Keybase

Last updated
Keybase
Keybase logo official.svg
The Keybase logo
Type of site
Encrypted social networking service
Available inEnglish
Owner Zoom Video Communications (2020)
Created byChris Coyne, Max Krohn, others
URL keybase.io
RegistrationRequired for membership
Users 407,163 (as of 2019-08-22)
LaunchedFebruary 14, 2014;10 years ago (2014-02-14)
Written inGo, JavaScript, Electron, React [1]

Keybase is a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner. [2] Additionally it offers an end-to-end encrypted chat and cloud storage system, [3] [4] called Keybase Chat and the Keybase Filesystem respectively. Files placed in the public portion of the filesystem are served from a public endpoint, [4] as well as locally from a filesystem mounted by the Keybase client. [5]

Contents

Keybase supports publicly connecting Twitter, GitHub, Reddit, and Hacker News identities, including websites and domains under one's control, to encryption keys. It also supports Bitcoin, Zcash, Stellar, and QRL wallet addresses. [6] [3] [7] [8] [9] [10] Keybase has supported Coinbase identities since initial public release, but ceased to do so on March 17, 2017, when Coinbase terminated public payment pages. [11] In general, Keybase allows for any service with public identities to integrate with Keybase. [9] [12]

On May 7, 2020, Keybase announced it had been acquired by Zoom, [13] as part of Zoom's "plan to further strengthen the security of [its] video communications platform". [14]

Identity proofs

Keybase allows users to prove a link between certain online identities (such as a Twitter or Reddit account) and their encryption keys. Instead of using a system such as OAuth, identities are proven by posting a signed statement as the account a user wishes to prove ownership of. This makes identity proofs publicly verifiable – instead of having to trust that the service is being truthful, a user can find and check the relevant proof statements themselves, and the Keybase client does this automatically.

App

In addition to the web interface, Keybase offers a client application for Windows, [15] [16] Mac, [15] [16] Android, [17] [16] iOS, [16] and most desktop Linux distributions, [16] written in Go with an Electron front end. The app offers additional features to the website, such as the end-to-end encrypted chat, teams feature, and the ability to add files to and access private files in their personal and team Keybase Filesystem storage. Each device running the client app is authorized by a signature made either by another device or the user's PGP key. Each device is also given a per-device NaCl (pronounced "salt") key to perform cryptographic operations.

Chat

Keybase Chat is an end-to-end encrypted chat built in to Keybase launched in February 2017. A distinguishing feature of Keybase Chat is that it allows Keybase users to send messages to someone using their online aliases (for example a reddit account), even if they haven't signed up to Keybase yet. [3]

If the recipient (the online alias owner) has an account on Keybase, they will seamlessly receive the message. If the recipient doesn't have a Keybase account, and later signs up and proves the link between the online account and their devices, the sender's device will rekey the message for the recipient based on the public proof they posted, allowing them to read the message. Since the Keybase app checks the proof, it avoids trust on first use. [18]

Keybase Filesystem (KBFS)

Keybase screenshot showing a user's keys Meekwire Keybase - James Gordon Meek.png
Keybase screenshot showing a user's keys

Keybase allows users to store up to 250 GB [19] of files in a cloud storage called the Keybase Filesystem for free. There are no storage upgrades available, but paid plans allowing for more data are planned. [20] The filesystem is divided into three parts: public files, private files, and team files. On Unix-like machines, the filesystem is mounted to /keybase, and on Microsoft Windows systems it is usually mounted to the K drive. [21] Currently, mobile versions of the Keybase client can only download files from kbfs, and can not mount it. However, they do support operations such as rekeying files as necessary. In October 2017 Keybase brought out end-to-end encrypted Git repositories. [22]

Public files

Public files are stored in /public/username, and are publicly visible. All files in the public filesystem are automatically signed by the client. [5] Only the user who the folder is named after can edit its contents, however, a folder may be named after a comma-separated list of users (e.g. a folder /public/foo,bar,three would be editable by the users foo, bar, and three). [5]

Public files can be accessed by any user. Single user folders are displayed at keybase.pub and are also accessible by opening the directory in the mounted version of the filesystem. Multi user folders (such as /public/foo,bar,three) are only accessible through the mounted version of the system.

Private files

Private files are stored in /private/username, and are only visible to username. Private folders, like public folders, can be named after more than one user (e.g. a folder /private/foo,bar,three would be readable and editable by the users foo, bar, and three). Private files can also be read only for users after "#" (e.g. a folder /private/writer1,writer2,#reader1,reader2 would be readable and editable by the users writer1 and writer2 but only readable for reader1 and reader2). [5] Unlike public files, all private files are both encrypted and signed before being uploaded, making them end-to-end encrypted. [4]

Team files

Team files are stored in /team/teamname, and are publicly visible to team members. All files in the team filesystem are automatically encrypted and signed by the client. [5] Only users who are marked as writers can edit its contents, however, any readers can access the files stored there. [23]

Teams

In September 2017, Keybase launched Keybase Teams. [24] A team is described as "...a named group of people." [25] Each team has a private folder in the Keybase filesystem, and a number of chat channels (similar to Slack). Teams can also be divided into "subteams" by placing a . in the team name. For example, wikipedia.projects would be a subteam of wikipedia, while wikipedia.projects.foobar would be a subteam of wikipedia.projects (and therefore, also of wikipedia).

Team administration

Teams are largely administered by adding signatures to a chain. Each signature can add, remove, or change the membership of a user in a team, as well as when changes are made to subteams.

Each chain starts with a signature made by the team owner, with subsequent actions signed on by team admins or users. [26] This ensures that every action is made by an authorized user, and that actions can be verified by anyone in possession of the public key used.

Related Research Articles

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse.

Filesystem in Userspace (FUSE) is a software interface for Unix and Unix-like computer operating systems that lets non-privileged users create their own file systems without editing kernel code. This is achieved by running file system code in user space while the FUSE module provides only a bridge to the actual kernel interfaces.

Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.

EncFS is a Free (LGPL) FUSE-based cryptographic filesystem. It transparently encrypts files, using an arbitrary directory as storage for the encrypted files.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Filesystem-level encryption, often called file-based encryption, FBE, or file/folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself.

Skype is a Voice over Internet Protocol (VoIP) system developed by Skype Technologies S.A. It is a peer-to-peer network where voice calls pass over the Internet rather than through a special-purpose network. Skype users can search for other users and send them messages.

This is a comparison of online backup services.

Trust on first use (TOFU), or trust upon first use (TUFU), is an authentication scheme used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look up the endpoint's identifier, usually either the public identity key of the endpoint, or the fingerprint of said identity key, in its local trust database. If no identifier exists yet for the endpoint, the client software will either prompt the user to confirm they have verified the purported identifier is authentic, or if manual verification is not assumed to be possible in the protocol, the client will simply trust the identifier which was given and record the trust relationship into its trust database. If in a subsequent connection a different identifier is received from the opposing endpoint, the client software will consider it to be untrusted.

<span class="mw-page-title-main">Cryptocat</span> Open source encrypted chat application

Cryptocat is a discontinued open-source desktop application intended to allow encrypted online chatting available for Windows, OS X, and Linux. It uses end-to-end encryption to secure all communications to other Cryptocat users. Users are given the option of independently verifying their buddies' device lists and are notified when a buddy's device list is modified and all updates are verified through the built-in update downloader.

<span class="mw-page-title-main">Mega (service)</span> Cloud storage and file hosting service

MEGA is a file hosting service offered by MEGA CLOUD SERVICES LIMITED, a company based in Auckland, New Zealand. The service is offered through web-based apps. MEGA mobile apps are also available for Android and iOS.

<span class="mw-page-title-main">Telegram (software)</span> Cross-platform encrypted instant messaging service

Telegram Messenger, commonly known as Telegram, is a cloud-based, cross-platform, encrypted instant messaging (IM) service. It was originally launched for iOS on 14 August 2013 and Android in October 2013. It allows users to exchange messages, share media and files, hold private and group voice or video calls, as well as public livestreams. It is available for Android, iOS, Windows, macOS, Linux, and web browsers. Telegram also offers end-to-end encryption in voice and video calls, and in optional private chats, which Telegram calls Secret Chats.

TextSecure was an encrypted messaging application for Android that was developed from 2010 to 2015. It was a predecessor to Signal and the first application to use the Signal Protocol, which has since been implemented into WhatsApp and other applications. TextSecure used end-to-end encryption to secure the transmission of text messages, group messages, attachments and media messages to other TextSecure users.

Threema is a paid cross-platform encrypted instant messaging app developed by Threema GmbH in Switzerland and launched in 2012. The service operates on a decentralized architecture and offers end-to-end encryption. Users can make voice and video calls, send photos, files, and voice notes, share locations, and make groups. Unlike many other popular secure messaging apps, Threema does not require phone numbers or email address for registration, only a one-time purchase that can be paid via an app store or anonymously with Bitcoin or cash.

<span class="mw-page-title-main">Signal (software)</span> Privacy-focused encrypted messaging app

Signal is an encrypted messaging service for instant messaging, voice, and video calls. The instant messaging function includes sending text, voice notes, images, videos, and other files. Communication may be one-to-one between users or may involve group messaging.

The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide" or Google who provides end-to-end encryption by default to all RCS-based conversations between users of their Google Messages app for one-to-one conversations. Facebook Messenger also say they offer the protocol for optional Secret Conversations, as does Skype for its Private Conversations.

<span class="mw-page-title-main">Mailfence</span> Encrypted email service

Mailfence is a secure and encrypted email service that offers OpenPGP based end-to-end encryption and digital signatures. It was launched in November 2013 by ContactOffice Group, which has been operating an online collaboration suite for universities and other organizations since 1999.

Wire is an encrypted communication and collaboration app created by Wire Swiss. It is available for iOS, Android, Windows, macOS, Linux, and web browsers such as Firefox. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration – all protected by a secure end-to-end-encryption. Wire offers three solutions built on its security technology: Wire Pro – which offers Wire's collaboration feature for businesses, Wire Enterprise – includes Wire Pro capabilities with added features for large-scale or regulated organizations, and Wire Red – the on-demand crisis collaboration suite. They also offer Wire Personal, which is a secure messaging app for personal use.

References

  1. "keybase/client", Github, 2014-12-12 The Keybase client Github repository.
  2. "Sigchain | Keybase Docs". keybase.io. Retrieved 2019-06-09.
  3. 1 2 3 Dalton, Andrew (2017-09-02). "Keybase's encrypted chat works with accounts you already have". Engadget. Retrieved 2017-06-05.
  4. 1 2 3 Russell, Jon (2016-05-02). "Keybase Introduces End-To-End Encrypted File Sharing Service". TechCrunch. Retrieved 2017-05-06.
  5. 1 2 3 4 5 "Understanding the Keybase filesystem". Keybase. Retrieved 2017-09-26.
  6. Fleishman, Glenn. "Keybase Wants To Make Serious Encryption Accessible To Mere Mortals". Fast Company. Retrieved 5 June 2017.
  7. "Keybase chooses Zcash". The Keybase Blog. Retrieved 2018-02-06.
  8. "Stellar wallets for all Keybase users". The Keybase Blog. Retrieved 2019-09-16.
  9. 1 2 "Keybase ♥'s Mastodon, and how to get your site on Keybase". keybase.io. Retrieved 2019-06-08.
  10. "QRL and Keybase". www.theqrl.org. 2019-04-24. Retrieved 2021-04-06.
  11. "Abrupt Termination of Coinbase Support". The Keybase Blog. Keybase, Inc. Retrieved 5 June 2017.
  12. "Proof Integration Guide | Keybase Docs". keybase.io. Archived from the original on 2019-06-08. Retrieved 2019-06-08.
  13. "Keybase joins Zoom". keybase.io. Retrieved 2020-05-07.
  14. "Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering". Zoom Blog (Press release). 2020-05-07. Retrieved 2020-05-07.
  15. 1 2 Fleishman, Glenn (Feb 15, 2017). "Keybase offers encrypted chat where you control all the pieces". Macworld. Retrieved June 8, 2017.
  16. 1 2 3 4 5 Dunn, John E (May 31, 2017). "Keybase adds end-to-end encryption to messages on the web". Naked Security. Retrieved June 8, 2017.
  17. Hoff, John (May 12, 2017). "Keybase encrypted chat now available on Android". androidcommunity.com. Retrieved June 8, 2017.
  18. "Introducing Keybase Chat". The Keybase Blog. Keybase, Inc. Retrieved February 12, 2018.
  19. "FYI - we changed the default KBFS plan to 250GB instead of just 10GB. Very few people are hitting the limit so it's less work to let them go past it than deal with UX around upgrading right now". Keybase (via Wayback Machine). Archived from the original on 2017-12-22. Retrieved June 11, 2018.
  20. "Keybase". keybase.io. Retrieved 2019-02-10.
  21. "Introducing the Keybase filesystem". Keybase. Retrieved 2017-09-26.
  22. "Keybase launches encrypted git". The Keybase Blog. Keybase, Inc. Retrieved June 11, 2018.
  23. "KBFS - Understanding KBFS | Keybase Docs". keybase.io. Retrieved 2019-06-09.
  24. Hackett, Robert (18 September 2017). "First They Made OkCupid and SparkNotes. Now They're Taking on Slack". Fortune Tech. Retrieved 21 September 2017.
  25. "Teams for Keybase". Keybase.io. Archived from the original on October 27, 2018. Retrieved September 21, 2017.
  26. "Teams: Naming, Merkle Tree Integration, And Signature Chains". Keybase. Retrieved 2017-09-26.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.