topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Saturday December 7, 2024, 3:25 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: BitPay introduces "BitAuth" - New authentication technology  (Read 4963 times)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
This is some pretty exciting stuff!

http://blog.bitpay.c...-authentication.html

BitAuth is a way to do secure, passwordless authentication using the same elliptic-curve cryptography as Bitcoin. Instead of using a shared secret, the client signs each request using a private key and the server checks to make sure the signature is valid and matches the public key. A nonce is used to prevent replay attacks and provide sequence enforcement.

And how it works:


How BitAuth Works

The general flow of using BitAuth to authenticate a request is as follows.

  • Key generation: generate a keypair using ECDSA, on the secp256k1 curve.
  • SIN construction: with public key k1, concatenate the SIN version byte and hashed public key, then encode this in the base58check format.
  • SIN sharing: register your SIN with the remote service using a mechanism of your choosing—generally, this takes place with client registration.
  • Submitting Requests: requests are made over HTTP, with the x-signature header:
    • generate a unique, higher-than-previous nonce
    • include nonce in the body of your request
    • concatenate and sign URI + BODY with your private key, and provide it in x-signature

The server will now verify the signature against the public key you’ve provided and the SIN you’ve shared previously, confirm that the signed nonce is greater than this SIN’s previous nonces (preventing replay attacks), and subsequently authenticate the request.


More at the link.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #1 on: July 02, 2014, 03:44 AM »
So will it be possible to sign up at DC forums using this? :)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #2 on: July 02, 2014, 04:14 AM »
So will it be possible to sign up at DC forums using this? :)

It's possible, but probably not worthwhile.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #3 on: July 02, 2014, 05:17 AM »
Hmm, I thought this kind of scheme might be useful in providing a small number of authentication "tokens" (possibly down to one) for reuse across many systems -- but without some of the downsides of existing systems which claim to provide a sort of single-sign-on system.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #4 on: July 02, 2014, 08:42 AM »
Hmm, I thought this kind of scheme might be useful in providing a small number of authentication "tokens" (possibly down to one) for reuse across many systems -- but without some of the downsides of existing systems which claim to provide a sort of single-sign-on system.

Yes - it is like that.

But for mouser to go and implement it as an additional authentication mechanism probably is too much work. The current one here works already.

That system is a more robust and secure, but it's not the kind of thing that people normally use, so there's a learning curve for it. It's probably not worthwhile for "normal" sites (e.g. forums, etc.) to use quite yet. If it becomes widely adopted in other areas, then it might make sense for "normal" sites to use it.

In my own experience, SSO is horribly broken. I want to tear my eyeballs out and ram broken glass bottles through my eye-sockets whenever I even think of SSO. That would be less painful.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,022
    • View Profile
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #5 on: July 02, 2014, 08:26 PM »
Nice.  Now if it would take the place of Oauth 2.0, I know a few people who would be a lot happier...

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: BitPay introduces "BitAuth" - New authentication technology
« Reply #6 on: July 02, 2014, 09:44 PM »
Patience is a virtue?