Keybase api4/9/2023 In the context of this product, an attack like that would require collusion between the Keybase server and a current (or former, depending on the specifics) member of the team. a different entryKey or a previous revision). One of the main risks of signing-then-encrypting a message is what happens if someone who is able to decrypt the outer layer can then reencrypt the signed message for some other purpose (e.g. We do this to mitigate several possible attacks that might otherwise be available to the server. We use authenticated encryption with associated metadata (AEAD), a construct that allows the inclusion of associated data (in our case, a bunch of metadata) as part of what is signed then encrypted. Here are some of the distinguishing details. The security tradeoffs are modeled after and are extremely similar to chat. This ensures that the server cannot read or forge an entryValue, nor prove any of the metadata it knows about it. EntryValues, however, are signed by the device key of the writer and then encrypted for a specific team. ![]() Much of the metadata, including namespaces, entryKeys, as well as database access patterns, is known to the Keybase server. ![]() you have two different bots that absolutely need to share and update the same entries concurrently), you can pass in a revision and your Keybase client will use it.įor example, assuming that this entry has not been inserted previously, the following command will insert an entry with revision 1: keybase kvstore api -m '' If, however, you would like to manage your own revisions (e.g. This complexity is hidden from the API because you probably don't need it. When you put a new entry or update an existing one (deleting works this way too), your Keybase client will first run a get for that entry so it knows exactly what revision the server is expecting (e.g. The Keybase server keeps track of the latest revision number for each entry, and it requires the client to specify the correct revision number on every update request. _whatever), it will be undiscoverable from the corresponding list endpoint. If you prepend a namespace or entryKey with double-underscores (e.g. Namespaces and entryKeys are in cleartext, and the Keybase client service will encrypt and sign the entryValue on the way in (as well as decrypt and verify on the way out) so Keybase servers cannot see it or forge it. You cannot fetch old versions of your data if you've put a new revision or deleted it. myawesometeam.passwords)Ī team has many namespaces, a namespace has many entryKeys, and an entryKey has one current entryValue.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |