Bitcoin Forum
Topic: Signed messages login. Your opinion guys.
lophie
April 09, 2013, 03:23:43 AM
 #1

I am working on a small VPN service that accepts Bitcoin (Almost done. Wish me luck guys). Anyway, I just had an idea that will minimize the amount of information I would be requiring, like emails, and it just got me interested, so I thought I would ask you guys about your opinion.

The idea is the following:

          - Customer selects a VPN subscription
          - Customer pays with Bitcoin
          - Record added in the database of a Bitcoin address paying for subscription
            (As soon as the tx has a certain amount of confirmations the account is automatically activated)


Now the login to the service using the client:

          - The client asks for a server address from the main server
          - The server replies with a vpn server address and a random string (periodically changing one)
          - The client logs in with the Bitcoin address as the username, and the password is the signature of a signed message with the random string as the message body.


Do you think this is a sound idea?

Will take me a while to climb up again, But where is a will, there is a way...
kjj
April 09, 2013, 03:33:44 AM
 #2

There is no From: address in bitcoin.  Never has been, never will be.  Have them get an address from their wallet, submit it on the order form.  In your database, attach their chosen address to a payment address that you create.  Once the payment comes in, ignore where it came from.

After that, the challenge/response using bitcoin signatures scheme on a random cookie is very secure.  You just need to get the signing address out of band.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
CIYAM
Ian Knowles - CIYAM Lead Developer
April 09, 2013, 03:37:02 AM
 #3

I think it's a great idea but *how* is the message signing exactly going to take place (i.e. are you expecting that they have bitcoind running in order to use your VPN)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
lophie
April 09, 2013, 03:43:00 AM
 #4

@kjj
I am confused a bit. Isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

@
No need for a "full node" Electrum can do signing just fine.

CIYAM
April 09, 2013, 03:47:17 AM
 #5

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

Zeilap
April 09, 2013, 03:50:13 AM
 #6

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

http://brainwallet.org/#sign

1GLeSqooAPe8PfWbJecnL3AteDac2B3cqj
CIYAM
April 09, 2013, 03:54:47 AM
 #7


I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?

DannyHamilton
April 09, 2013, 03:54:54 AM
 #8

- snip -
isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.

What happens when the previous output requires multi-sig?

EDIT: As of 2013-04-17 BitFloor has ceased all operations.

Zeilap
April 09, 2013, 03:59:40 AM
 #9


I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?


Save a local copy?

lophie
April 09, 2013, 04:04:17 AM
 #10

- snip -
isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.

What happens when the previous output requires multi-sig?

All valid problems which a warning could solve. Besides, most if not all services warn users against paying Bitcoins using a withdrawal request.

lophie
April 09, 2013, 04:06:28 AM
 #11

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).



Ah yes, of course! And it also means each user connected to my servers has got a hot wallet on their machines. Definitely a problem....

gweedo
April 09, 2013, 04:06:55 AM
 #12

If you want to use a signed message login, just use GPG keys.

lophie
April 09, 2013, 04:08:53 AM
 #13

Thank you guys for showing me the errors of my way.

lophie
April 09, 2013, 04:09:48 AM
 #14

If you want to use a signed message login, just use GPG keys.

But the idea is to exchange "less" information -_-!

gweedo
April 09, 2013, 04:12:18 AM
 #15

If you want to use a signed message login, just use GPG keys.

But the idea is to exchange "less" information -_-!

But if you're exchanging GPG keys then it is encrypted and you can in turn send more information just for you and the customer.

kjj
April 09, 2013, 12:46:35 PM
 #16

@kjj
I am confused a bit. Isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

There still is no concept of a from: address in the bitcoin system.  People show up here nearly every day hoping to pretend that there is, but there isn't.  A quick search should reveal dozens, if not hundreds, of threads on that subject.

What is so hard about asking the user for an address that they know that they can use for signing?  Surely you already have to collect some information from the user, what is wrong with also collecting a bit of text at the same time?

CIYAM
April 09, 2013, 12:53:28 PM
 #17

Although gweedo and myself do not agree on the simplicity of GPG (I think it is just too much for an average user) I do think that it is a more suitable tool than Bitcoin is for this particular job (as I think trying to use Bitcoin to accomplish this would actually end up being even harder).

The use of ECDSA for logging in is an interesting idea (i.e. I like it) but I don't think that it will take off via Bitcoin as being the software to do it (i.e. it wasn't *designed* for this purpose at all and in fact the ability to sign messages was really an afterthought).
