Crypho’s end-to-end encryption protects your data from surveillance. For critical communications it is also important to be certain of the identity of the person you are talking to.
By verifying each other’s encryption keys, you and the other person confirm each other’s identities. In this way, you add another layer of protection to your conversation. This makes you certain that you are always talking to the right person. Crypho makes it simple to manage key signing and verification.
When verifying keys, it is important that you actually check that you are communicating with the correct person. This is why verification should be done through a different medium than Crypho itself — called out-of-band verification.
The fingerprint appears as both a QR code and a sequence of six seemingly random words. The QR code and the sequence of words are equivalent. Both are a unique representation of your cryptographic keys. By sharing the QR code or the sequence of words with your contacts, they can enter it into their app so it can always be aware of any suspicious changes to your keys.
Give your key fingerprint to your contacts in a medium separate from Crypho. In a manner where they can be sure it is really you.
Desktop and web: In the desktop or web apps, inside the conversation options menu in the top right corner of the chat, there is a Verify contact link. Enter the six words that your contact has shared with you in the form. Your contact should now be marked as verified, which is indicated by the green icon next to the contacts name in conversations header.
Mobile: In the mobile app, view a direct conversation with the contact you want to verify and open the conversation options menu in the top right corner. In the menu that appears, select Verify contact. You have two options for verifying:
If you have lost access to your account and reset your passphrase, new cryptographic keys will be created for you, and as a result, you will also get a new fingerprint. All your existing contacts will be notified, and all verifications will be invalidated.
Crypho detects when someone’s keys change - for example when they have lost and reset their passphrase. Key verifications are automatically invalidated and must be verified again in this case.
We recommend that you verify all your Crypho contacts.