Secure messaging app – Keybase
There are already lots of secure messaging applications that provide end-to-end encryption. Applications such as WhatsApp or Messages from Apple are easy to use and you don’t have to think about the encryption side of things. Wire is another secure messaging app. Then there is Telegram, which also encrypts all data to provide security. So I had to wonder whether there was any reason to sign up for another application doing the same sort of thing.
At the moment there is a disadvantage to using Keybase as your main messaging application: it’s only available on desktop computers. According to the application’s website, mobile applications are coming soon. So I set up Keybase to get a feel for what it can do and see what it’s like in real-time use.
Keybase claims it’s faster, and that may be the case, but I’ve never been worried about the speed of the other applications I have used so far. It has built-in encrypted chat, but then so do the other applications already mentioned. Keybase gives you built-in encrypted file sharing, and I can already do that using GPG Tools: I just use the Services menu in Finder to encrypt a file with the public key of my recipient, then send it as a mail attachment or by whatever means I deem suitable. Keybase also gives us cryptographic commands on the command line. For most people that’s not really going to be much of an advantage. Most users don’t use the command line and have no idea how to even open Terminal. It is also true to say that normal users would be scared of using the command line and Terminal.
The Keybase application does have one big advantage: it doesn’t take the word of the app for granted, and it checks every identity proof. When you are conversing with somebody you really want to know that the person at the other end is who they say they are. Checking identity and proving it cryptographically is where Keybase really shines as a secure messaging app.
Like a block chain – Proofs and revocations
When you set up your Keybase identity, the thing to do is to connect it to your other proven online profiles. You connect it to your Twitter account by posting a tweet which is then verified by Keybase. Do the same with Facebook, Reddit, Coinbase, your websites and a bitcoin address. All of this is put into a block chain record of what you have done with your Keybase account. It starts with creating a fresh Keybase account and adding your first key, then adding what they call a paper key, followed by a PGP fingerprint and then maybe claiming ownership of your Twitter account. In the Keybase web application you can see the chain, which checks all of these social proofs and gists, and you can even see a visual graph of how all of this fits together. This is all public information, so someone can see you are who you say you are. This block chain file is tamperproof, and if somebody tried to mess with it, it would be seen. So you would know if somebody was trying to pretend to be you. Keybase shows you if someone’s identity has been compromised. Other people would know if they should be wary of a message appearing to be from you, because they’d be able to see if someone had interfered with your identity. This is in comparison to the other end-to-end encrypted messaging services, where you just put your trust in the system. You have to just believe that the message you have received from somebody is from that person. You need to believe the encryption put in place is unbreakable. You’ve no way of checking or proving somebody’s identity as you can with Keybase.
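A simplified model of the chain described above, added here as an example and not Keybase's own code or link format: each link carries the hash of the link before it, so editing an earlier entry breaks verification, and replaying the links shows which proofs are still live after revocations. The field names, the sample entries and `joe.example` are assumptions, and the signature a real link would carry is left out.

```python
import hashlib
import json

def link_hash(link):
    """SHA-256 over a canonical JSON encoding of one link."""
    data = json.dumps(link, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(chain, kind, body):
    """Add a link that commits to the hash of the link before it."""
    prev = link_hash(chain[-1]) if chain else None
    chain.append({"seqno": len(chain) + 1, "prev": prev, "type": kind, "body": body})

def verify(chain, pinned_head=None):
    """Return (ok, reason). pinned_head is a head hash the verifier saved earlier."""
    prev = None
    for i, link in enumerate(chain, start=1):
        if link["seqno"] != i:
            return False, f"seqno gap at position {i}"
        if link["prev"] != prev:
            return False, f"link {i} does not match hash of link {i - 1}"
        prev = link_hash(link)
    # Editing or dropping the newest links leaves the rest self-consistent,
    # so that case is only caught by comparing against a remembered head.
    if pinned_head is not None and prev != pinned_head:
        return False, "head hash differs from pinned value"
    return True, "ok"

def active_proofs(chain):
    """Replay the chain: a proof adds a claim, a revocation removes an earlier one."""
    live = {}
    for link in chain:
        if link["type"] == "proof":
            live[link["seqno"]] = link["body"]
        elif link["type"] == "revoke":
            live.pop(link["body"], None)  # body = seqno being revoked
    return sorted(live.values())

def build_sample():
    """Constructed sample chain; real links are also signed, omitted here."""
    chain = []
    append(chain, "key", "first device key")
    append(chain, "key", "paper key")
    append(chain, "proof", "twitter:MrJoe")
    append(chain, "proof", "web:joe.example")
    append(chain, "revoke", 4)
    return chain
```

Dropping the final revocation link leaves a chain that still checks out internally, which is why `verify` also accepts a previously saved head hash.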
Who needs this level of security?
Most of us just need to send an encrypted text message once in a while. We know the person we are in contact with, or we know enough about the person to be sure who we are talking to. The sort of system provided by Keybase will be more for a group of people coming together for the first time. Maybe in a business situation where there is sensitive information which needs to be kept private. It could be something like a group of lawyers working together on a case requiring this sort of security solution. We are living in an information world and data has value. You could have scientists working on a project who want to keep information out of the hands of people who could damage the project. There are all sorts of reasons why we should encrypt our communications.
For instance, when Joe wants to establish a connection to an identity on Twitter, he would sign a statement of the first form, and then post that statement both on Twitter and Keybase. Outside observers can then reassure themselves that the accounts Joe on Keybase and MrJoe on Twitter are controlled by the same person. This person is usually the intended keyholder, but of course could be an attacker who broke into both accounts.
Keybase is not just for messaging
You can use the Keybase secure messaging app to send encrypted files. Just put the file into the proper folder for the connection between you and your contact. Your contact will have protected access to that file.
What is it like to use?
You make keys for yourself, for the computer devices you use and for the connections you make. They suggest making 2 paper keys, and I still have not really worked out why you need the ‘paper keys’. The more things you connect to the Keybase identity, the more you prove who you are. Here is my Sig Chain to show you what I have done so far.
If you can find a friend willing to use Keybase, it is easy to send chat messages. Use it like any other secure messaging app after you have set it up. Confirming my ownership of Twitter and Facebook accounts was easy. I made a post/tweet and Keybase was able to verify it. Coinbase was a little more tricky but I worked it out in the end.
Verifying myself: I am a20q on Keybase.io. qUQ8q2j_m2AVAu0IYPBgMUaKFZQNgoKq5Adx / https://t.co/E48PVQuUq9
— David Allen (@A20Q) February 25, 2017
It’s possible to have a private key put onto Keybase and then you can use it to sign encryptions or to decrypt on the web page. Otherwise you need to use the command line to do some tasks. The command line is easy and you can do some tasks either that way or in the secure messaging app on your desktop computer.
Attach files and send them in the chat window, or click on the Folders icon in the left panel and then click on Open Folder. All you have to do then is drop files in the folder and they are dispatched to the recipient after being encrypted.
There’s documentation on the website, and for most users it will just cause brain ache. It covers DDoS plus other attacks and what Keybase is doing to make everything secure.
Keybase really needs the mobile version to round out the service and make it properly useful. An easy way to encrypt on iOS would be nice. Otherwise you might use the web application of this secure messaging app.
Keybase and PGP
I am a long-term user of Pretty Good Privacy (PGP) in the form of GPG, and it’s not at all difficult for me to send or receive encrypted emails. It’s also easy to encrypt any file, whether it be an image file or a document of any sort, using GPG. I fully understand how some people find it difficult to understand the concept of the public and private key pair. I have tutored a number of people in a practical way in how to send and receive encrypted messages. I have found it takes a while for people to get used to the idea that to send an encrypted email to a friend you need to have that friend’s public key. For that friend to send you an encrypted email, he or she needs to have your public key. The public key is exactly that, public – so it can be used by whoever needs to send its owner an encrypted email. The private key, on the other hand, is to be kept secret and not allowed out into the wild. It is this private key which you use to decrypt a message encrypted by its public twin key.
On whatever system, you go to GPG Tools and use it to store your public and private keys. In the same tool you store the public keys of any of your friends to whom you wish to send encrypted emails or encrypted files. The easiest way to send these encrypted emails is by using a plug-in for whichever email client you use. I have plug-ins which work with Apple Mail, a plug-in which works with Thunderbird or Postbox and a plug-in which works with my favourite email client at the moment, Airmail 3.
Another way to encrypt or decrypt text is to use the services from GPG Tools which you have set up in your Services menu. Select a portion of text, right-click on it and from the services choose to encrypt. You only have to follow the instructions in the following windows to choose the public key you are going to use. You’ll be presented with a pile of undecipherable gobbledygook which you can send as an email or text message to the recipient.
Another way to encrypt something ready to send would be to save the text as a file. It could easily be a markdown, text, rich text format, Word document or whatever type of file. In Finder you select the file, right-click and choose the GPG service to encrypt the file. Follow the steps and you’ll have an encrypted file you can send as an attachment in an email or by whatever other method you want.
The web of trust for your encryption
In general use of encryption key pairs, between a couple of friends on the Internet sending encrypted messages, it’s easy to trust the way it works in its basic form. When the first message comes from a friend with whom I’ve been chatting on Twitter, Facebook, email or by whatever means, I know the message I’ve just got actually comes from that person. We were just talking about it, or as we are talking about it the message arrives, and I know it can only be from my friend. I am 100% sure that the encrypted message is from who I expect it to be from.
If you are in contact with a lot of people using encryption for business purposes, you may need to take more care. It isn’t impossible for someone to steal your friend’s private key and to start sending messages to you. This third person may have nefarious intentions. In this sort of situation you need to take extra precautions. One of the traditional ways of doing this with Pretty Good Privacy (PGP) would be a face-to-face meeting of the people using the encryption. You would take whatever precautions are necessary at the time to confirm the identity of the person giving you the public key, and you would sign it with your own private key. This key could also be signed by other people at the meeting, and the more signatures the better.