Verifying key fingerprints
Crypho’s end-to-end encryption protects your data from surveillance. For critical communications it is also important to be certain of the identity of the person you are talking to.
By verifying each other’s encryption keys, you and the other person confirm each other’s identities. This adds another layer of protection to your conversation and lets you be certain that you are always talking to the right person. Crypho makes it simple to manage key signing and verification.
When verifying keys, it is important that you actually check that you are communicating with the correct person. This is why verification should be done through a different medium than Crypho itself, which is called out-of-band verification.
- Meet in person and verify: If it can be arranged safely and conveniently, the ideal way is to meet in person and verify keys face-to-face. Crypho’s mobile app has convenient provisions for this: your key fingerprint is available as a scannable QR code, and scanning each other’s fingerprints is convenient and quick.
- Verify via phone: If meeting in person is not an option, telephone is a good alternative. Talking on the phone makes it easy to confirm that you are talking to the correct person and not an impostor. Crypho has convenient six-word fingerprints that can easily be communicated over the phone and entered in the app for verification.
Viewing your own key fingerprint
The fingerprint appears as both a QR code and a sequence of six seemingly random words. The QR code and the sequence of words are equivalent. Both are a unique representation of your cryptographic keys. When you share the QR code or the sequence of words with your contacts, they can enter it into their app, which will then always be aware of any suspicious changes to your keys.
Give your key fingerprint to your contacts through a medium separate from Crypho, in a manner where they can be sure it is really you.
- Desktop and web: In the desktop or web apps, your key fingerprint is available under Verification in the Settings section.
- Mobile: In the mobile app, your key fingerprint is available from the Settings screen.
Desktop and web: In the desktop or web apps, inside the conversation options menu in the top right corner of the chat, there is a Verify contact link. Enter the six words that your contact has shared with you in the form. Your contact should now be marked as verified, which is indicated by the green icon next to the contact’s name in the conversation header.
Mobile: In the mobile app, view a direct conversation with the contact you want to verify and open the conversation options menu in the top right corner. In the menu that appears, select Verify contact.
You have two options for verifying:
- Scan your contact’s QR code fingerprint with your phone’s camera.
- Enter your contact’s six-word fingerprint when they share it with you.
If you have lost access to your account and reset your passphrase, new cryptographic keys will be created for you, and as a result, you will also get a new fingerprint. All your existing contacts will be notified, and all verifications will be invalidated.
Crypho detects when someone’s keys change, for example when they have lost and reset their passphrase. In this case, existing verifications of that contact are automatically invalidated and the contact must be verified again.
We recommend that you verify all your Crypho contacts.
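The following added example (not Crypho's code and not its actual fingerprint algorithm) sketches how a six-word fingerprint can be derived from a public key, compared with words received out-of-band, and invalidated when the key changes. The SHA-256 truncation, the constructed syllable word list and the `ContactStore` class are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed word list (assumption): 64 syllables, two per word = 12 bits per word.
SYLLABLES = [c + v for c in "bdfghjklmnprstvz" for v in "aeio"]

def fingerprint_words(public_key: bytes, n_words: int = 6) -> str:
    """Encode the top 12*n_words bits of SHA-256(public_key) as words."""
    digest = int.from_bytes(hashlib.sha256(public_key).digest(), "big")
    bits = digest >> (256 - 12 * n_words)
    words = []
    for i in reversed(range(n_words)):
        chunk = (bits >> (12 * i)) & 0xFFF
        words.append(SYLLABLES[chunk >> 6] + SYLLABLES[chunk & 0x3F])
    return " ".join(words)

class ContactStore:
    """Hypothetical client-side state: current key and pinned verification."""

    def __init__(self):
        self.current_key = {}   # contact -> key delivered in-band by the service
        self.verified = {}      # contact -> SHA-256 of the key that was verified

    def receive_key(self, contact: str, public_key: bytes) -> str:
        self.current_key[contact] = public_key
        pinned = self.verified.get(contact)
        new_hash = hashlib.sha256(public_key).digest()
        if pinned is not None and not hmac.compare_digest(pinned, new_hash):
            del self.verified[contact]   # key changed: verification is void
            return "key-changed"
        return "ok"

    def verify(self, contact: str, entered_words: str) -> bool:
        """Compare words received out-of-band with the key we actually hold."""
        key = self.current_key[contact]
        entered = " ".join(entered_words.lower().split()).encode()
        if hmac.compare_digest(entered, fingerprint_words(key).encode()):
            self.verified[contact] = hashlib.sha256(key).digest()
            return True
        return False

    def is_verified(self, contact: str) -> bool:
        return contact in self.verified
```

If the key held for a contact is not the one the contact read out, `verify` returns `False`, which is the case out-of-band verification exists to catch.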