A security researcher has developed a technique that could significantly improve the secrecy of text messages sent in near real time on iPhones. The technique, which will debut in September in an iOS app called TextSecure, will also be folded into a currently available Android app by the same name.
The cryptographic property known as perfect forward secrecy has always been considered important by privacy advocates, but it has taken on new urgency following the recent revelations of widespread surveillance of Americans by the National Security Agency. Rather than use the same key to encrypt multiple messages—the way, say PGP- and S/MIME-protected e-mail programs do—applications that offer perfect forward secrecy generate ephemeral keys on the fly. In the case of some apps, including the OTR protocol for encrypting instant messages, each individual message within a session is encrypted with a different key.
The use of multiple keys makes eavesdropping much harder. Even if the snoop manages to collect years worth of someone's encrypted messages, he would have to crack hundreds or possibly hundreds of thousands of keys to transform the data into the "plaintext" that a human could make sense of. What's more, even if the attacker obtains or otherwise compromises the computer that his target used to send the encrypted messages, it won't be of much help if the target has deleted the messages. Since the keys used in perfect forward secrecy are ephemeral, they aren't stored on the device.