What is Keybase?

If you look at my blog links, have followed me on Twitter, or received an email from my corporate "persona," you may have noticed a link to something called "Keybase" or "PGP."  While I don't have many secure conversations with any of my email addresses, I was interested in the process of achieving the elusive goal of a truly "secure" conversation chain.  In 2016, I was sent an invite to join a new website called keybase.io.  Their business model was the ability to post your public PGP key so that other folks could send you an encrypted message or verify a message you had sent.  For a brief description of how public-key cryptography works, here's Wikipedia:
Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.
In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
I had looked into PGP keys before, but the issue had always been finding a way to make my public key available to anyone who wanted it.  I had a key I had generated using OpenPGP, but since I had nowhere to easily point people to if they wanted to use it, it was essentially useless.  I needed to solve the "Web of Trust" problem I was having (described here by PGP inventor Phil Zimmermann via Wikipedia) before I could begin using PGP:
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
Since I was just getting started and none of my friends were using PGP, I had no web of trust to socialize my keys to.  Keybase solved the issue by letting me vouch for my own key from other places where I was already known.  You can see my original Tweet vouching for my Keybase identity if you scroll far enough back in my tweets, and the same goes for my GitHub and Reddit posts.  If you and I know each other on Facebook, you can find it there.  If you look at the DNS settings on my websites, you can see that I have records there tying them back to Keybase.  This lets you confirm that the owner of each of these public accounts and domains is also the owner of the key in question.  Keybase allowed me to essentially become my own web of trust.

So, now that you can prove the public PGP key I'm sharing is actually mine, what can you do with it?  Well, it's got three main uses.

  1. Encrypting messages to me you don't want read by others
  2. Decrypting messages I have sent you
  3. Validating digital signatures I have placed on messages to assure you I actually sent them
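As an added example (not code from the original post, and not Keybase's own implementation), the following Go program uses the standard library's RSA-OAEP and RSA-PSS in place of PGP to show the three uses above in action, together with the Keybase-style self-proof described earlier: the key owner signs a constructed claim linking a social account to the key, and anyone holding only the public key can verify it, while a tampered claim or an unrelated key fails the check. The names Identity, RunDemo and DemoResults, the claim text and the sample message are all assumptions made for this example, not anything from Keybase's real proof format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity is one party's key pair (hypothetical helper, not Keybase's API).
// Only the public half is ever shared; the private half never leaves this struct.
type Identity struct {
	priv *rsa.PrivateKey
}

// NewIdentity generates a fresh RSA key pair of the requested size.
func NewIdentity(bits int) (*Identity, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Identity{priv: k}, nil
}

// Public returns the half of the key that can be published on a site like keybase.io.
func (id *Identity) Public() *rsa.PublicKey {
	return &id.priv.PublicKey
}

// Encrypt seals msg so that only the holder of the matching private key can read it (use 1).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message that was sealed with this identity's public key (use 2, from the key owner's side).
func (id *Identity) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.priv, ct, nil)
}

// Sign produces a signature over msg that anyone holding the public key can check (use 3).
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, id.priv, crypto.SHA256, h[:], nil)
}

// Verify reports whether sig was produced over msg by the private key matching pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// DemoResults collects the outcomes so they can be checked rather than only printed.
type DemoResults struct {
	Decrypted     string // plaintext recovered by the key owner
	ProofValid    bool   // constructed identity claim verifies against the owner's public key
	TamperedValid bool   // same signature checked against an altered claim (expected false)
	WrongKeyValid bool   // claim checked against an unrelated public key (expected false)
}

// RunDemo walks through the three uses plus a Keybase-style self-proof.
func RunDemo() (DemoResults, error) {
	var r DemoResults
	owner, err := NewIdentity(2048) // the blog author's key in this scenario
	if err != nil {
		return r, err
	}
	stranger, err := NewIdentity(2048) // an unrelated key, to show verification fails
	if err != nil {
		return r, err
	}

	// Uses 1 and 2: a reader encrypts to the published public key; only the owner can decrypt.
	ct, err := Encrypt(owner.Public(), []byte("meet at the usual place"))
	if err != nil {
		return r, err
	}
	pt, err := owner.Decrypt(ct)
	if err != nil {
		return r, err
	}
	r.Decrypted = string(pt)

	// Use 3, applied to identity proofs: the owner signs a constructed claim tying a social
	// account to this key (a stand-in for Keybase's real proof format) and posts it publicly;
	// anyone can then check it against the published key.
	claim := []byte("constructed claim: twitter user @example_handle controls this key")
	sig, err := owner.Sign(claim)
	if err != nil {
		return r, err
	}
	r.ProofValid = Verify(owner.Public(), claim, sig)
	r.TamperedValid = Verify(owner.Public(), []byte("constructed claim: twitter user @someone_else controls this key"), sig)
	r.WrongKeyValid = Verify(stranger.Public(), claim, sig)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The same signing step is what lets a third party trust a proof posted on Twitter, GitHub or a DNS record without ever talking to the key owner: the claim is public, the signature is public, and only the published key is needed to check that the two belong together.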
Are any of these vital requirements in the information economy?  Not really.  I'm no Snowden or Assange, so my cryptography needs are minimal.  I don't sign my private messages, since the capabilities of Gmail and other free providers at validating them are minimal.  I *do* digitally sign my corporate emails.  However, due to corporate requirements, I use a standard certificate authority to get a digital signature on every email I send.  I mainly went through this exercise in case I ever needed it.  It provides an extra level of security and allowed me to get into some of the details of PGP and certificates (but by no means all).  Keybase has also expanded their offerings and now provides encrypted file hosting, chat, Git repositories and other encryption-based services.  They have a command line tool you can install to encrypt items directly on your own computer.  Their PGP encryption offering is open source and available on their website.

If using something like Keybase sounds interesting to you or you want to get started using PGP, drop me a comment below.  I have a number of invites to Keybase sitting on my account and would be happy to send one your way to try it out.

Disclaimer: I am not affiliated with Keybase.  Keybase has provided me with no incentives for this post.  All the invitations were received by virtue of being a user of Keybase.  While I am happy to send you an invite, I may run out.  I have no control over the Keybase services, which may change at any time.  All thoughts in this post are mine unless otherwise noted.
