public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] Message Signing based authentication
@ 2013-11-02  5:01 bitcoingrant
  2013-11-02  5:54 ` Luke-Jr
                   ` (3 more replies)
  0 siblings, 4 replies; 23+ messages in thread
From: bitcoingrant @ 2013-11-02  5:01 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 1415 bytes --]

Passwords are inefficient by design: frequently we hear news from Sony, Square Enix, Adobe, and various others about passwords being compromised, databases being copied and stolen. This story remains true in the Bitcoin space. In light of the recent Bitcointalk forum breach echoes an increasing need for passwords to become a thing of the past.
In celebration of the 5 year anniversary of the Bitcoin whitepaper, we are delighted to introduce the Message Signing based authentication method.
In brief, the authentication work as follows:
Server provides a token for the client to sign.
client passes the signed message and the bitcoin address back to the server.
server validates the message and honors the alias (optional) and bitcoin address as identification.
http://forums.bitcoingrant.org/
Above is a proof of concept forum that utilize this authentication method. Following Kerckhoffs's principle, this forum only stores the signed message and bitcoin address the users provide the first time they use the site, both are public information. In addition, there is no database, everything is simply an RSS feed. For the sake of usability we have included a redis for the sessions, at the cost of additional exposure to potential risks: users no longer need to sign a token every time they wish to post.
All source code will be available on github in the next few days. 
We welcome any feedback or suggestions.

[-- Attachment #2: Type: text/html, Size: 4824 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02  5:01 [Bitcoin-development] Message Signing based authentication bitcoingrant
@ 2013-11-02  5:54 ` Luke-Jr
  2013-11-02 13:02 ` Mike Hearn
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 23+ messages in thread
From: Luke-Jr @ 2013-11-02  5:54 UTC (permalink / raw)
  To: bitcoin-development

On Saturday, November 02, 2013 5:01:43 AM bitcoingrant@gmx.com wrote:
> In celebration of the 5 year anniversary of the Bitcoin whitepaper, we are
> delighted to introduce the Message Signing based authentication method. In
> brief, the authentication work as follows:
> Server provides a token for the client to sign.
> client passes the signed message and the bitcoin address back to the
> server. server validates the message and honors the alias (optional) and
> bitcoin address as identification. http://forums.bitcoingrant.org/
> Above is a proof of concept forum that utilize this authentication method.

Congratulations! You've reinvented what Eligius and Bitcoin-OTC have been 
doing for years! :)

There's no reason to ask the user to provide the address every time, though...

Luke



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02  5:01 [Bitcoin-development] Message Signing based authentication bitcoingrant
  2013-11-02  5:54 ` Luke-Jr
@ 2013-11-02 13:02 ` Mike Hearn
  2013-11-02 13:16   ` Melvin Carvalho
  2013-11-02 13:19   ` Hannu Kotipalo
  2013-11-02 21:14 ` Johnathan Corgan
  2013-11-02 21:57 ` slush
  3 siblings, 2 replies; 23+ messages in thread
From: Mike Hearn @ 2013-11-02 13:02 UTC (permalink / raw)
  To: bitcoingrant; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 435 bytes --]

On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:

> In brief, the authentication work as follows:
>
>
>
> Server provides a token for the client to sign.
>
> client passes the signed message and the bitcoin address back to the
> server.
>
> server validates the message and honors the alias (optional) and bitcoin
> address as identification.
>

http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/

[-- Attachment #2: Type: text/html, Size: 2017 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 13:02 ` Mike Hearn
@ 2013-11-02 13:16   ` Melvin Carvalho
  2013-11-02 13:19   ` Hannu Kotipalo
  1 sibling, 0 replies; 23+ messages in thread
From: Melvin Carvalho @ 2013-11-02 13:16 UTC (permalink / raw)
  To: Mike Hearn; +Cc: bitcoingrant, Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 2035 bytes --]

On 2 November 2013 14:02, Mike Hearn <mike@plan99.net> wrote:

> On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:
>
>> In brief, the authentication work as follows:
>>
>>
>>
>> Server provides a token for the client to sign.
>>
>> client passes the signed message and the bitcoin address back to the
>> server.
>>
>> server validates the message and honors the alias (optional) and bitcoin
>> address as identification.
>>
>
> http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/
>

I actually use client certificates for almost all of my authentication.

It's true that the browser manufacturers have created an UX which is not
ideal, and very little effort is made to improve it.  But it is possible.
See this project from Mozilla labs.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Unfortunately this got killed :(

More popular is the trusted third party model like OAuth or Persona.
There's a conflict of interest as well, because browser manufacturers are
often identity providers too, so there is an incentive to push TTP
technology.

There's two elements here.  One is paswordless login (which I love).  The
other is who controls your identity.  I like to control my own identity (in
my browser) using PKI.  But facebook and the big webmail providers have a
lions share of the market.

The way to shift the balance is to offer the right incentives.


>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 4698 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 13:02 ` Mike Hearn
  2013-11-02 13:16   ` Melvin Carvalho
@ 2013-11-02 13:19   ` Hannu Kotipalo
  2013-11-02 16:26     ` Mike Hearn
  1 sibling, 1 reply; 23+ messages in thread
From: Hannu Kotipalo @ 2013-11-02 13:19 UTC (permalink / raw)
  To: bitcoin-development

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02.11.2013 15:02, Mike Hearn wrote:
> 
> http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/
>
> 
Maybe this is a bit off-topic, but the *real* answer to the question
"why-is-nobody-using-ssl-client-certificates" is that it would force
www pages to be encrypted and would make it a lot more difficult for
NSA to log www-trafic. So they have been made not-user-friendly by
default.

But what you think about this:
"White paper on passwordless secure login (based on bitcoin/bitmessage
technology)"
https://bitcointalk.org/index.php?topic=323360.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ0+/cACgkQvafo1Ths1Sw5FwCgxdJB/lazDzxRos1ogSfJQo0V
El4AnjyHxWjOXG6qjcTcWvccty+03xRa
=BikE
-----END PGP SIGNATURE-----



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 13:19   ` Hannu Kotipalo
@ 2013-11-02 16:26     ` Mike Hearn
  2013-11-02 16:26       ` Mike Hearn
  2013-11-02 16:52       ` Melvin Carvalho
  0 siblings, 2 replies; 23+ messages in thread
From: Mike Hearn @ 2013-11-02 16:26 UTC (permalink / raw)
  To: Hannu Kotipalo; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 748 bytes --]

Guys, identity systems for the web are off-topic for this list. Other than
the anonymous passports/SINs/fidelity bond ideas, Bitcoin doesn't have any
relevance to it.

On Sat, Nov 2, 2013 at 2:19 PM, Hannu Kotipalo <hannu.kotipalo@iki.fi>wrote:

> Maybe this is a bit off-topic, but the *real* answer to the question
> "why-is-nobody-using-ssl-client-certificates" is that it would force
> www pages to be encrypted and would make it a lot more difficult for
> NSA to log www-trafic.
>

No, it wouldn't. You can log a user in using SSL and then redirect the user
back to an encrypted page, using cookies for the rest of the session.
Please don't clutter up this list with conspiracy theories. The brutal
reality is that identity is a hard problem.

[-- Attachment #2: Type: text/html, Size: 1101 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 16:26     ` Mike Hearn
@ 2013-11-02 16:26       ` Mike Hearn
  2013-11-02 16:52       ` Melvin Carvalho
  1 sibling, 0 replies; 23+ messages in thread
From: Mike Hearn @ 2013-11-02 16:26 UTC (permalink / raw)
  To: Hannu Kotipalo; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 147 bytes --]

> No, it wouldn't. You can log a user in using SSL and then redirect the
user back to an encrypted page

sorry, I meant unencrypted page of course

[-- Attachment #2: Type: text/html, Size: 199 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 16:26     ` Mike Hearn
  2013-11-02 16:26       ` Mike Hearn
@ 2013-11-02 16:52       ` Melvin Carvalho
  2013-11-02 17:08         ` Jeff Garzik
  1 sibling, 1 reply; 23+ messages in thread
From: Melvin Carvalho @ 2013-11-02 16:52 UTC (permalink / raw)
  To: Mike Hearn; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 1988 bytes --]

On 2 November 2013 17:26, Mike Hearn <mike@plan99.net> wrote:

> Guys, identity systems for the web are off-topic for this list. Other than
> the anonymous passports/SINs/fidelity bond ideas, Bitcoin doesn't have any
> relevance to it.
>
> On Sat, Nov 2, 2013 at 2:19 PM, Hannu Kotipalo <hannu.kotipalo@iki.fi>wrote:
>
>> Maybe this is a bit off-topic, but the *real* answer to the question
>> "why-is-nobody-using-ssl-client-certificates" is that it would force
>> www pages to be encrypted and would make it a lot more difficult for
>> NSA to log www-trafic.
>>
>
> No, it wouldn't. You can log a user in using SSL and then redirect the
> user back to an encrypted page, using cookies for the rest of the session.
> Please don't clutter up this list with conspiracy theories. The brutal
> reality is that identity is a hard problem.
>

Identity need not be a hard problem.  In my view it is a solved problem.

You have a real world entity translated to a digital format.  Yes that can
be slightly ambiguous at time, naming is hard, and people do get this wrong
frequently.

The most common problem is to name something in a way that does not scale.
The solution to this problem is rather easy, and that is to use a URI to
name something, which makes it global and scalable.

In the case of bitcoin you could have use the bitcion URI scheme

bitcion:1fhdjkfhjksf...


>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 3232 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 16:52       ` Melvin Carvalho
@ 2013-11-02 17:08         ` Jeff Garzik
  2013-11-02 17:16           ` Hannu Kotipalo
  0 siblings, 1 reply; 23+ messages in thread
From: Jeff Garzik @ 2013-11-02 17:08 UTC (permalink / raw)
  To: Melvin Carvalho; +Cc: Bitcoin Dev

On Sat, Nov 2, 2013 at 12:52 PM, Melvin Carvalho
<melvincarvalho@gmail.com> wrote:
> Identity need not be a hard problem.  In my view it is a solved problem.


Yes:  https://en.bitcoin.it/wiki/Identity_protocol_v1



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 17:08         ` Jeff Garzik
@ 2013-11-02 17:16           ` Hannu Kotipalo
  0 siblings, 0 replies; 23+ messages in thread
From: Hannu Kotipalo @ 2013-11-02 17:16 UTC (permalink / raw)
  To: Jeff Garzik, Melvin Carvalho; +Cc: Bitcoin Dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02.11.2013 19:08, Jeff Garzik wrote:
> On Sat, Nov 2, 2013 at 12:52 PM, Melvin Carvalho 
> <melvincarvalho@gmail.com> wrote:
>> Identity need not be a hard problem.  In my view it is a solved
>> problem.
> 
> 
> Yes:  https://en.bitcoin.it/wiki/Identity_protocol_v1
> 

Well in the view of an average internet browser, it is not a solved
problem neither does this identity protocol solve it.

But Mike is correct, this is a wrong place to discuss about it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ1M30ACgkQvafo1Ths1SxypQCgor9LQTyKnlr0gByMPPJRQF6U
LpIAnRMj/udBSDJOK+2JP0hhiG1Bk81d
=tcpx
-----END PGP SIGNATURE-----



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02  5:01 [Bitcoin-development] Message Signing based authentication bitcoingrant
  2013-11-02  5:54 ` Luke-Jr
  2013-11-02 13:02 ` Mike Hearn
@ 2013-11-02 21:14 ` Johnathan Corgan
  2013-11-02 21:51   ` Mark Friedenbach
                     ` (2 more replies)
  2013-11-02 21:57 ` slush
  3 siblings, 3 replies; 23+ messages in thread
From: Johnathan Corgan @ 2013-11-02 21:14 UTC (permalink / raw)
  To: bitcoingrant, bitcoin-development


[-- Attachment #1.1: Type: text/plain, Size: 461 bytes --]

On 11/01/2013 10:01 PM, bitcoingrant@gmx.com wrote:

> Server provides a token for the client to sign.

Anyone else concerned about signing an arbitrary string?  Could be a
hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my own
randomly generated nonce, sign that, then pass the nonce and the
signature back to the server for verification.

-- 
Johnathan Corgan, Corgan Labs
SDR Training and Development Services
http://corganlabs.com

[-- Attachment #1.2: johnathan.vcf --]
[-- Type: text/x-vcard, Size: 335 bytes --]

begin:vcard
fn:Johnathan Corgan
n:Corgan;Johnathan
org:Corgan Enterprises LLC dba Corgan Labs
adr:;;6081 Meridian Ave. Suite 70-111;San Jose;CA;95120;United States
email;internet:johnathan@corganlabs.com
title:Managing Partner
tel;work:+1 408 463 6614
x-mozilla-html:FALSE
url:http://corganlabs.com
version:2.1
end:vcard


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 21:14 ` Johnathan Corgan
@ 2013-11-02 21:51   ` Mark Friedenbach
  2013-11-03  0:29     ` Allen Piscitello
  2013-11-03  6:23   ` Timo Hanke
  2013-11-06  3:38   ` Melvin Carvalho
  2 siblings, 1 reply; 23+ messages in thread
From: Mark Friedenbach @ 2013-11-02 21:51 UTC (permalink / raw)
  To: bitcoin-development

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Or SIGHASH of a transaction spending those coins or updating the SIN...

On 11/2/13 2:14 PM, Johnathan Corgan wrote:> On 11/01/2013 10:01 PM,
bitcoingrant@gmx.com wrote:
> 
>> Server provides a token for the client to sign.
> 
> Anyone else concerned about signing an arbitrary string?  Could be
> a hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my
> own randomly generated nonce, sign that, then pass the nonce and
> the signature back to the server for verification.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSdXPaAAoJEAdzVfsmodw4+m8P/1Ce/PwZOYfiFuFJ8pmT2tb2
ro7tw7zSr12RSTvs+qRl7lDzJzQ6BDXOdXZCkcU0Vj3TDm8fdrrXN/iw3iQYU/5Y
3K7hj2mGqQUMovCLw0CbrMWrMvor7FhO6MZsRwe0+VxDV/dDrX5f5vSEhnkR26be
NrzOFU4hqGM3R4eLq8Bmw5rVD/VCrRzKoXXAvJb1EwM1+fQPjKi+bNMJu3reyfXU
5eMbbiM6tUMmPXy9M6vZrN+6ad53x3KUVP6+/hXxsrnfPp57WQzRZlvwTo/qdJ1C
Oxl71m6o2zkXbLTFmg1xmK/A4V1BPTLD6nLDIsw+wTBBfdn22pfDv6Q8d3VRctrd
6x+PMkwysoMjhemmkXCY/7G9GD6AGsrYSqIShSULd9QO5WxAFzRO01ewiRUCUFHi
Dn0LEjy8/R/CWK3jvj9uL3vQh9DLdOtqf/X7cEtjF3LThVP+stFTsmXObhTh/8Ai
YYjpnwOFG5ZtDzRZfP3OCwyhqlsaMlNgN4xnyR4GPaoJRP3a0zllblIbTWzg6nhY
jbON5Ec9N9txGhagYOoAvcQYqGyJdffkBzW82CRUsFYuYYmW2oLUQXPhAGDBIzzj
g/7RjMlM1OEp3qctxMZQlrTj7VJmhD768PRLh2XvEDmEC5Qb8Tcq28Nq5t85/O/6
i3+pzT5rMuiIZWLx7Msv
=tAUY
-----END PGP SIGNATURE-----



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02  5:01 [Bitcoin-development] Message Signing based authentication bitcoingrant
                   ` (2 preceding siblings ...)
  2013-11-02 21:14 ` Johnathan Corgan
@ 2013-11-02 21:57 ` slush
  2013-11-06  3:01   ` Melvin Carvalho
  3 siblings, 1 reply; 23+ messages in thread
From: slush @ 2013-11-02 21:57 UTC (permalink / raw)
  To: bitcoingrant; +Cc: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 3085 bytes --]

Glad to see that there are more and more people wanting to replace
passwords with digital signatures.

Although such method has been already used on other websites like Eligius
or bitcoin-otc, I dont think theres any standard way to doing so yet.

Two comments to your proposal:

A) message-to-be-signed need to be carefully composed to be both structured
and human readable. It should contain at least:
Desired username/identity handler
Server identifier (url)
Timestamp to prevent replay attack
Server challenge

Then the user can see what he's signing, instead of signing some binary
blob which can contain some evil data.

B)
Same structured data should be a part of html page in some header tag,
ideally signed by server certificate to confirm that the request is valid.
Then the login request can be processed by machine automatically, without a
need of copy&paste by a user.

Slush


On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:

> Passwords are inefficient by design: frequently we hear news from Sony,
> Square Enix, Adobe, and various others about passwords being compromised,
> databases being copied and stolen. This story remains true in the Bitcoin
> space. In light of the recent Bitcointalk forum breach echoes an increasing
> need for passwords to become a thing of the past.
>
>
>
> In celebration of the 5 year anniversary of the Bitcoin whitepaper, we are
> delighted to introduce the Message Signing based authentication method.
>
>
>
> In brief, the authentication work as follows:
>
>
>
> Server provides a token for the client to sign.
>
> client passes the signed message and the bitcoin address back to the
> server.
>
> server validates the message and honors the alias (optional) and bitcoin
> address as identification.
>
>
>
> http://forums.bitcoingrant.org/
>
>
>
> Above is a proof of concept forum that utilize this authentication method.
> Following Kerckhoffs's principle, this forum only stores the signed message
> and bitcoin address the users provide the first time they use the site,
> both are public information. In addition, there is no database, everything
> is simply an RSS feed. For the sake of usability we have included a redis
> for the sessions, at the cost of additional exposure to potential risks:
> users no longer need to sign a token every time they wish to post.
>
>
>
> All source code will be available on github in the next few days.
>
>
>
> We welcome any feedback or suggestions.
>
>
>
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 7484 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 21:51   ` Mark Friedenbach
@ 2013-11-03  0:29     ` Allen Piscitello
  2013-11-03  0:33       ` Luke-Jr
  0 siblings, 1 reply; 23+ messages in thread
From: Allen Piscitello @ 2013-11-03  0:29 UTC (permalink / raw)
  To: Mark Friedenbach; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 3050 bytes --]

This was one of my concerns when implementing a scheme where you sign a
refund transaction before the original transaction is broadcast.  I
originally tried to pass a hash and have the server sign it.  However, I
had no way to know that what I was signing wasn't a transaction that was
spending my coins!  So I changed the code to require sending the full
transaction, not just the hash.  The other way to mitigate this is through
not having any unspent outputs from this key.

For authentication, you could have both a user-generated and
server-generated portion, so that you signed something that clearly had
data from you, so even if the server-data was a hash of $EVIL_DOCUMENT, you
have clear plausible deniability in that your data that is also signed is
"ATTEMPTING LOGIN TO XYZ.COM Hash($EVIL_DOCUMENT)".


On Sat, Nov 2, 2013 at 4:51 PM, Mark Friedenbach <mark@monetize.io> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Or SIGHASH of a transaction spending those coins or updating the SIN...
>
> On 11/2/13 2:14 PM, Johnathan Corgan wrote:> On 11/01/2013 10:01 PM,
> bitcoingrant@gmx.com wrote:
> >
> >> Server provides a token for the client to sign.
> >
> > Anyone else concerned about signing an arbitrary string?  Could be
> > a hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my
> > own randomly generated nonce, sign that, then pass the nonce and
> > the signature back to the server for verification.
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJSdXPaAAoJEAdzVfsmodw4+m8P/1Ce/PwZOYfiFuFJ8pmT2tb2
> ro7tw7zSr12RSTvs+qRl7lDzJzQ6BDXOdXZCkcU0Vj3TDm8fdrrXN/iw3iQYU/5Y
> 3K7hj2mGqQUMovCLw0CbrMWrMvor7FhO6MZsRwe0+VxDV/dDrX5f5vSEhnkR26be
> NrzOFU4hqGM3R4eLq8Bmw5rVD/VCrRzKoXXAvJb1EwM1+fQPjKi+bNMJu3reyfXU
> 5eMbbiM6tUMmPXy9M6vZrN+6ad53x3KUVP6+/hXxsrnfPp57WQzRZlvwTo/qdJ1C
> Oxl71m6o2zkXbLTFmg1xmK/A4V1BPTLD6nLDIsw+wTBBfdn22pfDv6Q8d3VRctrd
> 6x+PMkwysoMjhemmkXCY/7G9GD6AGsrYSqIShSULd9QO5WxAFzRO01ewiRUCUFHi
> Dn0LEjy8/R/CWK3jvj9uL3vQh9DLdOtqf/X7cEtjF3LThVP+stFTsmXObhTh/8Ai
> YYjpnwOFG5ZtDzRZfP3OCwyhqlsaMlNgN4xnyR4GPaoJRP3a0zllblIbTWzg6nhY
> jbON5Ec9N9txGhagYOoAvcQYqGyJdffkBzW82CRUsFYuYYmW2oLUQXPhAGDBIzzj
> g/7RjMlM1OEp3qctxMZQlrTj7VJmhD768PRLh2XvEDmEC5Qb8Tcq28Nq5t85/O/6
> i3+pzT5rMuiIZWLx7Msv
> =tAUY
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

[-- Attachment #2: Type: text/html, Size: 4119 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-03  0:29     ` Allen Piscitello
@ 2013-11-03  0:33       ` Luke-Jr
  2013-11-03  1:19         ` Allen Piscitello
  0 siblings, 1 reply; 23+ messages in thread
From: Luke-Jr @ 2013-11-03  0:33 UTC (permalink / raw)
  To: bitcoin-development

On Sunday, November 03, 2013 12:29:28 AM Allen Piscitello wrote:
> This was one of my concerns when implementing a scheme where you sign a
> refund transaction before the original transaction is broadcast.  I
> originally tried to pass a hash and have the server sign it.  However, I
> had no way to know that what I was signing wasn't a transaction that was
> spending my coins!  So I changed the code to require sending the full
> transaction, not just the hash.  The other way to mitigate this is through
> not having any unspent outputs from this key.

Well, there's no use case to sign with an address that has already been sent 
coins. The main problem with enforcing this is that you can't exactly stop 
someone from sending to an "identity" address.

Luke



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-03  0:33       ` Luke-Jr
@ 2013-11-03  1:19         ` Allen Piscitello
  2013-11-03  1:27           ` Luke-Jr
  0 siblings, 1 reply; 23+ messages in thread
From: Allen Piscitello @ 2013-11-03  1:19 UTC (permalink / raw)
  To: Luke-Jr; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]

I actually had a use case in my case where it was possible, and that was
the check I used to get around it, just configured it so that I always
generated a new key when I needed to set up a 2 of 2 Multisig Refund Tx.
 It was either that or making sure I had no unspent outputs.  The use case
of doing it was laziness in just creating a single key.


On Sat, Nov 2, 2013 at 7:33 PM, Luke-Jr <luke@dashjr.org> wrote:

> On Sunday, November 03, 2013 12:29:28 AM Allen Piscitello wrote:
> > This was one of my concerns when implementing a scheme where you sign a
> > refund transaction before the original transaction is broadcast.  I
> > originally tried to pass a hash and have the server sign it.  However, I
> > had no way to know that what I was signing wasn't a transaction that was
> > spending my coins!  So I changed the code to require sending the full
> > transaction, not just the hash.  The other way to mitigate this is
> through
> > not having any unspent outputs from this key.
>
> Well, there's no use case to sign with an address that has already been
> sent
> coins. The main problem with enforcing this is that you can't exactly stop
> someone from sending to an "identity" address.
>
> Luke
>

[-- Attachment #2: Type: text/html, Size: 1667 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-03  1:19         ` Allen Piscitello
@ 2013-11-03  1:27           ` Luke-Jr
  2013-11-03  1:36             ` Allen Piscitello
  0 siblings, 1 reply; 23+ messages in thread
From: Luke-Jr @ 2013-11-03  1:27 UTC (permalink / raw)
  To: Allen Piscitello; +Cc: Bitcoin Development

On Sunday, November 03, 2013 1:19:51 AM Allen Piscitello wrote:
> I actually had a use case in my case where it was possible, and that was
> the check I used to get around it, just configured it so that I always
> generated a new key when I needed to set up a 2 of 2 Multisig Refund Tx.
>  It was either that or making sure I had no unspent outputs.  The use case
> of doing it was laziness in just creating a single key.

Use cases mean an actual use, not mere laziness. Bitcoin as a system has 
always required a unique EC key (and address) for each transaction.

Luke



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-03  1:27           ` Luke-Jr
@ 2013-11-03  1:36             ` Allen Piscitello
  0 siblings, 0 replies; 23+ messages in thread
From: Allen Piscitello @ 2013-11-03  1:36 UTC (permalink / raw)
  To: Luke-Jr; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 941 bytes --]

Required vs. strongly recommended is an important distinction.  Satoshi
Dice reuses EC Keys for every single transaction.  Exchanges will have the
same address you deposit in over and over, which gets reused.  This is a
best practice argument rather than a protocol requirement.


On Sat, Nov 2, 2013 at 8:27 PM, Luke-Jr <luke@dashjr.org> wrote:

> On Sunday, November 03, 2013 1:19:51 AM Allen Piscitello wrote:
> > I actually had a use case in my case where it was possible, and that was
> > the check I used to get around it, just configured it so that I always
> > generated a new key when I needed to set up a 2 of 2 Multisig Refund Tx.
> >  It was either that or making sure I had no unspent outputs.  The use
> case
> > of doing it was laziness in just creating a single key.
>
> Use cases mean an actual use, not mere laziness. Bitcoin as a system has
> always required a unique EC key (and address) for each transaction.
>
> Luke
>

[-- Attachment #2: Type: text/html, Size: 1363 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 21:14 ` Johnathan Corgan
  2013-11-02 21:51   ` Mark Friedenbach
@ 2013-11-03  6:23   ` Timo Hanke
  2013-11-06  3:38   ` Melvin Carvalho
  2 siblings, 0 replies; 23+ messages in thread
From: Timo Hanke @ 2013-11-03  6:23 UTC (permalink / raw)
  To: Johnathan Corgan; +Cc: bitcoingrant, bitcoin-development

On Sat, Nov 02, 2013 at 02:14:22PM -0700, Johnathan Corgan wrote:
> On 11/01/2013 10:01 PM, bitcoingrant@gmx.com wrote:
> 
> > Server provides a token for the client to sign.
> 
> Anyone else concerned about signing an arbitrary string?  Could be a
> hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my own
> randomly generated nonce, sign that, then pass the nonce and the
> signature back to the server for verification.

There were several replies like this, suggesting the client should
modify or add something to the token, or should give the token some
structure. But signing a token is not what the client should do in the
first place. At least not if the client's key is (EC)DSA. The standard
way is a challenge-response protocol in the form of the Diffie-Hellman
key exchange, which avoids producing any unintentional signatures.

Say the clients wants to prove he owns private key p, belonging to
public key P. P=p*G and G is the "base" of the (EC)DSA signature system.
The server generates a new keypair (a,A), a is private, A is public, and
sends A to the client as a challenge. The client computes and sends p*A
back. The server verifies whether p*A = a*P.

Only "public keys" are exchanged here, there's nothing that can be
mistaken for a (EC)DSA signature.

Timo

> -- 
> Johnathan Corgan, Corgan Labs
> SDR Training and Development Services
> http://corganlabs.com

> begin:vcard
> fn:Johnathan Corgan
> n:Corgan;Johnathan
> org:Corgan Enterprises LLC dba Corgan Labs
> adr:;;6081 Meridian Ave. Suite 70-111;San Jose;CA;95120;United States
> email;internet:johnathan@corganlabs.com
> title:Managing Partner
> tel;work:+1 408 463 6614
> x-mozilla-html:FALSE
> url:http://corganlabs.com
> version:2.1
> end:vcard
> 




-- 
Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB  631D 1BB5 D6E3 AB96 7DA8



^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 21:57 ` slush
@ 2013-11-06  3:01   ` Melvin Carvalho
  2013-11-06  6:41     ` slush
  0 siblings, 1 reply; 23+ messages in thread
From: Melvin Carvalho @ 2013-11-06  3:01 UTC (permalink / raw)
  To: slush; +Cc: bitcoingrant, bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 5121 bytes --]

On 2 November 2013 22:57, slush <slush@centrum.cz> wrote:

> Glad to see that there are more and more people wanting to replace
> passwords with digital signatures.
>
> Although such method has been already used on other websites like Eligius
> or bitcoin-otc, I dont think theres any standard way to doing so yet.
>
> Two comments to your proposal:
>
> A) message-to-be-signed need to be carefully composed to be both
> structured and human readable. It should contain at least:
> Desired username/identity handler
> Server identifier (url)
> Timestamp to prevent replay attack
> Server challenge
>
> Then the user can see what he's signing, instead of signing some binary
> blob which can contain some evil data.
>
> B)
> Same structured data should be a part of html page in some header tag,
> ideally signed by server certificate to confirm that the request is valid.
> Then the login request can be processed by machine automatically, without a
> need of copy&paste by a user.
>
But where are the private keys stored?  Crypto in the browser with help,
but although they will expose ECC via the NSS, I dont think bitcoin's
particular curve will be supported, because it's not NIST approved.  If the
use case was presented though, they may add it.

This can actually be done today using client side certificates.  Two
methods.

Method 1:

In your client side certificate, put in your bitcoin address in the
subjectAlternativeName field.  This is a field that lets you tell the
server "I have another identity"

From the bitcoin address look up via a ".well-known" key server some items
previously uploaded.  This would normally be a signed value of the key
used, or a signed value of the the certificate.  The server checks this and
logs you in.

Method 2:

In your client side certificate, put in an HTTP address.  That HTTP address
contains your bitcoin address and a signed copy of your cert public key or
the cert itself.

The advantage here is that you dont need a key server.


Both methods work, I've been doing this kind of thing for 5 years+, and I'd
never go back to passwords on anything I build.

I'm all for recreating this UI in javascript too, but I just wonder how to
protect the private keys ...


> Slush
>
>
> On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:
>
>> Passwords are inefficient by design: frequently we hear news from Sony,
>> Square Enix, Adobe, and various others about passwords being compromised,
>> databases being copied and stolen. This story remains true in the Bitcoin
>> space. In light of the recent Bitcointalk forum breach echoes an increasing
>> need for passwords to become a thing of the past.
>>
>>
>>
>> In celebration of the 5 year anniversary of the Bitcoin whitepaper, we
>> are delighted to introduce the Message Signing based authentication method.
>>
>>
>>
>> In brief, the authentication work as follows:
>>
>>
>>
>> Server provides a token for the client to sign.
>>
>> client passes the signed message and the bitcoin address back to the
>> server.
>>
>> server validates the message and honors the alias (optional) and bitcoin
>> address as identification.
>>
>>
>>
>> http://forums.bitcoingrant.org/
>>
>>
>>
>> Above is a proof of concept forum that utilize this authentication
>> method. Following Kerckhoffs's principle, this forum only stores the signed
>> message and bitcoin address the users provide the first time they use the
>> site, both are public information. In addition, there is no database,
>> everything is simply an RSS feed. For the sake of usability we have
>> included a redis for the sessions, at the cost of additional exposure to
>> potential risks: users no longer need to sign a token every time they wish
>> to post.
>>
>>
>>
>> All source code will be available on github in the next few days.
>>
>>
>>
>> We welcome any feedback or suggestions.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Android is increasing in popularity, but the open development platform
>> that
>> developers love is also attractive to malware creators. Download this
>> white
>> paper to learn more about secure code signing practices that can help keep
>> Android apps secure.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 10544 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-02 21:14 ` Johnathan Corgan
  2013-11-02 21:51   ` Mark Friedenbach
  2013-11-03  6:23   ` Timo Hanke
@ 2013-11-06  3:38   ` Melvin Carvalho
  2 siblings, 0 replies; 23+ messages in thread
From: Melvin Carvalho @ 2013-11-06  3:38 UTC (permalink / raw)
  To: Johnathan Corgan; +Cc: bitcoingrant, Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 1907 bytes --]

On 2 November 2013 22:14, Johnathan Corgan <johnathan@corganlabs.com> wrote:

> On 11/01/2013 10:01 PM, bitcoingrant@gmx.com wrote:
>
> > Server provides a token for the client to sign.
>
> Anyone else concerned about signing an arbitrary string?  Could be a
> hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my own
> randomly generated nonce, sign that, then pass the nonce and the
> signature back to the server for verification.
>

Good point.

There are actually times you may want to sign a transaction.

There's a little know HTTP code, 402, "Payment Required".  We should really
start using this at some point ...

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Reserved for future use.[2] The original intention was that this code might
be used as part of some form of digital cash or micropayment scheme, but
that has not happened, and this code is not usually used. As an example of
its use, however, Apple's defunct MobileMe service generated a 402 error if
the MobileMe account was delinquent.[citation needed] In addition, YouTube
uses this status if a particular IP address has made excessive requests,
and requires the person to enter a CAPTCHA.


>
> --
> Johnathan Corgan, Corgan Labs
> SDR Training and Development Services
> http://corganlabs.com
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 3064 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-06  3:01   ` Melvin Carvalho
@ 2013-11-06  6:41     ` slush
  2013-12-06 10:44       ` Melvin Carvalho
  0 siblings, 1 reply; 23+ messages in thread
From: slush @ 2013-11-06  6:41 UTC (permalink / raw)
  To: Melvin Carvalho; +Cc: bitcoin-development, bitcoingrant

[-- Attachment #1: Type: text/plain, Size: 319 bytes --]

> But where are the private keys stored? Crypto in the browser with help,
but although they will expose ECC via the NSS, I dont think bitcoin's
particular curve will be supported, because it's not NIST approved. If the
use case was presented though, they may add it.

Trezor, my friend.

Slush

Sent from mobile phone.

[-- Attachment #2: Type: text/html, Size: 362 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: [Bitcoin-development] Message Signing based authentication
  2013-11-06  6:41     ` slush
@ 2013-12-06 10:44       ` Melvin Carvalho
  0 siblings, 0 replies; 23+ messages in thread
From: Melvin Carvalho @ 2013-12-06 10:44 UTC (permalink / raw)
  To: slush; +Cc: bitcoin-development, bitcoingrant

[-- Attachment #1: Type: text/plain, Size: 526 bytes --]

On 6 November 2013 07:41, slush <slush@centrum.cz> wrote:

> > But where are the private keys stored? Crypto in the browser with help,
> but although they will expose ECC via the NSS, I dont think bitcoin's
> particular curve will be supported, because it's not NIST approved. If the
> use case was presented though, they may add it.
>
> Trezor, my friend.
>

Looking forward to the trezor release, best of luck.

This may be an interesting read too:

https://www.grc.com/sqrl/sqrl.htm


> Slush
>
> Sent from mobile phone.
>

[-- Attachment #2: Type: text/html, Size: 1141 bytes --]

^ permalink raw reply	[flat|nested] 23+ messages in thread

end of thread, other threads:[~2013-12-06 10:44 UTC | newest]

Thread overview: 23+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-11-02  5:01 [Bitcoin-development] Message Signing based authentication bitcoingrant
2013-11-02  5:54 ` Luke-Jr
2013-11-02 13:02 ` Mike Hearn
2013-11-02 13:16   ` Melvin Carvalho
2013-11-02 13:19   ` Hannu Kotipalo
2013-11-02 16:26     ` Mike Hearn
2013-11-02 16:26       ` Mike Hearn
2013-11-02 16:52       ` Melvin Carvalho
2013-11-02 17:08         ` Jeff Garzik
2013-11-02 17:16           ` Hannu Kotipalo
2013-11-02 21:14 ` Johnathan Corgan
2013-11-02 21:51   ` Mark Friedenbach
2013-11-03  0:29     ` Allen Piscitello
2013-11-03  0:33       ` Luke-Jr
2013-11-03  1:19         ` Allen Piscitello
2013-11-03  1:27           ` Luke-Jr
2013-11-03  1:36             ` Allen Piscitello
2013-11-03  6:23   ` Timo Hanke
2013-11-06  3:38   ` Melvin Carvalho
2013-11-02 21:57 ` slush
2013-11-06  3:01   ` Melvin Carvalho
2013-11-06  6:41     ` slush
2013-12-06 10:44       ` Melvin Carvalho

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox