The gold standard of secure private messaging requires end-to-end encryption between the parties involved with no way for the messaging service to obtain the keys used to scramble the message. Open Whisper Systems’ Signal Protocol and Signal apps implement seemingly the best version of that.
But there’s a small problem: the Signal apps are tied to your phone number, and Open Whisper uses a registration system to match you and find others. Companies like WhatsApp (part of Facebook) have taken the Signal Protocol and built it into their apps, but they have a similar problem of centralized management, even though it’s done well.
However, neither WhatsApp nor Open Whisper can obtain the keys involved in chats because of how the system was designed, which is what’s important. Apple’s iMessage is secured end-to-end, but a weaker design makes it feasible (if unlikely) that Apple could revise the system without users being aware to reduce the ability for messaging to remain absolutely private.
This is where a new, modest offering fits in from Keybase, a company centered on user-controlled ownership of identity using cryptographic elements, where said identity is proven and validated through social media accounts, websites, Bitcoin, and other methods. Keybase has just introduced an end-to-end encrypted chat option that relies entirely on cryptography and validation that’s in your control.
I’ve written about Keybase before, because I admire the combination of approaches they’re taking to provide a simplified strong identity. The firm’s code is open source, allowing validation, and they rely on open-source software for some of the fundamental parts of what they do. The secret sauce is binding it together into a graphically pleasing and user-comprehensible format, even for those people who have zero interest in or knowledge of the underlying details. Desktop software introduced a year ago helps a lot.
Keybase centers around a PGP-style key, a format that dates back over 20 years. PGP combines the power of public-key cryptography with simpler symmetrical encryption for speed. It’s effectively how SSL/TLS works for Web and email encrypted sessions.
A PGP key comprises a public/private key pair, in which fiendishly complicated math allows the creation of two intertwined keys. Knowing one doesn’t help you in any way determine the other. One key is public (hence “public-key cryptography”) and can be distributed freely. The other is private, and you must protect it at all costs.
To encrypt a message to one or more people with PGP, you obtain their public keys, and an algorithm encrypts a strong session key—one that can both encrypt and decrypt—with each public key. The message is encrypted with the session key, but only a recipient with an associated private key can retrieve the session key and then decrypt the message.
You can also create a file signature, which verifies that a document was unchanged since you signed it. The file is run through a “hashing” algorithm that creates a unique numerical representation that is encrypted by the sender’s private key. Any recipient can take the original document and run it through the same algorithm, then user the sender’s public key to decrypt the signature and confirm the document remains unchanged. Only someone with the private key can create a valid signature that the public key decrypts.
Your PGP key always stays private to you when using Keybase—it’s never stored in unencrypted form by Keybase and they never have access to it. All use of the key happens on the user side in a browser or in a native app. (You don’t have to have an existing key; Keybase can help you generate one.)
Cofounder Max Krohn says, “If someone came into our office and put a gun to our head, and said, ‘Guys, we’re going to need you to give out the wrong cryptographic credentials for this user,’ we’d have to say we can’t do this.” Even if Keybase’s systems were breached, only encrypted data would be leaked, requiring users’ keys and passphrases to unlock.
Keybase launched in 2013 to solve a couple big issues with PGP keys: how to find other people’s keys and verify they were legitimately in use by the party you were thinking of. Before Keybase, most PGP exchange was either personal (literally in person or verified through a website) or through publicly run keyservers, which are full of outdated junk, and sometimes contain dozens or hundreds of keys for a single person—without any way to figure which are valid.
To counter the problem, Keybase lets you prove your identity by posting “proofs” to various places: as tweets, as a public Facebook message, on a website you control, connected to a Bitcoin address, and so on. The more proofs, the more likely another person could trust that you’re in control of the key associated with the profile with your name on Keybase. For someone to spoof your identity, they’d have to hijack a number of different accounts you own with different protections. (I wrote about one aspect of this in using the free GPGTools encryption software with Apple Mail in 2015.)
Keybase has now extended this to chat, currently available for Windows and macOS. Mobile versions are the next priority. The interface is nice and simple, and in my testing worked just fine.
These chats differ significantly from every other ecosystem of any scale out there, because you absolutely control the keys used, and all associations for proof are ones you choose and can revoke at will, breaking your proof of who you are, which in turn lets everyone chatting or engaged in any interaction with you know.
Every other system generates cryptographic information for you and maintains associations, such as with a phone number. In the recent security issue misreported about WhatsApp, the valid issue was raised that if a user turned off security warnings and someone was able to take over a phone number belonging to a party with whom you chatted, that someone would seamlessly continue a conversation. (They wouldn’t be able to see earlier messages, however.)
The Signal apps don’t allow that kind of warning to be disabled, but do let someone register a new device with the same phone number. That will alert any party in conversation, but the phone number remains the single point of verification.
Signal and WhatsApp aren’t worse, by any means, but Keybase’s chat offers a reasonable set of different validation and syncing options.
How Keybase differs
With Signal and WhatsApp (with archiving disabled), forward secrecy is the watchword: once a message is received by a given recipient, that message can never be decrypted again by anyone else, even if they obtain access to account information and hijack a phone number. (iMessage doesn’t have forward secrecy, and it also stores transcripts all over the place in iOS and macOS.)
Keybase doesn’t rely on PGP for chats, as PGP is unwieldy for messaging and large-scale use. Rather, it generates a different kind of public/private paired key that’s unique for each device. Keybase tracks devices added and posts an online, uh, paper trail for transparency, and you can revoke any device from your account. When you add a device, you also get an offline key for recovery, keeping encryption under your control.
Using Keybase allows a history and sync across devices, but doesn’t sync or store the data in a cloud service, nor are any messages stored in a way that it or another firm could read. Even the transcripts stored on your devices are encrypted, and require the app, your key, and your passphrase to unlock. (If Keybase shut down, you could still use other encryption software to decrypt them, too, since you have all the necesary keys.)
Krohn says the company is considering a mode that would offer Signal-like protections, effectively locking a message to a single device and be able to “burn” them later, rendering them irretrievable.
But it’s definitely a weakness that’s known about PGP and other static public-key systems in general and Keybase in particular: another party obtaining your private key can read all messages ever encrypted with it. As a result, you can make different choices about what you protect, whether files or messages, using Keybase.
Keybase has other plans in the works to expand the use of its core system. It launched an extended beta of an encrypted filesystem about a year ago that’s nearing a full production launch. The Keybase filesystem creates an encrypted on-demand path on your desktop device, and placing anything in there automatically encrypts and syncs it in encrypted form to the cloud. Files are loaded and cached as needed, instead of always being synced as with Dropbox and similar systems. (The initial version is free and comes with 10GB of storage; paid storage will come after a full release.)
This is kind of a mess to pull off in any other fashion on a Mac, especially with the demise a few years ago of an alternative to encrypted disk images. Dropbox doesn’t allow user-controlled encrypted directories, and disk images are a messy way to manage this. Keybase is the only reasonable solution I’ve found, and I look forward to this moving into full release.
Another excellent part of the filesystem option, though, is being able to share encrypted directories with other people—this is how chat transcripts and associated files are stored—and access publicly shared directories from verified people.
Keybase is definitely a glimpse of a user-centric cryptographic future that requires less training to use, less dependence on infrastructure that’s proprietary and limited, and more ownership of your secure pieces.
Right now, it remains in a semi-invitation mode. Keybase routinely opens up access to new accounts, but to avoid spammers taking advantage of free storage, you might not always be offered a chance to create an account. Look for people with existing Keybase accounts, like yours truly, if you need an invitation.
Correction: This column originally stated Keybase used PGP for its chat system and encrypting filesystems, but it’s a different public-private key algorithm, linked to the same Keybase core identity.