From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VclZR-0002iJ-1Y for bitcoin-development@lists.sourceforge.net; Sun, 03 Nov 2013 00:29:37 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.212.175 as permitted sender) client-ip=209.85.212.175; envelope-from=allen.piscitello@gmail.com; helo=mail-wi0-f175.google.com; Received: from mail-wi0-f175.google.com ([209.85.212.175]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1VclZO-0005lt-U7 for bitcoin-development@lists.sourceforge.net; Sun, 03 Nov 2013 00:29:37 +0000 Received: by mail-wi0-f175.google.com with SMTP id hm4so2446455wib.14 for ; Sat, 02 Nov 2013 17:29:28 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.194.200.100 with SMTP id jr4mr7212582wjc.37.1383438568717; Sat, 02 Nov 2013 17:29:28 -0700 (PDT) Received: by 10.194.85.112 with HTTP; Sat, 2 Nov 2013 17:29:28 -0700 (PDT) In-Reply-To: <527573DA.7010203@monetize.io> References: <20131102050144.5850@gmx.com> <52756B2E.7030505@corganlabs.com> <527573DA.7010203@monetize.io> Date: Sat, 2 Nov 2013 19:29:28 -0500 Message-ID: From: Allen Piscitello To: Mark Friedenbach Content-Type: multipart/alternative; boundary=047d7bb03e1e75050904ea3ae463 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (allen.piscitello[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: doubleclick.net] 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1VclZO-0005lt-U7 Cc: Bitcoin Development Subject: Re: [Bitcoin-development] Message Signing based authentication X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Nov 2013 00:29:37 -0000 --047d7bb03e1e75050904ea3ae463 Content-Type: text/plain; charset=ISO-8859-1 This was one of my concerns when implementing a scheme where you sign a refund transaction before the original transaction is broadcast. I originally tried to pass a hash and have the server sign it. However, I had no way to know that what I was signing wasn't a transaction that was spending my coins! So I changed the code to require sending the full transaction, not just the hash. The other way to mitigate this is through not having any unspent outputs from this key. For authentication, you could have both a user-generated and server-generated portion, so that you signed something that clearly had data from you, so even if the server-data was a hash of $EVIL_DOCUMENT, you have clear plausible deniability in that your data that is also signed is "ATTEMPTING LOGIN TO XYZ.COM Hash($EVIL_DOCUMENT)". On Sat, Nov 2, 2013 at 4:51 PM, Mark Friedenbach wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Or SIGHASH of a transaction spending those coins or updating the SIN... > > On 11/2/13 2:14 PM, Johnathan Corgan wrote:> On 11/01/2013 10:01 PM, > bitcoingrant@gmx.com wrote: > > > >> Server provides a token for the client to sign. > > > > Anyone else concerned about signing an arbitrary string? Could be > > a hash of $EVIL_DOCUMENT, no? I'd want to XOR the string with my > > own randomly generated nonce, sign that, then pass the nonce and > > the signature back to the server for verification. > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.19 (Darwin) > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJSdXPaAAoJEAdzVfsmodw4+m8P/1Ce/PwZOYfiFuFJ8pmT2tb2 > ro7tw7zSr12RSTvs+qRl7lDzJzQ6BDXOdXZCkcU0Vj3TDm8fdrrXN/iw3iQYU/5Y > 3K7hj2mGqQUMovCLw0CbrMWrMvor7FhO6MZsRwe0+VxDV/dDrX5f5vSEhnkR26be > NrzOFU4hqGM3R4eLq8Bmw5rVD/VCrRzKoXXAvJb1EwM1+fQPjKi+bNMJu3reyfXU > 5eMbbiM6tUMmPXy9M6vZrN+6ad53x3KUVP6+/hXxsrnfPp57WQzRZlvwTo/qdJ1C > Oxl71m6o2zkXbLTFmg1xmK/A4V1BPTLD6nLDIsw+wTBBfdn22pfDv6Q8d3VRctrd > 6x+PMkwysoMjhemmkXCY/7G9GD6AGsrYSqIShSULd9QO5WxAFzRO01ewiRUCUFHi > Dn0LEjy8/R/CWK3jvj9uL3vQh9DLdOtqf/X7cEtjF3LThVP+stFTsmXObhTh/8Ai > YYjpnwOFG5ZtDzRZfP3OCwyhqlsaMlNgN4xnyR4GPaoJRP3a0zllblIbTWzg6nhY > jbON5Ec9N9txGhagYOoAvcQYqGyJdffkBzW82CRUsFYuYYmW2oLUQXPhAGDBIzzj > g/7RjMlM1OEp3qctxMZQlrTj7VJmhD768PRLh2XvEDmEC5Qb8Tcq28Nq5t85/O/6 > i3+pzT5rMuiIZWLx7Msv > =tAUY > -----END PGP SIGNATURE----- > > > ------------------------------------------------------------------------------ > Android is increasing in popularity, but the open development platform that > developers love is also attractive to malware creators. Download this white > paper to learn more about secure code signing practices that can help keep > Android apps secure. > http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --047d7bb03e1e75050904ea3ae463 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
This was one of my concerns when implementing a scheme whe= re you sign a refund transaction before the original transaction is broadca= st. =A0I originally tried to pass a hash and have the server sign it. =A0Ho= wever, I had no way to know that what I was signing wasn't a transactio= n that was spending my coins! =A0So I changed the code to require sending t= he full transaction, not just the hash. =A0The other way to mitigate this i= s through not having any unspent outputs from this key.

For authentication, you could have both a user-generated and= server-generated portion, so that you signed something that clearly had da= ta from you, so even if the server-data was a hash of $EVIL_DOCUMENT, you h= ave clear plausible deniability in that your data that is also signed is &q= uot;ATTEMPTING LOGIN TO XYZ.COM Hash($EVIL_D= OCUMENT)".


On Sat,= Nov 2, 2013 at 4:51 PM, Mark Friedenbach <mark@monetize.io> = wrote:
-----BEGIN PGP SIGNED MESS= AGE-----
Hash: SHA1

Or SIGHASH of a transaction spending those coins or updating the SIN.= ..

On 11/2/13 2:14 PM, Johnathan Corgan wrote:> On 11/01/2013 10:01 PM,
bitcoingrant@gmx.= com wrote:
>
>> Server provides a token for the client to sign.
>
> Anyone else concerned about signing an arbitrary string? =A0Could be > a hash of $EVIL_DOCUMENT, no? =A0I'd want to XOR the string with m= y
> own randomly generated nonce, sign that, then pass the nonce and
> the signature back to the server for verification.
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http:= //gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSdXPaAAoJEAdzVfsmodw4+m8P/1Ce/PwZOYfiFuFJ8pmT2tb2
ro7tw7zSr12RSTvs+qRl7lDzJzQ6BDXOdXZCkcU0Vj3TDm8fdrrXN/iw3iQYU/5Y
3K7hj2mGqQUMovCLw0CbrMWrMvor7FhO6MZsRwe0+VxDV/dDrX5f5vSEhnkR26be
NrzOFU4hqGM3R4eLq8Bmw5rVD/VCrRzKoXXAvJb1EwM1+fQPjKi+bNMJu3reyfXU
5eMbbiM6tUMmPXy9M6vZrN+6ad53x3KUVP6+/hXxsrnfPp57WQzRZlvwTo/qdJ1C
Oxl71m6o2zkXbLTFmg1xmK/A4V1BPTLD6nLDIsw+wTBBfdn22pfDv6Q8d3VRctrd
6x+PMkwysoMjhemmkXCY/7G9GD6AGsrYSqIShSULd9QO5WxAFzRO01ewiRUCUFHi
Dn0LEjy8/R/CWK3jvj9uL3vQh9DLdOtqf/X7cEtjF3LThVP+stFTsmXObhTh/8Ai
YYjpnwOFG5ZtDzRZfP3OCwyhqlsaMlNgN4xnyR4GPaoJRP3a0zllblIbTWzg6nhY
jbON5Ec9N9txGhagYOoAvcQYqGyJdffkBzW82CRUsFYuYYmW2oLUQXPhAGDBIzzj
g/7RjMlM1OEp3qctxMZQlrTj7VJmhD768PRLh2XvEDmEC5Qb8Tcq28Nq5t85/O/6
i3+pzT5rMuiIZWLx7Msv
=3DtAUY
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------= ---
Android is increasing in popularity, but the open development platform that=
developers love is also attractive to malware creators. Download this white=
paper to learn more about secure code signing practices that can help keep<= br> Android apps secure.
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D65839951&iu=3D/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment

--047d7bb03e1e75050904ea3ae463--