIX Security 16): 193–208. ISBN 978-1-931971-32-4.
  9. "BSI Study: Nutzung von OpenPGP auf Android" (PDF). Retrieved 13 Feb 2017.
  10. "GSoC Archive 2014". Retrieved 11 Feb 2017.
  11. "GSoC Archive 2015". Retrieved 11 Feb 2017.
  12. "GSoC Archive 2016". Retrieved 11 Feb 2017.
  13. "Bringing OpenKeychain Support to K-9 Mail". Retrieved 11 Feb 2017.
  14. "Cure53 Security Audit" (PDF). Retrieved 11 Feb 2017.
  15. "OpenKeychain Wiki: Cure53 Security Audit". Retrieved 11 Feb 2017.
  16. "Why APG is no longer supported". Retrieved 11 Feb 2017.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.