A new instant messaging application for the iPhone uses an advanced, "post quantum" encryption scheme to scramble one-on-one chats. It's intended as a bullet-proof secure alternative to WhatsApp's addictive message interface and to mobile carrier's primitive and (outside the U.S.) pricey SMS texting services.
The app's encryption randomizes the message output before transmission, so each message is unique without detectable patterns that an attacker could exploit. And PQChat keeps minimal personal information about the sender: it stores a one-way encrypted value of the user's phone number, an encrypted user-supplied nickname, and a pseudo ID image.
The free version of PQChat, from SDR Wireless Ltd., is aimed at consumers. The paid version is licensed to enterprises and offers additional features, such as QR code authentication, enterprise key management, a full audit trail of all messages, message backup and in the future secure voice and video calls.
PQChat is the first SDR product to make use of the vendor's Never-the-Same (NTS) encryption. NTS itself is based on the asymmetric encryption algorithm developed in 1978 by Robert McEliece. According to SDR, McEliece's encryption scheme has so far not been broken, even using the emerging techniques of quantum computing. As a result the McEliece algorithm is considered a "post quantum" (the "PQ" in PQChat) encryption scheme.
Without going into the mathematical depths of McEliece's work, he figured out a way to create a public/private encryption key system that is prohibitively costly -- in computational time -- to break. Despite that, its encryption and decryption are faster than that of algorithms such as RSA. But one major drawback is that McEliece's public and private keys are very large, so large that they've been rarely used commercially.
SRD Wireless has at least two patents for improving McEliece's system, including one that makes these keys smaller without compromising security.
PQChat uses the XMPP protocol, originally designed for desktop IM, transmitted via VoIP, to improve message reliability and handling, says Andersen Cheng, SRD's CEO. The McEliece-based NTS encryption scrambles the message contents on the device, using the recipient's public key, which is available from the PQChat server. But the server has no knowledge of what's being sent, and can't unscramble the contents. The message is deleted after delivery to the recipient, who is the only person who can decipher, using his private key.
PQChat uses unique form of authentication, which the vendor dubs "man-at-the-end" or MATE. MATE generates a unique cryptographic representation a number -- of a user's public key. Then a user records a video of himself, reciting that number. According to SRD, this approach does away with the need for a third-party Certificate Authority.
Read more about anti-malware in Network World's Anti-malware section.