What is contact key verification?

Contact key verification (CKV) is a security process used in end-to-end encrypted messaging applications to confirm that you are communicating with the intended person and not an imposter. It involves verifying the cryptographic keys associated with your and your contact's accounts. This process helps protect against Man-in-the-Middle Attacks.

Here are some key aspects of CKV:

• Purpose: The primary purpose of Contact Key Verification is to establish trust and authenticity in your communication channels. It ensures that the messages you send are only decryptable by the intended recipient and vice-versa.

• Methods: Common methods include:

  • Comparing Keys: Manually comparing cryptographic fingerprints or short authentication strings (SAS) displayed by the application. These fingerprints or SAS represent the public keys used for encryption.
  • Scanning QR Codes: Scanning a QR code containing the contact's public key. This is a faster and less error-prone method than manual comparison.

• Fingerprints and SAS: Cryptographic Fingerprints are long, hexadecimal representations of the public key. SAS are shorter, human-readable strings derived from the key. Both serve the same purpose: uniquely identifying the key.

• Trust on First Use (TOFU) vs. Verification: TOFU assumes the initial key is valid and warns if it changes later. CKV actively verifies the key against an out-of-band mechanism to confirm its validity from the start.

• Importance: CKV is particularly important when communicating sensitive information or when there's a higher risk of interception or impersonation. It strengthens the security provided by End-to-End Encryption by adding an extra layer of assurance.

• Implementation: The specific steps for verifying keys vary depending on the messaging application. However, the underlying principle remains the same: confirming that the cryptographic keys match between you and your contact through a trusted channel.