There’s a fairly new social network, so to speak, on the scene these days. It’s called Keybase, and the name sums up the main idea of the network: a common base for (public) cryptographic keys. In this two-part series, we’ll first look at public-key cryptography and then look at why Keybase is such a great idea.
Cryptographic algorithms are often split into two categories: asymmetric and symmetric cryptography. In asymmetric cryptography, you have a public key for encrypting a plaintext into a ciphertext, and a private key for decrypting it. In symmetric cryptography, the same key is used to encrypt and decrypt.
One of the advantages of public-key cryptography is that the public keys can be distributed freely. This allows a number of parties to encrypt messages for a recipient without any of them being able to read each other’s messages. It also means that key management becomes easier, with less chance of a compromised key.
Keybase and Public-key Cryptography
Keybase is a web-based frontend to GPG, the GNU implementation of PGP. It offers two pairs of operations. The first is for writing secret texts, and the second is for writing tamper-proof texts with a verified author.
Encryption and Decryption
The word cryptography comes from Greek and means “hidden text” or “secret text”, and this is the most obvious use case. This is what you will use when you write a message that you want to be unreadable to anyone but the recipient. If you have someone’s public key, you can encrypt a message that only they can decrypt and read.
Keybase makes this easy. First, select encrypt and pick a recipient on Keybase:
As you can see, the recipient picker shows you their names on the sites and accounts they have verified. More about that shortly, but that means that you can easily recognize someone even though they have a different username than you are familiar with. The search matches on all of the sites.
Write Your Message
Time to bring out the secrets!
You can choose to sign your message. We’ll talk more about signing in a moment. You might not always want to sign your message—sometimes deniability can be desirable.
Once the message is encrypted, you can either copy the ciphertext and send it to the recipient, or go back, edit the message and re-encrypt it if you need to make any changes.
The ciphertext looks like this:
Decrypting a message works the same way as encrypting it. A nice feature on Keybase is that it will automatically verify a signed message for you.
Digital Signing and Verification
Public-key cryptography can also be used to verify the authenticity of a message. Using a public key, you can verify that a message was written by someone in possession of the corresponding private key, and that the message is unaltered. You can use this to make a public statement that others can verify was written by you. Unlike encryption, the resulting text is still readable by anyone.
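As an added example (not code from the original post or from Keybase), the sketch below runs the operations described above with Node.js's built-in crypto module: encrypting for a recipient's public key, optionally signing first, and decrypting with automatic signature verification. Like OpenPGP, it encrypts the message with a one-time symmetric key and encrypts only that key with the recipient's public key. The names seal, unseal, alice and carol and the envelope layout are assumptions made for the illustration, and real PGP messages use a different format.

```javascript
// Added example: Node.js built-in crypto, not Keybase or OpenPGP code.
// The envelope layout (wrappedKey, iv, body, tag) is made up for this sketch.
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Encrypt `text` so only the holder of the recipient's private key can read it.
// Pass senderPriv to sign first; omit it to send an unsigned (deniable) message.
function seal(text, recipientPub, senderPriv = null) {
  const msg = Buffer.from(text, 'utf8');
  const sig = senderPriv ? crypto.sign('sha512', msg, senderPriv) : Buffer.alloc(0);
  const sigLen = Buffer.alloc(2);
  sigLen.writeUInt16BE(sig.length);
  // A fresh symmetric session key encrypts the payload; only that key is
  // encrypted with the recipient's public key.
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(Buffer.concat([sigLen, sig, msg])), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPub, oaepHash: 'sha256' }, sessionKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Decrypt with the recipient's private key, then check any signature against
// the public key of the sender the recipient expects.
function unseal(sealed, recipientPriv, senderPub = null) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPriv, oaepHash: 'sha256' }, sealed.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const plain = Buffer.concat([decipher.update(sealed.body), decipher.final()]);
  const sigLen = plain.readUInt16BE(0);
  const sig = plain.subarray(2, 2 + sigLen);
  const msg = plain.subarray(2 + sigLen);
  const verified = sigLen > 0 && senderPub !== null && crypto.verify('sha512', msg, senderPub, sig);
  return { text: msg.toString('utf8'), signed: sigLen > 0, verified };
}

// Constructed demo: alice writes to carol and signs the message.
const alice = newKeyPair();
const carol = newKeyPair();
const sealed = seal('Meet at noon.', carol.publicKey, alice.privateKey);
console.log(unseal(sealed, carol.privateKey, alice.publicKey));
```

Anyone holding carol's public key can call seal, but unseal throws unless it is given carol's private key, and verified is true only when the signature matches the sender key that was passed in.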
To illustrate, we input this signed text.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am the system administrator. My voice is my passport. Verify me.
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.8
Comment: https://keybase.io/crypto

wsBcBAABCgAGBQJVVP0uAAoJEC0vcXWOE5OST9sIAI3Na866Jb/yH7Acx1jDrqBH
bsQv8J21NNHHQfjXRA7fqxhoJCNjLRnMbnn4M97CsTzjgGoBhmn64mwTyrQpybYx
EYso+gorZeCgOF2T2e78UC4dDCL2ywZMtgWT/PCnSJYy8j06MtdVKcxLwx9+vZjH
QhVL6nFPN6dyhOzatplBSoilr3LEL9Nh5HV6CSDhgBYpWFkCzV2fxa09QMIy4MX5
gLr5CmUcm9yG8m2VVfOWdArx5o5a6NxSnKHjdnowmIRamLlCX0tLJ9Yf/rVJCsFQ
3f8RRi3sPdY+FJDpLZ3C73L0epCM+kuIpEw4oifj0dLUHjCf9C+fd7oqsEOdVmU=
=XK7E
-----END PGP SIGNATURE-----
If you’re wondering how this works, the following xkcd explains the algorithm behind it:
Keybase provides a web-based interface to PGP, and allows you to easily encrypt, decrypt, sign and verify messages. In the next post, we’ll take a closer look at why Keybase is so important.