Keybase last week announced the alpha release of the Keybase app for the iPhone with a cryptographically secure file mount.
Users can write data in an automatically created folder at /keybase/public/username. Files written there are signed automatically and appear as plain, readable files on other users' computers.
Because every file carries its author's signature, neither the Keybase server nor a man-in-the-middle can alter it without readers noticing, according to Keybase.
Files stream in on demand; there is no syncing as there is in Dropbox, Google Drive and Box.
Shared folders are encrypted to keys that live only on the participants' devices, not on the server. If a user's only device is lost and no other key exists, the private data is lost with it.
Until the phone app is ready, users have to make a paper key, a full-powered private key that can provision new devices and rekey folders.
Participation is by invitation only.
The system “is a lot less complex than PGP keys and far harder to compromise, particularly with man-in-the-middle exploits,” observed Rob Enderle, principal analyst at the Enderle Group.
However, sync products “are generally more convenient, particularly if you’re offline a lot,” he said.
About Keybase Servers
Keybase servers don’t have private keys that can read users’ data. Because they can’t inject any public keys into the process, users can’t be tricked into encrypting for third parties, the company said.
Key additions and removals are signed into a public Merkle tree, whose root is in turn hashed into the Bitcoin blockchain. That prevents an attacker who commandeers the server from forking it and serving different versions of server state to different people, according to Keybase.
The server signs and publishes a new root of the Merkle tree with every new user signature. Because each published root is anchored in the Bitcoin blockchain, any later change to the tree can be traced back to the root it diverged from, making a quiet rewrite of server state difficult, the company said.
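To make the fork-detection argument concrete, here is an added example (not Keybase's code) that builds a Merkle tree over a tiny key directory, anchors the roots in an append-only log standing in for the blockchain, and shows what a client check catches. The tree layout, the "add K / remove K" sigchain strings, the user names and the seqno scheme are all constructed for this illustration.

```python
"""Added example: anchoring a Merkle root of key-directory state so clients
can detect a forked or rolled-back server. Not Keybase's code; the tree
layout, sigchain event strings and anchor log are constructed stand-ins."""
import hashlib
from typing import Dict, List, Tuple

SigChain = List[str]             # ordered key add/remove events for one user
Directory = Dict[str, SigChain]  # username -> sigchain (the server's state)
Proof = List[Tuple[bytes, str]]  # (sibling hash, which side the sibling is on)
Anchor = List[Tuple[int, bytes]] # append-only (seqno, root) log the server cannot rewrite


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(username: str, chain: SigChain) -> bytes:
    """The leaf commits to the user's whole key history, not just the current key,
    so a quietly inserted 'remove K1 / add K_evil' pair changes the leaf."""
    chain_hash = H(b"".join(H(ev.encode()) for ev in chain))
    return H(b"\x00" + username.encode() + b"\x00" + chain_hash)


def _pad(level: List[bytes]) -> List[bytes]:
    # Duplicate the last node on odd levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([H(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(directory: Directory) -> bytes:
    names = sorted(directory)  # canonical order: the root is a function of state only
    return build_levels([leaf_hash(n, directory[n]) for n in names])[-1][0]


def inclusion_proof(directory: Directory, username: str) -> Proof:
    names = sorted(directory)
    idx = names.index(username)
    proof: Proof = []
    for level in build_levels([leaf_hash(n, directory[n]) for n in names])[:-1]:
        level = _pad(level)
        sib = idx ^ 1
        proof.append((level[sib], "L" if sib < idx else "R"))
        idx //= 2
    return proof


def verify_inclusion(root: bytes, username: str, chain: SigChain, proof: Proof) -> bool:
    node = leaf_hash(username, chain)
    for sib, side in proof:
        node = H(b"\x01" + sib + node) if side == "L" else H(b"\x01" + node + sib)
    return node == root


def client_accepts(anchor: Anchor, seqno: int, root: bytes, last_seen_seqno: int) -> bool:
    """Trust a served root only if (seqno, root) is in the public anchor (no fork)
    and seqno has not gone backwards relative to what this client saw (no rollback)."""
    return (seqno, root) in anchor and seqno >= last_seen_seqno


def demo() -> Dict[str, bool]:
    v1: Directory = {"alice": ["add K_alice_1"]}
    v2: Directory = {"alice": ["add K_alice_1"], "bob": ["add K_bob_1"]}
    anchor: Anchor = [(1, merkle_root(v1)), (2, merkle_root(v2))]

    # Honest server: root is anchored and bob's inclusion proof verifies against it.
    honest_root = merkle_root(v2)
    honest = client_accepts(anchor, 2, honest_root, last_seen_seqno=1)
    bob_ok = verify_inclusion(honest_root, "bob", v2["bob"], inclusion_proof(v2, "bob"))

    # Forked server: a second view, shown only to some clients, swaps alice's key.
    forked: Directory = {"alice": ["add K_alice_1", "remove K_alice_1", "add K_evil"],
                         "bob": ["add K_bob_1"]}
    fork_root = merkle_root(forked)
    fork_detected = not client_accepts(anchor, 3, fork_root, last_seen_seqno=2)
    # A proof built from the fork does not verify against the anchored root either.
    fork_proof_fails = not verify_inclusion(honest_root, "alice", forked["alice"],
                                            inclusion_proof(forked, "alice"))

    # Rollback: replaying the genuinely anchored v1 root to a client that already saw v2.
    rollback_detected = not client_accepts(anchor, 1, merkle_root(v1), last_seen_seqno=2)

    return {"honest": honest, "bob_ok": bob_ok, "fork_detected": fork_detected,
            "fork_proof_fails": fork_proof_fails, "rollback_detected": rollback_detected}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two checks in client_accepts are the whole point of the anchoring: membership of the served root in a public, append-only record defeats serving different states to different people, and the monotonic seqno defeats replaying an old but genuinely anchored root. Neither check requires trusting the Keybase server's private keys, only the anchor.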
“For code sharing, this could have a huge advantage over the alternatives,” Enderle said.
Leveraging Social Media
Sharing data with others is made easy because Keybase ties each user's public key to their social-media accounts through public proof statements posted on those accounts, so a key can be looked up by a Twitter or Reddit handle instead of being exchanged out of band.
“Smack-dab in the middle of a public Reddit or … Twitter conversation, you should be able to say ‘Hey, I threw those gifs/libraries/whatever in our encrypted keybase folder’ without ever asking for more identifying info,” said Keybase cofounder Chris Coyne. Other participants in the conversation can join Keybase to access the data without having to trust Keybase servers.
“When you track someone on Keybase, you sign a portable summary of their identity, as you saw and verified it,” he said. Whenever that Keybase username is used in the future, everything in the tracker statement must still hold.
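The following added example (not Keybase's code) shows what such a tracker statement pins and how a later lookup is checked against it. The identity fields, service names and fingerprints are constructed; the statement's integrity check is a SHA-256 commitment standing in for the signature the tracker's own key would produce in the real system.

```python
"""Added example: a tracker statement that pins an identity as it was verified,
and a recheck that flags any pinned fact that no longer holds. Not Keybase's
code. The SHA-256 commitment stands in for the tracker's signature."""
import hashlib
import json
from typing import List

# A constructed identity record: {"username": str, "key_fingerprint": str,
#                                 "proofs": {service: handle}}


def canonical(obj) -> bytes:
    """Deterministic serialization so the commitment does not depend on dict order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_tracker_statement(tracker: str, seen: dict) -> dict:
    """Snapshot of the identity exactly as the tracker saw and verified it."""
    body = {"tracker": tracker, "tracked": seen}
    return {"body": body, "commitment": hashlib.sha256(canonical(body)).hexdigest()}


def recheck(statement: dict, current: dict) -> List[str]:
    """Compare a fresh lookup against the pinned snapshot.
    An empty list means everything the tracker signed still holds."""
    body = statement["body"]
    if hashlib.sha256(canonical(body)).hexdigest() != statement["commitment"]:
        return ["tracker statement itself has been altered"]
    pinned = body["tracked"]
    problems: List[str] = []
    if pinned["username"] != current["username"]:
        problems.append("username differs from the tracked one")
    if pinned["key_fingerprint"] != current["key_fingerprint"]:
        # This is the failure a server-side key substitution would produce.
        problems.append("public key changed: %s -> %s"
                        % (pinned["key_fingerprint"], current["key_fingerprint"]))
    for service, handle in pinned["proofs"].items():
        now = current["proofs"].get(service)
        if now != handle:
            problems.append(f"{service} proof was {handle!r}, now {now!r}")
    # Proofs added since tracking do not invalidate the statement;
    # only pinned facts that stopped holding do.
    return problems


if __name__ == "__main__":
    alice = {"username": "alice", "key_fingerprint": "AAAA1111",
             "proofs": {"twitter": "alice_tw", "reddit": "alice_rd"}}
    statement = make_tracker_statement("bob", alice)
    print("unchanged:", recheck(statement, alice))
    print("key swapped:", recheck(statement, dict(alice, key_fingerprint="EEEE9999")))
```

The design point is that once Bob has tracked Alice, later lookups are checked against Bob's own signed snapshot rather than against whatever the server returns, so a substituted key or a vanished proof is surfaced to Bob instead of silently accepted.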
“I think enterprises will be interested in this, especially if it can be made somewhat more user-friendly,” said Mike Jude, program manager, Stratecast/Frost & Sullivan.
“I see it as a nifty way to encrypt business communications, where the point isn’t absolute security but temporary security … defined by business needs,” he said.
Keybase Business Model
All users will get 10 GB of storage free. Enterprise users, and those who want more storage, may have to pay for it.
Keybase will be ad-free and will not sell users’ data, Coyne said.
“There is currently no pay model, and we’re not trying to make money,” he asserted. “We’re testing a product right now, and we’d like to bring public keys to the masses.”
However, “this system can’t even be explained in less than a page of prose,” Jude pointed out. “Getting everyone to use it, unless it’s built into the background, is a tad optimistic.”
Pros and Cons
Keybase “will need to think hard about how they allow others to use this app,” Jude suggested. “For example, does Keybase have any liability if their system turns out to be hackable? Would they recommend its use for HIPAA or financial transactions?”
Users will get a “far more secure file exchange platform” with the Keybase app, Enderle said. However, “on the downside, you’ll likely get flagged by law enforcement as a potential terrorist or criminal.”