Prominent security experts and systems designers Moxie Marlinspike and Matthew Green recently wrote essays, a few months apart, arguing that the venerable message encryption system known as PGP (originally short for Pretty Good Privacy) has run its course.
Which is why it might seem odd that two of the founders of SparkNotes and OkCupid launched Keybase.io several months ago to help spread PGP further. They have a plan that could open up highly secure cryptography to a larger number of users than ever before, without making anyone master any arcane details. Keybase is currently free and in an invitation-only stage, with plans to open up to more users later this year.
Right now, the most secure messaging systems—the ones that governments regularly complain about—are walled gardens. A single company controls them, allowing only users of the same software to communicate securely. Keybase does away with that, creating the potential for messaging services that are both open and secure. But it’s also about identity. The service leverages Twitter, domain names, websites, Facebook, Github, Bitcoin, and more as anchors across time and virtual space to let you prove who you are.
It all starts with a key.
PGP: THE 1990S BREAKTHROUGH
PGP is a nifty system designed 25 years ago by Silent Circle founder Phil Zimmermann. He had the notion that the way to aid people around the world opposing tyranny would be to provide strong encryption that governments would be unable to foil, and which didn’t rely on a central point of failure. In addition, such a system would be resistant to man-in-the-middle attacks. (PGP is also now widely called GPG—GNU Privacy Guard—for the free-software alternative that now dominates.)
Phil Zimmermann, creator of PGP
At the time Zimmermann devised PGP, public-key cryptography (PK for short) was used primarily in corporate settings for highly specific needs, in part because it was too computationally taxing for garden-variety computers. Instead of using PK for everything, Zimmermann relied on it just as a method of securing a strong encryption key that was optimized for speed and encrypting runs of text or data.
Public-key cryptography relies on generating a public/private key pair using an algorithm that involves very large prime numbers that aren’t susceptible to cracking. The private key must be kept secret; the public key may be freely distributed. The Bitcoin virtual currency system is entirely based on PK: the private keys are essentially the currency, and public keys are “addresses” at which money can be received.
A message encrypted with a public key can only be decrypted by someone who possesses the corresponding private key. A signature made with a private key can be validated by anyone holding the public key, and can only have been produced by the possessor of that private key. When encrypting data with PGP, a strong symmetrical key—used both to encrypt and decrypt—is itself encrypted with one or more recipients’ public keys. Then only valid receivers can decrypt the data, no matter how it’s disseminated, including on publicly available websites.
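The hybrid scheme described above, as an added example in Node.js (not code from this article or from any PGP implementation): the message is encrypted once under a fresh session key, and that key is then encrypted to each recipient's public key. RSA-OAEP, AES-256-GCM, the envelope layout and the names `seal`, `open` and `demo` are choices made for the example.

```javascript
const crypto = require("node:crypto");

// Encrypt the message once under a fresh symmetric session key, then encrypt
// that key separately to each recipient's public key. The envelope layout is
// constructed for this example; it is not the OpenPGP packet format.
function seal(message, recipientPublicKeys) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
  const body = Buffer.concat([cipher.update(message, "utf8"), cipher.final()]);
  const wrappedKeys = recipientPublicKeys.map((publicKey) =>
    crypto.publicEncrypt({ key: publicKey, oaepHash: "sha256" }, sessionKey));
  return { wrappedKeys, iv, tag: cipher.getAuthTag(), body };
}

// Try each wrapped copy with our private key. RSA-OAEP unwrapping throws for
// copies made for someone else, so a non-recipient ends up with null.
function open(envelope, privateKey) {
  for (const wrapped of envelope.wrappedKeys) {
    let sessionKey;
    try {
      sessionKey = crypto.privateDecrypt({ key: privateKey, oaepHash: "sha256" }, wrapped);
    } catch {
      continue;
    }
    const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString("utf8");
  }
  return null;
}

// Constructed sample: the envelope is addressed to alice and bob, not eve.
function demo() {
  const [alice, bob, eve] = [0, 1, 2].map(() =>
    crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }));
  const envelope = seal("meet at noon", [alice.publicKey, bob.publicKey]);
  return {
    alice: open(envelope, alice.privateKey),
    bob: open(envelope, bob.privateKey),
    eve: open(envelope, eve.privateKey),
    wrappedCopies: envelope.wrappedKeys.length,
  };
}

console.log(demo());
```

The envelope can be published anywhere: it carries one ciphertext and one wrapped key per recipient, and only the matching private keys recover the session key.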
In PGP, users create their own key pairs, and then distribute the public key widely—people even put them in their email signatures or Twitter profiles. When possible, other users who have already established a web of trust with someone validate such public keys—in the past, at public key-signing parties, where people would hand around drivers’ licenses or other documents.
THE QUEST FOR SOMETHING SIMPLER
From a cryptographic standpoint, PGP is rock solid. In practice, using it is very messy. Its complexity has deterred the vast majority of people who might otherwise benefit from using encryption.
The first problem is establishing a valid identity, especially with other people located oceans away. The second is distributing public keys without nefarious types posting alternative keys that appear to be registered to the same person.
For instance, Keybase’s cofounder Chris Coyne says that when he first downloaded Bitcoin code to examine, he wanted to check that it was a legitimate distribution, signed by Gavin Andresen, a key figure in that community anointed by its pseudonymous creator, Satoshi Nakamoto. When Coyne went to validate Andresen’s PGP key, he found what he estimates were 500 entries for him at keyservers.
The third issue is getting people to install and use PGP software. It’s available in somewhat nerdy, fragile form on the desktop, and barely present at all on mobile devices.
Other proprietary systems work around these difficulties by controlling the entire ecosystem. Communications services such as Skype, WhatsApp, and Apple’s iMessage have their own PK infrastructure, and make various use of other forms of encryption. They distribute keys to users, manage certificates, handle updates, and offer multiplatform software. It’s transparent to users. But these systems only encrypt their own communications.
Keybase set out to fix all three of public-key cryptography’s problems at once. Even if it only solves the issue of confirming provable identities, it could have an impact.
WE KNOW WHO YOU ARE
People now have online identities scattered all over, most of which individually provide no reassurance that someone is who they say they are. Supposedly real names associated with accounts may not be accurate. And even if they are, a given account could be hijacked at any point.
Keybase pairs cryptographic proofs with social networks and other online “property,” like domain names, Bitcoin, and websites, to create a nexus that’s also tracked for integrity over time. Keybase doesn’t even ask that users trust it: it uses a variety of methods to publish its verifications.
Coyne and his partner Max Krohn built the open-source codebase on top of all the authentication that people already have in their lives. After creating a Keybase account, you upload or generate a public/private key pair associated with the account.
A user profile at Keybase’s site
It may seem odd to store the private key—the one you must be careful about securing—on a remote server. But Keybase protects it with a passphrase—like a password, but longer. Whenever you use its site—or, in the future, apps from Keybase itself or third parties—the encrypted private key is retrieved and only decrypted locally when the passphrase is entered. The passphrase is never transmitted.
When you verify your identity with Keybase, it uses your private key to create and sign a cryptographic proof that only that private key’s possessor could make. The site currently lets you verify via Twitter (posting a tweet), Github, Reddit (via a message posted on a special subreddit), Coinbase.com, Hacker News, one or more websites, DNS, and Bitcoin.
Some of these methods are geekier than others. But each additional form of verification makes it that much harder for an attacker to try to spoof who you are. In order to publish a new key on Keybase, for instance, an attacker would have to also generate proofs that are then published and verified on every system you’ve already authenticated against with Keybase.
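How a verifier can check such proofs, as an added example in Node.js that is not Keybase's code or its proof format: each service carries a statement signed by the account's key, and a key presented under the same name must verify against every one of them. Ed25519 (standing in for the account's PGP key), the statement layout, the sample account names and all function names are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

// The bytes that get signed. Encoding user, service and handle together ties
// a proof to one account. (Constructed format, not Keybase's proof format.)
function statement(user, service, handle) {
  return Buffer.from(JSON.stringify(["identity-proof", user, service, handle]));
}

// Owner side: the signed statement that gets posted publicly on a service.
function postProof(privateKey, user, service, handle) {
  const sig = crypto.sign(null, statement(user, service, handle), privateKey);
  return { service, handle, sig };
}

// Verifier side: check every published proof against the key claimed for
// `user`; return the services whose proof does not verify under that key.
function failingProofs(claimedPublicKey, user, proofs) {
  return proofs
    .filter((p) => !crypto.verify(
      null, statement(user, p.service, p.handle), claimedPublicKey, p.sig))
    .map((p) => p.service);
}

// Constructed sample: alice has proofs on three services. Someone else then
// presents their own key as hers, first with no accounts and then after
// taking over a single one of them.
function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const proofs = [
    postProof(alice.privateKey, "alice", "twitter", "alice_t"),
    postProof(alice.privateKey, "alice", "github", "alice-gh"),
    postProof(alice.privateKey, "alice", "dns", "alice.example"),
  ];
  const oneReplaced = [
    postProof(other.privateKey, "alice", "twitter", "alice_t"), ...proofs.slice(1)];
  return {
    genuine: failingProofs(alice.publicKey, "alice", proofs),
    substitutedKey: failingProofs(other.publicKey, "alice", proofs),
    oneAccountTakenOver: failingProofs(other.publicKey, "alice", oneReplaced),
  };
}

console.log(demo());
```

With one account taken over, the substituted key still fails on the two remaining services, which is the mismatch a verifier or an automated client would flag.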
Further, Keybase tracks and publishes all changes to verifications. Any sudden change in your proofs would show up in a variety of ways to anyone who uses Keybase to interact with your identity, including automated systems. Keybase even bakes parts of its records into the Bitcoin blockchain, making any updates both public and quickly irreversible.
An attacker could simply obtain your passphrase to unlock your private key, but that’s an existing problem with public-key cryptography—and all messaging systems, too. (Some messaging systems support two-step or second-factor authentication, which typically requires that someone have both your password or passphrase and physical access to you or some device you typically have in your possession, such as your smartphone.)
A Keybase-verified identity can be used manually, as when someone wants to find your public key to send you a message, and with third-party software and websites for logins or transactions. It could be used in place of a Twitter or OpenID login, with a higher degree of reliability.
BREAKING DOWN THE WALLED GARDENS
Outside of PGP, there’s no reliable way to send a secure message between two parties on the Internet without advance, often risky coordination except by using proprietary, walled-garden systems. The Electronic Frontier Foundation (EFF) rated many messaging systems last year, and gave its highest marks to several, including CryptoCat, Signal/RedPhone, and Silent Phone. Bigger names, such as FaceTime, Skype, and Yahoo Messenger, didn’t fare nearly as well.
The original problem that PGP set out to solve remains a problem. Of the three specific challenges that I cited at the beginning of this article, Keybase can solve identity and key distribution. It also plans to introduce native apps later this year. Its web app has a fairly lovely user interface, and if it brings the same simplicity and hidden power to a native client, that could help get more people to adopt it.
There’s work left to be done, such as integrating Keybase with email clients. Its creators say that they plan to offer broader features in releases later this year that they’re not quite ready to talk about yet. For now, their brainchild remains an interesting and well-executed idea, but one that’s still bound by some of the same shackles that kept PGP from achieving wide adoption. We’ll see if it can break free.