Tuta Mail has announced TutaCrypt, a new post-quantum encryption protocol to secure communications from powerful and anticipated decryption attacks.
Tuta Mail is an open-source end-to-end encrypted email service with ten million users.
Its creator, Tuta, is based in Germany, where it's involved in developing post-quantum secure cloud storage and file-sharing solutions for the government.
Today, Tuta announced the launch of TutaCrypt, a new protocol designed to protect currently exchanged communications from 'harvest now, decrypt later' attacks.
In a harvest now, decrypt later attack, an adversary collects encrypted data that cannot be decrypted today and stores it until more powerful decryption methods become available.
TutaCrypt combines CRYSTALS-Kyber for post-quantum key encapsulation and X25519 for the Elliptic-Curve Diffie-Hellman (ECDH) key exchange.
Like others in the field, including Signal and Apple, Tuta has opted for a hybrid model approach, combining state-of-the-art quantum-safe algorithms with traditional algorithms to offer complete protection against current and future threats.
TutaCrypt encryption generates two key pairs for Tuta Mail accounts: an X25519 key pair for the ECDH and a Kyber-1024 key pair for key encapsulation.
These keys, which now replace the old RSA key pairs, are securely stored and encrypted on Tuta's Germany-based servers and are accessible across user devices.
For authenticated encryption, TutaCrypt employs AES-256 in CBC mode with HMAC-SHA-256.
The protocol derives long-term AES-256 keys to encrypt data stored on the server from the user's password using Argon2.
TutaCrypt uses a combination of these algorithms to exchange a cryptographic key, which is then used to encrypt and decrypt the entire message, including its body, subject, and attachments.
The process combines two ECDH-derived shared secrets and a third from Kyber key encapsulation.
These secrets feed into a key derivation function, creating a secure message key for encryption and decryption.
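The combination step described above, as an added example that is not Tuta's code: it assumes HKDF-SHA-256 as the key derivation function (the article does not name one), and the three secrets are constructed placeholder bytes standing in for real X25519 and Kyber outputs. The function names and the context label are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_message_key(ecdh_1: bytes, ecdh_2: bytes, kyber: bytes, context: bytes) -> bytes:
    """Combine two ECDH secrets and one Kyber secret into a 256-bit message key."""
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (ecdh_1, ecdh_2, kyber))
    return hkdf_sha256(ikm, salt=b"", info=context)

def constructed_secret(label: str) -> bytes:
    """Constructed 32-byte stand-in for a real shared secret (not real key material)."""
    return hashlib.sha256(label.encode()).digest()

def hybrid_check() -> dict:
    """Show that the message key changes if any single input secret is wrong."""
    ctx = b"example-context"  # assumed label, not taken from the protocol
    good = [constructed_secret(n) for n in ("ecdh-1", "ecdh-2", "kyber")]
    key = derive_message_key(*good, ctx)
    result = {"key_len": len(key)}
    for i, name in enumerate(("ecdh_1", "ecdh_2", "kyber")):
        guess = list(good)
        guess[i] = constructed_secret("wrong-guess")
        # Constant-time comparison, as used when checking derived keys or MACs.
        wrong_key = derive_message_key(*guess, ctx)
        result[name + "_required"] = not hmac.compare_digest(key, wrong_key)
    return result

if __name__ == "__main__":
    print(hybrid_check())
```

Because every secret feeds the derivation, recovering only the elliptic-curve secrets from harvested traffic does not yield the message key without the Kyber secret as well.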
Compromise of the long-term identity keys is a risk point.
Cryptographically guaranteed authentication and various improvements in the protocol itself are part of Tuta's plans.
New Tuta Mail accounts will get TutaCrypt upon creation, and existing users will get the superior protocol through a gradual key rotation that will take place over the next period.
No user action is required when migrating to the new encryption algorithm.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 11 Mar 2024 21:25:11 +0000