Verifying key fingerprints
Crypho’s end-to-end encryption protects your data from surveillance. For critical communications it is also important to be certain of the identity of the person you are talking to.
By verifying each other’s encryption keys, you and the person with whom you are communicating add another layer of protection to your conversation by confirming each other’s identities. This makes you certain that you are always talking to the right person. Crypho makes it simple to manage key signing and verification.
When verifying keys, it is important that you actually check that you are communicating with the correct person. This is why verification should be done through a different medium than Crypho itself. This is called out-of-band verification.
- Meet in person and verify: If it can be arranged safely and conveniently, the ideal way is to meet in person and verify keys face-to-face. Crypho’s mobile app has convenient provisions for this: your key fingerprint is available as a scannable QR code, and scanning each other’s fingerprints is convenient and quick.
- Verify via phone: If meeting in person is not an option, telephone is a good alternative. Talking on the phone makes it easy to confirm that you are talking to the correct person and not an impostor. Crypho has convenient six-word fingerprints that can easily be communicated over the phone and entered in the app for verification.
Viewing your own key fingerprint
The fingerprint appears as both a QR code and a list of six seemingly random words. The QR code and the list of words are equivalent. Both are a unique representation of your cryptographic keys. Once your contacts have entered the QR code or the list of words into their app, the app can alert them to any suspicious changes to your keys.
Give your key fingerprint to your contacts through a medium separate from Crypho, in a manner where they can be sure it is really you.
- Desktop and web: In the desktop or web apps, your key fingerprint is available through the menu under “My fingerprint”.
- Mobile: In the mobile app, your key fingerprint is available from the settings screen.
Desktop and web: In the desktop or web apps, clicking the red circle next to a contact in the contact list brings up the key verification screen. Enter the six words that your contact has shared with you in the form. Your contact should now be listed as verified.
Mobile: In the mobile app, view a direct conversation with the contact you want to verify and press the cog symbol in the top right corner. In the menu that appears, select “Verify contact”.
You have two options for verifying:
- Scan your contact’s QR code fingerprint with your phone’s camera
- or enter your contact’s six-word fingerprint when they share it with you.
If you have lost access to your account and reset your passphrase, new cryptographic keys will be created for you, and as a result you will also get a new fingerprint. All your existing contacts will be notified, and all verifications will be invalidated.
Crypho detects when someone’s keys change, for example when they have lost and reset their password. In this case, key verifications are automatically invalidated and the contact must be verified again.
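The following sketch is an added example, not Crypho's code. It shows the general mechanism behind a six-word fingerprint and behind invalidating a verification when a key changes. The SHA-256 derivation, the syllable word list, the `ContactBook` class and the sample keys are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed alphabet: 16 syllables -> 256 two-syllable "words", one per byte.
# Assumption for illustration only; this is not Crypho's word list or algorithm.
SYL = ["ba", "de", "fi", "go", "ha", "ku", "la", "me",
       "ni", "po", "ru", "sa", "te", "vi", "wo", "zu"]

def fingerprint(public_key: bytes) -> str:
    """Six words derived from a SHA-256 digest of the public key."""
    digest = hashlib.sha256(public_key).digest()
    return " ".join(SYL[b >> 4] + SYL[b & 15] for b in digest[:6])

def normalize(words: str) -> str:
    """Ignore case and spacing differences in typed or dictated words."""
    return " ".join(words.lower().split())

class ContactBook:
    def __init__(self):
        self.keys = {}    # contact -> public key currently delivered in-band
        self.pinned = {}  # contact -> fingerprint confirmed out-of-band

    def update_key(self, contact: str, public_key: bytes) -> bool:
        """Store the delivered key; return True if a verification was invalidated."""
        changed = self.keys.get(contact) != public_key
        self.keys[contact] = public_key
        if changed and contact in self.pinned:
            del self.pinned[contact]
            return True
        return False

    def verify(self, contact: str, words_out_of_band: str) -> bool:
        """Pin the contact only if the out-of-band words match the delivered key."""
        expected = fingerprint(self.keys[contact])
        entered = normalize(words_out_of_band)
        if hmac.compare_digest(expected.encode(), entered.encode()):
            self.pinned[contact] = expected
            return True
        return False

    def is_verified(self, contact: str) -> bool:
        return contact in self.pinned

# Constructed sample keys (not real key material).
ALICE_KEY = bytes(range(32))
ALICE_NEW_KEY = bytes(range(1, 33))
```

If the key delivered in-band is not the one your contact actually holds, the words they read out over the phone will not match and `verify` returns `False`. Six bytes of digest is a constructed simplification; a real scheme sizes its word list and digest length for the collision resistance it needs.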
We recommend that you verify all your Crypho contacts.