As experts in encrypted communications, we deal in technical details every day. However, we understand that not everyone is quite as absorbed in the intricacies as we are, so we thought we’d give you an insight into what Key Fingerprints are, what they do, and how they appear on the Cellcrypt and Cellcrypt Federal apps.
Every time you communicate with a contact on our apps, Cellcrypt employs an end-to-end key exchange, ensuring that for each message, file transfer, or voice or video call, a new keyset is generated, negating the need for centralized COMSEC key management.
Although your public keys are exchanged through secured channels (Transport Layer Security/TLS-protected), it is always wise to confirm your keys with your contact. This can be done by confirming key fingerprints with one another.
Cellcrypt uses two types of key fingerprints for key confirmation between peers. The first is a public key fingerprint consisting of 16 alpha-numeric characters. In the phone image below, that key is highlighted with a red oval.
The second is a session key fingerprint consisting of 6 numeric digits, and is shown on the other phone image. Key fingerprints are not secret and are provided to make it convenient to confirm your keys with your contacts.
When you add or accept a new contact, their public key fingerprint is displayed in the message screen. The same occurs if you or your contact's public keys change e.g., when Cellcrypt is re-installed or installed on a new device. When this happens, you should confirm the fingerprint with your contact over a separate communication channel. Alternatively, you can confirm the session key fingerprint while on a call. This is done by simply challenging each other to read out the 6-digit fingerprint displayed on the call screen. Key confirmation need only be done once. Reconfirmation is only required if new key fingerprints are exchanged in the message screen.
The session key fingerprint is a powerful tool. In addition to confirming your public keys, you can also use it to confirm that your call is not being monitored by a Man-in-the-Middle (MiTM). The session key fingerprint is derived not only from your long-term public keys but also from unique per-call keys that can only be established between the callers. Confirming your session key fingerprint during a call prevents MiTM attacks, even if both callers’ private keys have been compromised.
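To make the point above concrete, here is an added illustration (not Cellcrypt's code, and not its actual derivation) of a 6-digit session fingerprint computed from a long-term Diffie-Hellman secret plus a per-call ephemeral one, over a toy group chosen only for readability. The `call` helper runs an honest call and then the worst case the post describes: an interceptor who already holds both long-term private keys and relays her own ephemeral key on each leg.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a real client would use
# a standard elliptic-curve group with a prime-order subgroup, not this Mersenne prime.
P = (1 << 521) - 1
G = 3


def keypair(priv=None):
    """Return (private, public) in the toy group; a fresh private key if none is given."""
    priv = secrets.randbelow(P - 3) + 2 if priv is None else priv
    return priv, pow(G, priv, P)


def public_key_fingerprint(pub):
    """16-character fingerprint of a long-term public key (assumed: truncated SHA-256)."""
    return hashlib.sha256(pub.to_bytes(66, "big")).hexdigest()[:16].upper()


def session_fingerprint(my_long_priv, peer_long_pub, my_eph_priv, peer_eph_pub):
    """6-digit session fingerprint derived from BOTH the long-term DH secret and the
    per-call ephemeral DH secret (assumed derivation: truncated SHA-256 of the two)."""
    for pub in (peer_long_pub, peer_eph_pub):
        if not 1 < pub < P - 1:  # reject degenerate keys that would force identical digits
            raise ValueError("invalid public key")
    long_term = pow(peer_long_pub, my_long_priv, P)
    ephemeral = pow(peer_eph_pub, my_eph_priv, P)
    material = long_term.to_bytes(66, "big") + ephemeral.to_bytes(66, "big")
    digest = hashlib.sha256(material).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def call(alice_priv, bob_priv, alice_eph, bob_eph, mallory_eph=None):
    """Run one call's key agreement and return (alice_fp, bob_fp). With mallory_eph set,
    a MiTM who already holds both long-term private keys relays her own ephemeral key."""
    a_long, A = keypair(alice_priv)
    b_long, B = keypair(bob_priv)
    a_eph, Ea = keypair(alice_eph)
    b_eph, Eb = keypair(bob_eph)
    if mallory_eph is None:
        return (session_fingerprint(a_long, B, a_eph, Eb),
                session_fingerprint(b_long, A, b_eph, Ea))
    _, Em = keypair(mallory_eph)
    # Each caller unknowingly agrees an ephemeral secret with Mallory; the long-term part
    # matches on both sides, but the ephemeral parts cannot, so the read-out digits differ.
    return (session_fingerprint(a_long, B, a_eph, Em),
            session_fingerprint(b_long, A, b_eph, Em))


if __name__ == "__main__":
    print("honest call, both screens show:", call(*(keypair()[0] for _ in range(4))))
    print("intercepted call, screens show:", call(*(keypair()[0] for _ in range(5))))
```

The validity check on received public keys is the part practitioners most often forget: without it, a relayed degenerate key would make both screens agree and the read-out check would pass.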
So now you know what those keys do, and how they keep your communications secure. If you have any technical questions about our Cellcrypt apps, and how we do what we do, you can request a blog on the subject by emailing us at firstname.lastname@example.org and we’ll be happy to give you the inside scoop.