Title: An idea; bitidentity, passwordless secure login
Post by: Nite69 on September 29, 2013, 08:49:31 AM

Got this idea from bitmessage; these bitmessage addresses could be used for passwordless anonymous login to any system. Or there could be another blockchain delivering bitidentity messages..
Use case, bulletin board:
- user sends an identity request to the page's bitidentity address. For every bitidentity address, there will be a new private key.
- one gets a sessionkey as a reply (maybe direct https - link) which one could use to login to the page and configure nickname etc.

Very secure, no passwords, anonymous identity.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: virtualmaster on September 29, 2013, 09:08:38 AM

Namecoin already has an identity system implemented:
http://dot-bit.org/Namespace:Identity

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on September 29, 2013, 11:23:59 AM

Quote
Namecoin already has an identity system implemented: http://dot-bit.org/Namespace:Identity

Yes, but that is a public identity (nickname connected to some connection info), not a login credentials. With bitidentity you could securely log in to any supporting www-page without a password. And all those identities would be non-trackable, ie not connected to each other.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: virtualmaster on September 29, 2013, 11:48:55 AM

Quote
Namecoin already has an identity system implemented: http://dot-bit.org/Namespace:Identity
Yes, but that is a public identity (nickname connected to some connection info), not a login credentials. With bitidentity you could securely log in to any supporting www-page without a password. And all those identities would be non-trackable, ie not connected to each other.

Based on this identity check you could make login to any website (if implemented - actually nowhere supported). A user friendly website identification system (an OpenID alternative) based on the Namecoin Identity is planned to be implemented.
https://nameid.org/?view=faq
https://nameid.org/?name=daniel

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on September 29, 2013, 02:08:53 PM

Well, that's something what I had in mind..
I tried to create a nameid with my namecoin id (nite69 (I think we have exchanged some message?)), but without success. Just wondering what did I do wrong? Your page just says incorrect signature. I assume you can see the logs from my attempts?

Edit: I think I can show these data:
Code:
Id: nite69

Edit2: Let me guess; I should use some other key? I only have 2 keys on my wallet visible, but of course, the client might have generated some other keys for transaction change. Maybe you should also show the key which should be used for the signature?

Edit3: browsed the blockchain, tried with both name_new and name_firstupdate transaction's keys, no luck :-(

Edit4: Ok, now it works. I had to sign with the key from the *output* of OP_NAME_FIRSTUPDATE. However, this key was not visible in namecoin-qt wallet, so I had to dig it from the blockchain based on the transaction id from my wallet. I suggest you display the key which should be used for the signature? At least namecoin-qt let me enter the key even if it was not visible.

Edit5: Actually, that makes sense. But the namecoin-qt should show that address as the 'owner' of the identity and should offer that key for signing.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: phelix on September 29, 2013, 10:09:24 PM

Quote from: nameId website
Please use namecoind signmessage with the address corresponding to your identity to sign the following message:

With the GUI you can use the debug console's signmessage command.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on September 30, 2013, 05:32:55 AM

Quote from: nameId website
Please use namecoind signmessage with the address corresponding to your identity to sign the following message:

Quote
With the GUI you can use the debug console's signmessage command.

With the GUI, you can also use the GUI signing window :-): File - sign message.
But the window gives you two options to enter the signing key: either you can write the key on the text box OR you can choose it from your addressbook. Unfortunately generated addresses are not in addressbook, so you have to find the correct signing address from the blockchain and copypaste the key.

It should also give a listbox including only the keys that owns some id/ or d/ records.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: phelix on September 30, 2013, 07:44:50 AM

Quote from: nameId website
Please use namecoind signmessage with the address corresponding to your identity to sign the following message:

Quote
With the GUI you can use the debug console's signmessage command.
With the GUI, you can also use the GUI signing window :-): File - sign message.

Quote
But the window gives you two options to enter the signing key: either you can write the key on the text box OR you can choose it from your addressbook. Unfortunately generated addresses are not in addressbook, so you have to find the correct signing address from the blockchain and copypaste the key.

Well, you can go to the manage names tab and copy it from there before opening the sign dialog. I agree it would be nice to see the registered names displayed on the addressbook or be able to choose "sign message" directly from the manage names tab.

Quote
It should also give a listbox including only the keys that owns some id/ or d/ records.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on September 30, 2013, 08:18:43 AM

Quote
Well, you can go to the manage names tab and copy it from there before opening the sign dialog. I agree it would be nice to see the registered names displayed on the addressbook or be able to choose "sign message" directly from the manage names tab.

No I cannot. The key is not there.
There is only "Name", "Value" and "Expires" tabs, but not the key which owns the name. When namecoin makes NAME_FIRSTUPDATE transaction, it generates a new keypair (or uses previous generated) keys, *which you cannot access anywhere* from the client. As I said, the only way to find out what key was the owner of the identity was
1) check the name_firstupdate transaction id
2) browse the blockchain to find that transaction
3) copy the public address from the transaction output.
Use that copied key to sign the message (private key will be on your wallet).

The key must be somewhere in my wallet, but I cannot find or access it from the GUI. Neither is it anyway associated to the id which the key owns.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: phelix on September 30, 2013, 08:54:17 PM

Quote
Well, you can go to the manage names tab and copy it from there before opening the sign dialog. I agree it would be nice to see the registered names displayed on the addressbook or be able to choose "sign message" directly from the manage names tab.

Quote
No I cannot. The key is not there. There is only "Name", "Value" and "Expires" tabs, but not the key which owns the name. When namecoin makes NAME_FIRSTUPDATE transaction, it generates a new keypair (or uses previous generated) keys, *which you cannot access anywhere* from the client. As I said, the only way to find out what key was the owner of the identity was 1) check the name_firstupdate transaction id 2) browse the blockchain to find that transaction 3) copy the public address from the transaction output. Use that copied key to sign the message (private key will be on your wallet). The key must be somewhere in my wallet, but I cannot find or access it from the GUI. Neither is it anyway associated to the id which the key owns.
Title: Re: An idea; bitidentity, passwordless secure login
Post by: snailbrain on September 30, 2013, 09:58:55 PM

Quote
Well, you can go to the manage names tab and copy it from there before opening the sign dialog. I agree it would be nice to see the registered names displayed on the addressbook or be able to choose "sign message" directly from the manage names tab.

Quote
No I cannot. The key is not there. There is only "Name", "Value" and "Expires" tabs, but not the key which owns the name. When namecoin makes NAME_FIRSTUPDATE transaction, it generates a new keypair (or uses previous generated) keys, *which you cannot access anywhere* from the client. As I said, the only way to find out what key was the owner of the identity was 1) check the name_firstupdate transaction id 2) browse the blockchain to find that transaction 3) copy the public address from the transaction output. Use that copied key to sign the message (private key will be on your wallet). The key must be somewhere in my wallet, but I cannot find or access it from the GUI. Neither is it anyway associated to the id which the key owns.

old version like Phelix said.. in manage names there is an address field..
also you can use console window: name_show <name>
when you do name_update the key for the name will change.. not sure if that effects what you are doing (probably not)

Title: Re: An idea; bitidentity, passwordless secure login
Post by: favdesu on October 01, 2013, 11:34:05 AM

If you need connection to a blockchain (which you'll need I guess), make it possible via a lightweight client like multibit / electrum.
no one will ever use this if you have to download a full chain and keep it synched

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on October 02, 2013, 08:12:58 PM

Quote
old version like Phelix said.. in manage names there is an address field.. also you can use console window: name_show <name> when you do name_update the key for the name will change.. not sure if that effects what you are doing (probably not)

Well, I did according to these instructions: http://dot-bit.org/BuildNamecoinQTFromSource and true, it seems to compile version 0.3.64. How do I compile the latest version? checkout master does not seem to compile at all in linux?

Edit: Well, made git clone from another repository (https://github.com/namecoinq/namecoinq) and now I have 0.3.71 and also that missing addr tab. Thank you!

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on December 15, 2013, 10:57:59 AM

Quote
Got this idea from bitmessage; these bitmessage addresses could be used for passwordless anonymous login to any system. Or there could be another blockchain delivering bitidentity messages.. Use case, bulletin board: - user sends an identity request to the page's bitidentity address. For every bitidentity address, there will be a new private key. - one gets a sessionkey as a reply (maybe direct https - link) which one could use to login to the page and configure nickname etc. Very secure, no passwords, anonymous identity.

Well, here it is.

On 08.12.2013 00:24, Nite69 wrote:
> Hi all!
>
> First; I was really astonished when I read about SQRL from news; I
> have been working on very much similar QR code log in system for a
> couple of months.

This is getting quite much ready for tests and initial source code (it is still quite ugly, will clean it up when I get a version control) release.
The source code can be found from following links:

BitLogin CryptoID Android client v0.1.0 (binary package):
https://mega.co.nz/#!hwpRnKiB!Nly8jTVhPgNlyurw6Pk1Y2IT1olDLvUcOvYxjp5h8xI

Source code for BitLogin CryptoID Android client v0.1.0 (binary package):
https://mega.co.nz/#!loQ20JrR!NKBT5hUKh46uqgBXcaWmNh-20UZ3nKlit8udP0MZlv4

Server source code (Java):
https://mega.co.nz/#!l8hGRTJB!d6fNhiDuNK2LXb-31GZshTf6N7xUmrEgxKvy4e92CkE

You also need this (BitcoinECKey, all code extracted from bitcoin java sources):
https://mega.co.nz/#!0lp0Eb6R!NujAJiYXO8uA_OuPHTfHvRN7GA16dluOvodREih407A

Other libraries needed for compile:
- spongycastle crypto library
- zxinglib

This code is free to use (part of it might have some GPL licenses), either for improving SQRL or used as is.

I will try to get a sample server running today.

The principle (and differences) to SQRL are:
- server is identified by its cryptography keys, the actual URL can be anything (I think piratebay likes this). Good thing is that you can use the same userbase on any number of servers/services. Bad thing is that you *must not* lose the master key.
- master key is used to sign microcertificates (uCert). The sample server creates a new uCert every 10 minutes.
- server offers a sessionid (server is free to generate timestamped and/or SSLID etc sessionkey) for the client, client identifies the user by signing the sessionkey with identity's secret key. Server finds the public key from the signature and logs the user in.
- Client generates a new keypair for every server/username combination.
- Messages are very simple:

Login QR code:
bitid:192.168.7.15:8080/CryptoIDDemo/cid?id=l~B32CB9DE862FAC3D98A04621D605DA45~1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj

Where l=login, B32CB9DE862FAC3D98A04621D605DA45=sessionid, 1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj = server public key (format is standard bitcoin address)

Reply:
192.168.7.15:8080/CryptoIDDemo/cid?id=l~B32CB9DE862FAC3D98A04621D605DA45&signature=IAiEp1YaQgKOYDyXFTiFCvp-iasTZszt2GFmDK6eQiSeRYpD-pwq3ZSj7s8x5xLP51qnOpf_mRIw-cgY6p8xOWs.

Server finds the identity's public key from the signature and logs the user in.

Registering QR code:
bitid:192.168.7.15:8080/CryptoIDDemo/cid?id=c~873FEAA9328A766120BD861AF87D07C8~testuser~1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj

Response:
192.168.7.15:8080/CryptoIDDemo/cid?id=c~873FEAA9328A766120BD861AF87D07C8~testuser&signature=ILDIgZibEr9Onqm_q7yPNC0wgaBRTpFl8d_mDww_maOrOqELTUfCCyLovpj_uyqaDlVnJU0qZ4cTxxv8-hwaxgY.

When replying, server identifies itself with uCert (would make the qr code very big, so it is sent back with http response):
{"message":{"20131215124151+0200~testuser~B32CB9DE862FAC3D98A04621D605DA45"},"signature":"H_lbcQSWrvkBhH09PII4pQmTKaIGHCn3HmzxkJZp8UerfLOLBFLCAaU6GD8U6tMzVPjRoAakNQlekLpKDeVltFE."},{"uCert":{"key":"1HWHJaisNUnm33EXtKJ5CM7KUrq9pDfEt9","expires":"20131215125151+0200"},"signature":"H0gdU_8FYaGNpCZncwcfws2XvL6PKe8AskJFeCia7-OTFliAAVi5eIkMIr2QUAqgM80XBSYzJVDQRZ1AcN2v-Kg."}
Logged in : testuser:14Gv4XffXoUnQ3sb4eNTgGu4fgjtTidqCu

From the message signature, client finds the server online public key, 1HWHJaisNUnm33EXtKJ5CM7KUrq9pDfEt9, which is certified in the uCert with the server's master key (which matches the QR code server key).

best regards,
Nite69

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Voodah on December 15, 2013, 08:38:36 PM

How is different from what NameId is supposed to be?
(not sarcastic, just want to know)

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on December 16, 2013, 02:30:33 PM

Quote
How is different from what NameId is supposed to be? (not sarcastic, just want to know)

Use case 1: login to fusebook:
1) go to fusebook.com
2) Read the 2D QR code with your android application

Use case 2: register to embarrasingchatpage.com:
1) go to embarrasingchatpage.com
2) Click register, enter wanted username "Santaclaus"
3) Read the QR code with your android application

With this, instead of *typing* your username and password (if you remember it..) you do one thing: read a barcode. You never need to enter a password, you only need to enter your username once, that's when you register in. Server only need to have a public key connected to the username. Of course, it could also have email addresses etc., if the site likes to ask those..

Which do you lose more often: a password or your smartphone? Would it be in the news, if adobe had lost 160 million *public keys* instead of 160 million passwords?

Try it on https://cave.dy.fi or http://cave.dy.fi

But about the question: difference is that in NameId, the identity is a kind of 'worldwide', if someone registers a name, it is reserved worldwide. With bitid, the identity is reserved for that site only (well, the company behind the service could use the same userbase for other services also). Search for SQRL, it is doing a similar work. This is quite much the same, but just done with bitcoin cryptography.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: altoz on December 17, 2013, 04:11:52 PM

Hey there. I just came across this and I'd like to get your thoughts on using this with bitcoin addresses instead of bit-message addresses.
I finished a system for encrypting/decrypting using bitcoin addresses: https://bitcointalk.org/index.php?topic=374085.0

It seems to me that we could do the exact same thing you're doing with the bitcoin blockchain. I was planning to build something very similar (challenge-response login mechanism using QR codes on a phone), but I conveniently found this. Let me know if you're interested in collaborating.

Title: Re: An idea; bitidentity, passwordless secure login
Post by: Nite69 on December 25, 2013, 12:53:22 PM
Sources on github:
https://github.com/Nite69/BitLogin
https://github.com/Nite69/BitcoinECKey
https://github.com/Nite69/CryptoIDDemo

Merry Christmas!
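
The message layout from the December 15 post (login and registration QR payloads, the reply URL, the uCert expiry), worked through as an added Python example; it is not part of the thread or of the BitLogin sources. The validation patterns, the function names and the reading of the trailing "." as base64 padding are assumptions drawn from the sample values, and recovering the public keys from the signatures is not shown.

```python
import base64, re
from datetime import datetime
from urllib.parse import quote

# Shapes inferred from the sample messages in the post (assumptions, not a spec).
SESSION_RE = re.compile(r"[0-9A-F]{32}")
ADDRESS_RE = re.compile(r"[1-9A-HJ-NP-Za-km-z]{26,35}")  # Base58 shape only, no checksum
USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")            # assumed username policy
TS_FORMAT = "%Y%m%d%H%M%S%z"                              # e.g. 20131215124151+0200

def parse_challenge(qr_text):
    """Split a bitid: QR payload into endpoint, op, session id, username, server key."""
    if not qr_text.startswith("bitid:"):
        raise ValueError("not a bitid URI")
    endpoint, sep, ident = qr_text[len("bitid:"):].partition("?id=")
    f = ident.split("~")
    if not sep or f[0] not in ("l", "c") or len(f) != {"l": 3, "c": 4}[f[0]]:
        raise ValueError("malformed id field")
    user = f[2] if f[0] == "c" else None
    if not SESSION_RE.fullmatch(f[1]) or not ADDRESS_RE.fullmatch(f[-1]):
        raise ValueError("bad session id or server key")
    if user is not None and not USER_RE.fullmatch(user):
        raise ValueError("bad username")
    return {"endpoint": endpoint, "op": f[0], "session": f[1],
            "user": user, "server_key": f[-1]}

def decode_signature(sig):
    """Decode the URL-safe base64 form used in the samples ('.' replaces '=')."""
    raw = base64.urlsafe_b64decode(sig.replace(".", "="))
    if len(raw) != 65 or not 27 <= raw[0] <= 34:
        raise ValueError("not a 65-byte compact signature")
    return raw

def reply_url(ch, signature):
    """Client reply: the challenge id without the server key, plus the signature."""
    decode_signature(signature)  # refuse to send a malformed signature
    ident = "~".join(p for p in (ch["op"], ch["session"], ch["user"]) if p)
    return f"{ch['endpoint']}?id={ident}&signature={quote(signature, safe='')}"

def check_server_reply(ch, message, ucert, now):
    """Client-side field checks on the server's answer; returns uCert seconds left."""
    stamp, _user, session = message.split("~")
    datetime.strptime(stamp, TS_FORMAT)  # raises ValueError on a malformed timestamp
    if session != ch["session"]:
        raise ValueError("reply is for a different session")
    left = (datetime.strptime(ucert["expires"], TS_FORMAT) - now).total_seconds()
    if left <= 0:
        raise ValueError("uCert has expired")
    return left
```

With the sample values from the post, the uCert has 600 seconds left at the message timestamp, which matches the sample server issuing a new uCert every 10 minutes.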