I explored the challenge of establishing a secure channel in a business-to-business use case a few days ago. Between the company I work for and another company, where the information was very sensitive, the risk of it being compromised was unacceptable, and the requirement that I share the information with the other party undeniable.
The goal was to get a secret string of text from my system into the system of another party. I have explored cryptography for a long while and so I was confident that all the tools I had could do the job very well. The real challenge was in establishing a communications protocol and a secure channel. Amongst my explorations, I had the entire suite of OpenSSL library ciphers at hand, I had GPG, and the answer which I sort of knew already even before I started this foray into cybersecurity, that Signal would eventually be my answer.
It was at first exploration of the challenge of it. How could I get a secret alphanumeric string to another party that had none of the tools or the experience of cryptography that I had in my library? All of it was fated before I even started, but I at least wanted to go through the motions and explore this problem as if I was sitting in the middle of it without any view of the win condition at the end. The first stab was GPG, so I searched for any public keys related to the other company, and there were none. That was worth a smirk, and I nodded because I would have been shocked if there was a hit at all, so GPG was a dead end. The next effort was thinking about what sort of cipher could be used. This selection of a cipher was symmetric cryptography. I would need to encode the message so that it would be suitable for email transmission, and encrypt the data using some standard cipher that I knew would be possible for both parties, and then I spent a while trying to figure out the password for the cipher. I knew that base64 would be great for encoding and decoding the message, and I still have faith in AES-256-CTR, but that left me having to select a password that I could use that both sides knew. Any effort to share that password in any other non-secure channel would render all my efforts for nothing because then the cipher would be a mathematical contrivance because the security of the password then became equivalent to the security of the payload. If the password was passed in clear text, then the entire endeavor was meaningless.
So this entry becomes a love letter to Signal. It covered everything I needed. It used encryption end-to-end and it was vetted and secure, it didn’t require public keys, or specifically, the user wasn’t involved with that part of the process, and I could trust that the inbound mobile number matched the intended recipient. I didn’t need to exchange passwords or agree on a cipher or a protocol. The application and service are free as well, so there wasn’t even a cost barrier to this solution! It checks off every box on my list. I was able to copy and paste the secure string of data over Signal to the other person and conclude the task that I set for myself at the beginning of all of this. There is more to Signal than just this use case and I encourage everyone I know to download it, sign in, and start using it.