If some random person walked up to you and said your bank account was compromised, would you believe them? Probably not, or at least not without asking some questions. Why is it then that people trust most e-mail sent by complete strangers? It’s because most of the time the e-mail we receive is from proper sources. Vetting e-mail is also a lot harder than vetting people. Anselus makes figuring it all out much easier. How? Math. A lot of math. Don’t worry, though, we won’t get into that here. Read on to learn how Anselus uses cryptography to keep us all safe.
E-mail = Identity… Not So Great
When e-mail was invented, it was never meant to be your whole identity. Back in the early 1970s, people shared time on computers that took up as much space as multiple racks of servers. You could send a message to someone else on that same computer, but not to anyone beyond. Ray Tomlinson created a new program from two others that could send messages to people over the predecessor to the Internet, ARPANET, and in the process invented e-mail. It was really academic, and people generally behaved themselves. Trusting someone wasn’t a problem.
Times have changed dramatically since then. More and more services are available only online. Your e-mail address isn’t just used to communicate with you, it is you for purposes of the service. If someone guesses your password and gets into your e-mail, that’s a major problem. Using your e-mail address as your identity is like using a credit card to prove who you are — it has your name on it, but that’s about it. Compared to the importance of many services it’s used with, it’s just not that good.
Cryptography: Math on Steroids
Cryptography is an incredibly challenging branch of mathematics. Cryptographers use large prime numbers and numeric relationships to hide information or make it unchangeable. It’s a well-repeated rule In the technology industry to not design your own crypto. Why? It’s unspeakably difficult to get right and often hard to use. Generally speaking, a team of people work together to design a cryptographic process. From there, a community of other cryptographers and researchers try to break it, even years later. Experts can’t declare any algorithm completely safe because it only takes discovering just one major exploit to make a formerly-safe process insecure.
Anselus and other software use two cryptographic techniques to protect you and your information. Encryption prevents anyone except the recipient from reading a message. Digital signatures make detecting changes to a message immediately obvious and ensure that only you could have sent that message.
Digital Signatures: A Tale of Two Keys
Pairs of cryptographic keys are used to create and verify digital signatures. A signing key is kept private, but its corresponding verification key is given to everyone. A message is combined with the signing key to create the digital signature, and the signature is usually added to the end of the message.
Anyone can combine the document, the signature, and the verification key to see if they match. If the message has been changed at all, it will be immediately obvious.
If Bob sends Alice a document that is digitally signed and Alice successfully verifies it, she can be certain that no one changed it and that Bob was the one who sent it. Unless someone stole Bob’s signing key, no one else could possibly create that signature.
Historically, one of the major obstacles with working with digital signatures has been distributing the verification key to the people who need it. Anselus gets around this problem with Contact Requests. Contact Requests work just like Friend Requests on Facebook–someone sends you a Contact Request, you accept, and then you can message each other. This doesn’t sound like much, but this back-and-forth process makes exchanging keys simple and easy. It also makes it easy to block the bad guys.
What does this mean, then? When you create an Anselus account, your software generates several pairs of keys, including your master signing key. Every message you send is digitally signed by your master key. Your software sent the master verification key to your friend when you accepted their contact request, so when you send your friend a message, their software decrypts the message and checks the signature. Before your friend even sees the message, Anselus has already checked two different ways that it came from you and only you, and no one else could read it on the way. How’s that for protection?