Hello community,
I just made a proof-of-concept prototype of PKI authentication using any cryptocurrency. The idea is simple: when a user accesses an http(s) website, the site asks him to prove that he is somebody on some cryptocurrency blockchain. Take Alice@steem for example. The proof consists of two steps. In step 1, the browser, on behalf of the user, sends a claim to the server: "I am Alice@steem." The server checks the blockchain, finds that there is an account named Alice, and replies with a challenge to the browser. In step 2, the user computes a signature with his posting WIF and sends the signature to the server; the server can then verify the signature with the public key that comes from the Steem blockchain. I made two repos on GitHub: this is an Express app that demonstrates the Steem login process, and this is an HTML page that helps compute the signature.
For security reasons, I think this approach is safer than OAuth because:
1. It drops the third party and relies on the blockchain itself.
2. The user doesn't need to provide a password/private key to the site he is being authenticated to, which makes a stealing attack impossible.
And it is useful, as:
1. Users don't need to register on many sites once this method spreads.
2. It can be used by a site admin to authenticate a real account on a public blockchain and evaluate some real attribute of the account, e.g. reputation.
3. It promotes blockchain tech to a more common user base.
For now, I want to hear from you: is this idea good enough?
Hi all,
I have just finished a proof-of-concept prototype of public/private-key authentication based on any cryptocurrency. The idea is simple: when a user visits an http(s) website, the site asks the user to prove that he owns an account on some blockchain. Take Alice@Steem as an example. The proof has two steps. In step 1, the browser, on the user's behalf, sends "I am Alice@Steem" to the server; the server checks whether an Alice account exists on the blockchain and, if so, sends a challenge to the user. In step 2, the user signs the challenge with his posting private key and sends it back to the server, and the server verifies the identity with Alice's posting public key. I have open-sourced two repositories: here is an Express-based application that demonstrates the Steem account login process, and here is an HTML page that performs the signature computation.
From a security standpoint, this approach is better than OAuth because:
1. There is no third party; it relies only on the blockchain.
2. The user never has to give the site a password or private key, which makes a private-key stealing attack impossible.
And it is useful because:
1. Once this method is widely adopted, users no longer need to register on every site.
2. Site administrators can use it to directly authenticate real accounts on a public chain, which lets them assess some real attribute of the user, e.g. reputation.
3. It pushes blockchain technology toward practical use.
Now I would like to hear your suggestions and opinions: is this idea good enough?
Interesting idea and I'd like to learn more, but it needs some rewording and rephrasing, I think.
Thank you @nutela, how should I reword or rephrase? Do I need to emphasize the pain of registering on every site and the security issues of OAuth?
No no, although maybe just this sentence for people who are not aware; the rest they can find out themselves. No, I don't speak Chinese, but I would find someone who can better explain what you mean.
OK, I may have misunderstood you. So you mean I need some rewording and rephrasing ON THE TWO REPOS BUT NOT THIS ARTICLE? If yes, I agree with you. I have now deployed the two repos to Heroku and GitHub Pages. Maybe that can help you. Thanks again!
I will take a look!