Thursday, July 16, 2015

Introducing Keybase + cryptography primer

First, visit: 

Why is this significant?
It marries social identities with public key cryptography and makes it accessible for all. And they just raised a $10M round from Andreessen Horowitz ;)

What's the catch?
It stores your private keys on their server based on a pass-phrase.

Primer stuff (really basic 'how does this work?' stuff):
Cryptography relies on mathematics to ensure that two entities can have a trusted communication, which is the critical bedrock of all things digital and requiring trust. 
What's all this talk about public and private keys?
Assume that both of us have two keys each: One called the private key and the other called the public key. Also only you can see and use your private key but your public key is visible to all.

Just like physical keys are used to lock down and restrict access to physical assets, these digital keys help lock down and provide access to assets that are digital. A text message I send to you could be that digital asset that I need to protect. Unlike the physical world where we touch/ see/ hear each other and can simply talk to each other, in the digital world, we may be continents apart and there are no cues that can really help trust anything and everything digital can be easily manipulated.

So, assume really I need to send you a super secret message (eg: 'OMG. Pluto's on Pluto!') that ONLY you can read, I will first get YOUR public key, then use it to encrypt MY message and send it to you. By now the message will look like garbage for everyone else (eg: "23nfn32323n32djksgdsgdad3").

However, YOU and only you can use your private key and decrypt the gibberish into the original message ('OMG. Pluto's on Pluto!'). So, presto! I was able to send you a message to you that only you could read!

Cool, but you still don't trust me, what else can we do?
Now, when you read the message, there are two problems: 
One: How can you be really sure that the message was not changed by someone in transit?
Two: How can you be really sure that it was I who sent it? 

Maths to the rescue again!
There is a cryptographic tool called hashing. Hash is a function that provides one way conversion of any text into a unique signature. For example, 'Hello' hashed may look like '2nwfd3232'. If I make ANY change to my message eg: change 'Hello' to 'HellO' the hash will also change. Unlike encryption, hashes are one way. That is, it is not computationally easy to get back to Hello from just its hash.

So assume that instead of a plain and simple Hello, the text was a legal agreement that I sent to you. So once you receive it, all you need to do is to again hash the legal agreement and check if the hash provided by me was exactly the same as the one that you derived yourself using the agreement text. If both the hashes match, it proves mathematically that no changes were made to the document after I had hashed it.

What about problem Two mentioned above?
Just a little more of the same mathematical tools above should help here. Remember the hash that I just created a short while ago? I will encrypt that hash with my private key and send this as my digital signature along with the encrypted message to you. So, for you to verify that it was indeed I who sent the message, you decrypt it with my public key and then do the hash comparison as explained in the previous paragraph. If the hashes don't match, it means either that the message was tampered OR that it was not really sent by me.

So, a lot of mathematics and two pair of keys is what it takes for us to have a trusted, non-repudiable digital communication with each other. However, what was lacking was a robust and a simple set of tools that could hide all this complexity and make this ubiquitous in the digital world. Keybase seems to be a step in that direction!