
BitPay introduces "BitAuth" - New authentication technology


Renegade:
This is some pretty exciting stuff!

http://blog.bitpay.com/2014/07/01/bitauth-for-decentralized-authentication.html

BitAuth is a way to do secure, passwordless authentication using the same elliptic-curve cryptography as Bitcoin. Instead of using a shared secret, the client signs each request using a private key and the server checks to make sure the signature is valid and matches the public key. A nonce is used to prevent replay attacks and provide sequence enforcement.
--- End quote ---

And how it works:

How BitAuth Works

The general flow of using BitAuth to authenticate a request is as follows.

* Key generation: generate a keypair using ECDSA, on the secp256k1 curve.
* SIN construction: with public key k1, concatenate the SIN version byte and hashed public key, then encode this in the base58check format.
* SIN sharing: register your SIN with the remote service using a mechanism of your choosing—generally, this takes place with client registration.
* Submitting Requests: requests are made over HTTP, with the x-signature header:
  * generate a unique, higher-than-previous nonce
  * include nonce in the body of your request
  * concatenate and sign URI + BODY with your private key, and provide it in x-signature

The server will now verify the signature against the public key you’ve provided and the SIN you’ve shared previously, confirm that the signed nonce is greater than this SIN’s previous nonces (preventing replay attacks), and subsequently authenticate the request.
--- End quote ---

More at the link.
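To make the quoted flow concrete, here is an added example written for this thread; it is not BitPay's bitauth code and only follows the steps in the quote above. It is plain Python with no third-party dependency, so the secp256k1 arithmetic is a textbook implementation (not constant-time, for illustration only). Everything the quote leaves unspecified is an assumption here: the public key is carried in a header I have named x-identity (only x-signature is named in the post), the "hashed public key" in the SIN uses SHA-256, the SIN version byte is 0x0f, public keys are 65-byte uncompressed points, and the signature is serialised as r||s. The server state, the request and the tampered copy of it are all constructed in-process.

```python
import hashlib
import json
import secrets

# secp256k1 (Bitcoin's curve); textbook, non-constant-time arithmetic, for illustration only
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _add(p1, p2):  # point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def generate_keypair():  # (private scalar, 65-byte uncompressed public key)
    priv = secrets.randbelow(N - 1) + 1
    x, y = _mul(priv, G)
    return priv, b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def sign(priv, msg):  # ECDSA over SHA-256(msg); signature serialised as r||s
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def verify(pub, msg, sig):
    x, y = int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:], "big")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if (pub[:1] != b"\x04" or len(pub) != 65 or len(sig) != 64
            or (y * y - x ** 3 - 7) % P or not (0 < r < N and 0 < s < N)):
        return False  # malformed encoding, off-curve key, or r/s out of range
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, (x, y)))
    return pt is not None and pt[0] % N == r

def base58check(payload):  # payload || 4-byte double-SHA-256 checksum, base58 encoded
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def make_sin(pub):  # version byte (0x0f assumed) + hashed public key (SHA-256 assumed)
    return base58check(b"\x0f" + hashlib.sha256(pub).digest())

class BitAuthClient:
    def __init__(self):
        self.priv, self.pub = generate_keypair()
        self.sin, self.nonce = make_sin(self.pub), 0
    def request(self, uri, payload):  # returns what would go on the wire
        self.nonce += 1  # unique and higher than the previous one
        body = json.dumps(dict(payload, nonce=self.nonce), sort_keys=True)
        sig = sign(self.priv, (uri + body).encode())  # sign URI + BODY
        # x-identity (carrying the public key) is an assumed header name
        return uri, body, {"x-identity": self.pub.hex(), "x-signature": sig.hex()}

class BitAuthServer:
    def __init__(self):
        self.last_nonce = {}  # SIN -> highest nonce accepted so far
    def register(self, sin):  # the "SIN sharing" step, done out of band at sign-up
        self.last_nonce[sin] = 0
    def authenticate(self, uri, body, headers):
        try:
            pub = bytes.fromhex(headers["x-identity"])
            sig = bytes.fromhex(headers["x-signature"])
            nonce = json.loads(body).get("nonce")
        except (KeyError, ValueError, AttributeError):
            return False, "malformed request"
        sin = make_sin(pub)
        if sin not in self.last_nonce:
            return False, "unknown SIN"
        if not verify(pub, (uri + body).encode(), sig):  # verify before touching state
            return False, "bad signature"
        if not isinstance(nonce, int) or nonce <= self.last_nonce[sin]:
            return False, "replayed or out-of-order nonce"
        self.last_nonce[sin] = nonce
        return True, "ok"
```

Usage: create a BitAuthClient, pass its sin to BitAuthServer.register, then hand the tuple returned by client.request to server.authenticate. A fresh request is accepted, the identical request submitted again is rejected because its nonce is not higher than the one already recorded for that SIN, a copy with an edited body fails signature verification, and a request from an unregistered key is rejected by its SIN before any signature work is done. Two things a practitioner would watch for when building this for real: the server must check the signature before it reads or records the nonce, otherwise an unsigned request could advance the counter, and the per-SIN nonce must be persisted and shared across server instances or a replay will succeed against whichever instance has not seen it.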

ewemoa:
So will it be possible to sign up at DC forums using this? :)

Renegade:
So will it be possible to sign up at DC forums using this? :)
-ewemoa (July 02, 2014, 03:44 AM)
--- End quote ---

It's possible, but probably not worthwhile.

ewemoa:
Hmm, I thought this kind of scheme might be useful in providing a small number of authentication "tokens" (possibly down to one) for reuse across many systems -- but without some of the downsides of existing systems which claim to provide a sort of single-sign-on system.

Renegade:
Hmm, I thought this kind of scheme might be useful in providing a small number of authentication "tokens" (possibly down to one) for reuse across many systems -- but without some of the downsides of existing systems which claim to provide a sort of single-sign-on system.
-ewemoa (July 02, 2014, 05:17 AM)
--- End quote ---

Yes - it is like that.

But for mouser to go and implement it as an additional authentication mechanism probably is too much work. The current one here works already.

That system is more robust and secure, but it's not the kind of thing that people normally use, so there's a learning curve for it. It's probably not worthwhile for "normal" sites (e.g. forums, etc.) to use quite yet. If it becomes widely adopted in other areas, then it might make sense for "normal" sites to use it.

In my own experience, SSO is horribly broken. I want to tear my eyeballs out and ram broken glass bottles through my eye-sockets whenever I even think of SSO. That would be less painful.
