I have recently been invited to keybase.io, and to increase my understanding of how this works, I will try to accomplish the same as keybase provides, but manually using the gpg commandline.;/p>
The goal of keybase.io is to create links between public keys and online identities. For example, I have a public pgp key which can be downloaded from here:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDC82662DC1136424
To fetch my key into your gpg keyring, use:
gpg --recv-keys 0xdc82662dc1136424
This key is combined with a certificate where I claim that my email-address i rolf.ness(at)pvv.org. Using gpg you can check that this claim was made by someone controlling the private part of the key referred above. However, you cannot check if this claim is actually true. I'll get back to this later, but some other examples first.
Let's take a look at this blogspot account and make some claims about this:
My name is Rolf Rander Næss
I control the blogspot-account: rolfn.blogspot.no (a.k.a. rolfn.blogspot.com)
I have a pgp-key with id: 0xdc82662dc1136424
The key fingerprint is: 5D18 257C 9F45 7108 DFA6 AD51 DC82 662D C113 6424
This message is signed with this key
Now I can sign this message, proving possession of the corresponding private key, and by posting it here, I also prove that I control this blogspot account.
The signed message is below, it is formatted in binary (and the converted to ascii with base64) to avoid errors due to formatting, charset or copy-paste-errors.
-----BEGIN PGP MESSAGE-----
owGbwMvMwMF4pylN96BwigrjWka1JOGknPz04oL8Et3knMTM3GK9koqSELXqSt9K
hbzE3FSFzGKFoPycNIWgxLyU1CIFv8PLiot5uTwVkvPzSorycxRKMlIV4EYkJifn
l+aVWCkAZdLy9GDienn5ChqJetl6iXroMsn5uZog4zISy1IVEhUK0gt0s1MrFcoz
SzIUMlOsFAwqUpItjMzMjFKSDQ2NzUyMTHi5QoBWghSlZealpxYVFGXmlQCdaaVg
6mJooWBkau6sYOlmYqpgbmhgoeDi5mimoODoYmqo4OJsYaQANMlFwRlolALMLKAH
c1OLixPTwX4tzkzPS02B2F8CkgNaxMvVySjDwsDIwcDGygQKGwYuTgFYIPacZP/v
c2u1XP3Nswc5AyZaG/LpZ+Yc8xD5MO191gTXzY4zmd51SU8pcVy3z+XE8m7vI64f
LnQuLHlXv3plwM74Q/JWi5ZvMtYP9uHtbWivjLppy5ju9Obw39AQz5WxPFrSSne4
mW91sE7SiJZYZWZ49sn+XcVC8VN+yy7rfPbQNeJkxnROef6TqbLmXW/awurnJT6N
NDtdr1c3J0zf2I7H5OFaS3lNQ5u/npddpmTuWuS6y9PGwvOMbm+XemJX3DktZaFl
ESuvqKkVCvw+oHmcWSb2Z7OmZdUGFbZmjhNOYf5+/yY9ct4xW2nqo4Tgiz8KX6ZM
EL1ZPrX3YNTWtjax/19OZ+gfu88qKr7v19ovegA=
=DCLD
-----END PGP MESSAGE-----
So, by posting this here, I have created a two-way link between my blogspot-account and my private key. (However, in this particular case it is not worth much, because blogspot doesn't support https, so a man-in-the-middle could change this message before it reached your browser).
If you have my key imported, you can paste this message (including "BEGIN" and "END") into gpg, and gpg will tell you that the signature is good (i.e., that it was made by someone controlling the key). You should check that the fingerprint in the message and the fingerprint reported by gpg match.
Lets try the same for twitter, which is slightly more useful. Here is a statement with a similar set of claims:
My name is Rolf Rander Næss
I control the twitter-account: @rolfrander
I have a pgp-key with id: 0xdc82662dc1136424
The key fingerprint is: 5D18 257C 9F45 7108 DFA6 AD51 DC82 662D C113 6424
This message is signed with this key
The binary-encoded, signed, ascii-armoured version is:
-----BEGIN PGP MESSAGE-----
owGbwMvMwMF4pylN96BwigrjWkamJKGS8sySktQi3eScxMzcYr2SipIQtZo+30qF
vMTcVIXMYoWg/Jw0haDEvJTUIgW/w8uKi3m5PBWS8/NKivJzFEoyUhVgJiQmJ+eX
5pVYKTgAZdKKwDpAajMSy1IVEhUK0gt0s1MrFYCqMxQyU6wUDCpSki2MzMyMUpIN
DY3NTIxMeLlCgOaBFKVl5qWnFhUUZeaVAN1gpWDqYmihYGRq7qxg6WZiqmBuaGCh
4OLmaKag4Ohiaqjg4mxhpAA0yUXBGWiUAswsoOtzU4uLE9PBHinOTM9LTYHYXwKS
A1rEy9XJKMPCwMjBwMbKBPI4AxenACyANixj/ytd1Xtd8ZtSfORNsTlL+Z+r+7+I
+iWw+n+TvLKiRvl1dnOW8JSHhY16IV7vfocJep8+udOGK9Ot8NmJJPsuA+XFjRu/
Bjy5emDeDzW5l643dpStSGqe1fX106JVCyvqn5qJ6x7+o3dzmUvYm3aGH+Gzsia4
7zk9+XjC5L2T5ae7fX9y75fHtNjT3V9ykkSO7enZZaJ3QoZJcp7BFRWn/Uv/Fr+z
jNvw1aznhGYgn/Ax1o+q/x+F+G3nzf1z0ni595Tfth8uJSw9MsXRbgI/X7lw+Myu
fvllK+/VTreZdMBYX/LCUh8Jq43+za5GiUw+AcqW/n+aXm4PCT4lblXKsHHLyl6l
CrUfu3asltS8/R4A
=pG8g
-----END PGP MESSAGE-----
As before, this proves that the person making these claims possess the private part of the key with this fingerprint. Now, if I could post this to twitter, I would also prove that I control the twitter account and thus provide a two-way link. However, twitter only allows 140 chars, so the message above is to large. To get around this, I only post a hash of this message to twitter. The hash must be constructed from the binary encoded message, again to avoid formatting or cut-and-paste issues. Starting with the pgp-message, the hash can be obtained by piping the message into this command:
gpg 2>/dev/null | openssl sha256 -binary | openssl base64
which returns NMTiZ2clKwsuQnRFQjFxuL1oTL6NE+R2doBG3ohPThA=
now chech twitter: https://twitter.com/rolfrander/status/515794922851827712
since twitter use https, you can trust (within reason) that no man-in-the-middle has changed this message before it reached your browser.
Now, there are some pieces of software and quite a few organizations you need to trust to be able to trust this key, but I'll get back to that in a later post...
So, given the steps (and caveats) above, you have now established, within reasonable doubt, that:
- the person controlling the private part of key 0xdc82662dc1136424
- also controls the address rolfn.blogspot.no
- and controls the twitter-account @rolfrander
However, what you have not done, is to prove anything about who I really am. To do that, you have to meet me in person (and possible check some government issued ID, depending on your usecase). If we meet, I can provide some data which enables you to connect my real-life identity to my key. Previously this would mean me giving you a hash of my key, which you could check. However, now that we have established a connection between my twitter-handle and my key, I only need to give you my twitter-handle, which is much easier for you to remember.
This is basically what keybase.io does, but it is wrapped in a nice user interface and with a tool which makes it easier to handle. I addition, they have the added functionality of "tracking", I will get back to that later.
Edit: I just realized that the command for computing the hash above really just hash the message, not the signature, which keybase hash message+signature. I don't think this has any security implications, but there could be some corner case I havent seen yet.
Anyway, the message signed by keybase includes other security measures as well, such as the current time, so I really recommend using keybase as opposed to doing this yourself.
And I am on keybase as well: https://keybase.io/rolfn
Edit 2: oh, and one more thing: I promised to get back to the email example. My pgp-key (as posted on keybase and on the network of public keyservers) contain one or more email-addresses. How can you be sure that these are accurate? First of all, we need a precise formulation of what this is:
- The key contains a claim about my email-address
- This claim is signed with my private key (verifiable with the public key), thus it contains proof that I posess the private key
Now, what we want to check is that I also control the email-address. This can be done using challenge-response authentication. For example, if you email me some unique data (such as a random number), encrypted with my public key, I need access to my private key to decrypt. Then I can sign this number with my private key and return to you. If I was able to decrypt correctly and sign verifiably, this proves that I have the correct private key. Since this was done through my email address, it also proves that I control the email-address.
But do note that you still don't know for sure who I am, you just know that the email-address and the private key are controled by the same entity. To prove you are talking to me, we need to meet in person.