While US security agencies including the FBI have been warning against the increasing use of encryption, the German government wants to do the opposite and make the technology widespread. After initial efforts failed to gain traction, the Fraunhofer Institute believes it has the solution: Volksverschlüsselung - 'Encryption for Everyone'.
The Volksverschlüsselung service, also available as an app, is designed to provide easy-to-use, end-to-end email encryption, and it will be free.
"Everybody should use encryption," project manager Michael Herfert told ZDNet. "It needs to be so simple that it's the normal way of communicating."
While the security issues inherent to online communications have been known about for some time, it wasn't until whistelblower Edward Snowden released documents about the NSA's data collection programs that the general public realised that widespread email espionage was actually occurring.
In Germany, a country that prides itself on protecting personal privacy, the Snowden revelations were a call to action. The government made the creation of encryption for the masses part of its digital agenda, and in 2012, the German interior ministry launched De-Mail, aimed at ordinary web users. However, De-Mail has so far failed to gain significant take up, with around one million people using the encrypted email service as of February this year.
Part of the problem with De-Mail is that it did not meet the highest standards of security, and just recently started offering end-to-end encryption, and only then as optional. It's also a "closed circle," as Herfert highlighted: De-Mail users can only send encrypted emails if the recipient also uses the same service.
The keys to easy encryption
Fraunhofer's solution aims to solve many of the tricky problems of providing end-to-end encryption for the general public.
First, to offer a high level of security, it uses the two-key method: users must have a private key and a public key. To send an email to someone, the sender must have the receiver's public key, which is published in a directory. The receiver then decodes the email using their private key, which is known only to them.
Such keys have been available in Germany for about 18 years. However, the agency that provides them charges about €100 for the service. Fraunhofer intends to remove this hurdle by providing keys for free.
The institute is making a no-cost app available on its website which will generate keys with a high-security key length of 2,000 bits. "The NSA can't break a key like that," Herfert said.
The application will also automatically configure the user's email programs to support the keys. The first version, which will be released this summer, will work with Microsoft Outlook, one of the most common email programs used in Germany. Future versions will include more email programs including Mozilla's Thunderbird and even web-based mail like Gmail and Yahoo. The next highest priority for Fraunhofer is to make the application work with Android so that people can send encrypted emails from their smartphones.
Burn after reading
Fraunhofer's 'Encryption for Everyone' is not a closed circle. It allows users to send encrypted emails to people who are not using the app -- or any encryption service at all, for that matter. The latter option is less secure, but uses a 'burn after reading' type feature that will alert the recipient if the mail has been compromised.
When a user sends an encrypted email to someone without encryption, the email goes to a zero-bin server, a server that has no knowledge of the data it's storing. Then, the intended recipient will get an email with a URL and another email with a password so they can then access the server, use the password to retrieve the message, and decrypt it.
There is a chance that those emails can be seen by a third party who can then access the encrypted message. However, the email can only be read once. That means in the worst case scenario where a criminal or surveillance worker has read the email, the intended recipient can't go on to read it themselves. Instead, they get a message that says the email has been read by someone else.
"Then you know your email has been read," said Herfert. "You'll know you're a victim. That's motivation to be part of Volksverschlüsselung."
The Fraunhofer Institute also intends to have the service reach past the closed circle of national borders. The institute showcased the 'Encryption for Everyone' app at the Cebit conference in Hannover in March and is now searching for partners to expand the reach of the system.
"The first step will be in Germany, but we don't want to be alone," Herfert said. "We're happy to have partners anywhere in the world."