2

A few days ago, Google published Key Transparency to solve the problem of verifying the key fingerprints of e.g. your chat partners.

Unfortunately, I don't really understand how Key Transparency works. Can someone explain it in simple words or with a nice example?

And will it make manual fingerprint comparison in real life obsolete?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Aliquis
  • 869
  • 1
  • 9
  • 12

1 Answers1

5

Key Transparency makes it possible for users to know about all the public keys that are in the user's account, preventing the server from adding public keys to a user's account without detection. Key Transparency does this by using piece of blockchain technology called a Merkle Tree.

When Bob wants to talk to Alice, he first asks the server for

  1. Alice's latest public key
  2. An inclusion proof of Alice's public key in the latest key-value database snapshot (Map Root)
  3. An inclusion proof of the latest snapshot in a log of global state (Signed Log Root).

This proves to Bob that Alice's key has been publicly committed to and that Alice can see it.

When Alice audits her account she walks through the merkle tree to see all the public keys that have ever been in her account. If there are any public keys that she does not recognize, she can remove them.

Manual fingerprint comparison still has value because it proves to Bob that Alice has indeed inspected her account for public keys she does not recognize. But for all those times that people don't check fingerprints, Key Transparency helps make sure that everything is still OK.

Gary Belvin
  • 61
  • 1
  • 3