Two are always stronger than one. It’s common knowledge everyone can get behind, especially when it comes to security and privacy. At Tungsten, the natural next step for us to boost the security of our encrypted chat app was to introduce a hardware layer that protects our users’ private personas. Since we’re always on the lookout for the right partners, we were thrilled when we found some like-minded individuals right here in Berlin to help us develop our Tungsten hardware solution.
As experts in mobile device security, Cotech helped us integrate their solution into our existing codebase to build a hardware key that protects users’ anonymous personas and their data on Tungsten.
What is the Hardware Key All About?
Near-field communication (NFC) devices communicate over very short ranges, usually a few centimeters. You may already be using key fobs or contactless payment cards with this technology. Cotech develops cards that store encryption keys and can unlock accounts, Tungsten personas, and encrypted data on your mobile device.
For the most part, we control custody of our mobile phones. We have them with us at all times. However, depending on where you live, where you travel to, or other factors, you may need to plan for your phone being stolen or someone demanding that you unlock your phone. For example:
The border patrol case:
Border control agents can ask to inspect phones and ask travelers to log into social media and chat accounts. Having no chat accounts looks suspicious. Tungsten Messenger has both private and public personas on the same app. By presenting only Tungsten *public* personas, you can plausibly deny owning any other sensitive communication accounts. The Tungsten Security Card gives you access to private persona accounts only when the card and the device are combined. This acts as a physical 2FA (2-factor authentication).
Strong disk encryption:
By using a strong password generated by the security key, we can ensure that the local database is protected against any brute-force cracking attempt. So even if someone obtains your phone and breaks through the device sandbox or PIN protection, they will still fail at brute-forcing the local Tungsten database for your hidden persona. Just stealing your key card doesn’t grant any access to your Tungsten account, either.
How Does it Work?
Once you’ve received your security card you can start using it instantly to create disposable, anonymous personas.
When signing up or logging into an anonymous persona, a toggle called ‘Use Hardware Key to encrypt this persona’ will appear in the UI. After the toggle is turned on and you follow the on-screen instructions, you’re prompted to use the Hardware Key by laying it on the back of the device.
The cards are reusable and a new persona can be set up using the same steps. Keep in mind that the card can hold only one persona at a time. As soon as you close the app, you’ll be logged out and your persona will disappear. It will only reappear once you open the app and tap the back of your phone again with the Key Card.
Unlike simple NFC tags that openly store data and are available for anyone to read, security cards store cryptographic keys in a way that prevents copying or theft. Because your card is bound to the Tungsten app on your phone, no data about your persona can be extracted from the card, even if someone tries to copy or steal it. The same goes for stealing your phone: all data about the hidden persona is encrypted with the cryptographic keys stored on the card, so even getting access to the phone will not reveal any information.
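The card-plus-phone binding and the brute-force resistance described above can be sketched as a challenge-response key derivation. This is an added example, not Tungsten's or Cotech's code: `SimulatedCard`, `derive_db_key`, the HMAC challenge-response scheme and the HKDF labels are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets


class SimulatedCard:
    """Assumed stand-in for the NFC card: the secret never leaves this object."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # generated on-card, not exportable

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_db_key(card: SimulatedCard, phone_challenge: bytes, persona_id: bytes) -> bytes:
    """The database key exists only while the card and the phone value are together."""
    response = card.respond(phone_challenge)
    return hkdf_sha256(response, salt=phone_challenge, info=b"persona-db:" + persona_id)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of the given shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values: two cards and one app-stored challenge.
    card, other_card = SimulatedCard(), SimulatedCard()
    phone_challenge = secrets.token_bytes(32)
    key = derive_db_key(card, phone_challenge, b"persona-1")
    print(key == derive_db_key(card, phone_challenge, b"persona-1"))         # same card, same phone
    print(key == derive_db_key(other_card, phone_challenge, b"persona-1"))   # phone without the card
    print(key == derive_db_key(card, secrets.token_bytes(32), b"persona-1")) # card without the phone
    print(f"6-digit PIN: {keyspace_bits(10, 6):.1f} bits; card secret: {keyspace_bits(256, 32):.0f} bits")
```

In this model the phone holds only a random challenge and the card holds only a secret it never releases, so neither half on its own yields the database key, and the key has the full 256-bit keyspace of the card secret rather than that of a PIN.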
How do I Get a Card?
We will be testing our product out this month with our users. The cards will be initially distributed freely at meetups, so be sure to sign up for one if you are in the area: https://www.meetup.com/Online-Security-and-Privacy/
We are Tungsten Labs and we are building an industry-leading secure messenger that protects your privacy. It has built-in Tor support, multiple personas, and strong encryption protocols.