Q: Why not use PGP to share a password?
Answer
If you like PGP, you can still benefit from Crosspass by using it to exchange PGP public keys or fingerprints.
The Pretty Good Privacy (PGP) protocol is primarily used to encrypt email. However, the biggest issue is the requirement for the recipient to already have the PGP configured and for the sender to have obtained the recipient’s PGP public key before sending the email. In detail,
- the sender creates a draft email
- the sender asks the recipient to install PGP software
- some time passes …
- the recipient configures PGP and emails PGP public key to sender
- some time passes …
- the sender inputs it into PGP software
- the sender encrypts and sends the message
- some time passes …
- the recipient receives the email and decrypts it with PGP software
In contrast, with Crosspass the sender does not require the recipient to install software apriori. This removes the need to wait for the recipient, making the flow natural. In detail,
- the sender creates an message (a note or a password)
- the sender registers it on the Crosspass server and receives a Lookup ID (the message is not sent to the server)
- the sender emails the Lookup ID and the PIN to the recipient
- some time passes …
- the recipient installs Crosspass
- the recipient inputs Lookup ID and the PIN into Crosspass
- the recipient’s and sender’s mobile devices negotiate an authenicated symmetric key
- the sender’s device encrypts the message and sends it to the recipient’s device
- the recipient’s device decrypts it
Note that in step 8 the sender does not need to be present at his device. His device merely needs to have WiFi or Cellular Data.
A recurrent theme of the last two decades is the difficulty to encrypt email. A 2021 academic survey Usability of End-to-End Encryption in E-Mail Communication concluded that “despite of existing technology, users seldom apply them for securing e-mail communication.”
There are other usability differences in favor of Crosspass,
- Installing PGP software is more complicated than installing the Crosspass mobile app.
- Crosspass uses simpler terminology of Lookup ID and PIN compared to PGP’s private, public keys and fingerprints which are a bad analogy to physical keys and physical fingerprints.
- PGP users must not lose private keys. Crosspass uses a new PIN (and new keys) for every transfer.
- If a private PGP key is stolen, confidential communication will be decrypted. In contrast, the Crosspass app deletes all data after transfer and pending data is deleted after 2 weeks.