Bitcoin Forum
November 11, 2024, 08:33:58 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Signed messages login. Your opiion guys.  (Read 852 times)
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 03:23:43 AM
 #1

I am working on a small VPN service that accept Bitcoin (Almost done. Wish me luck guys). Anyway I just had an idea that will minimize the amount of information I would be requiring like emails and it is just got me interested so I though I would ask you guys about your opinion.

The idea is the following:

          - Customer selects a VPN subscription
          - Customer pays with Bitcoin
          - Record added in the database of a Bitcoin address paying for subscription
            (As soon as the tx has a certain amount of confirmations the account is automatically activated)


Now the login to the service using the client:

          - The client asks for a server address from the main server
          - The server replies with a vpn server address and a random string (periodically changing one)
          - The client login with the Bitcoin addresss as the username and the password is the signature of a signed message with the random string as the message body.


Do you think this is a sound idea?

Will take me a while to climb up again, But where is a will, there is a way...
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
April 09, 2013, 03:33:44 AM
 #2

There is no From: address in bitcoin.  Never has been, never will be.  Have them get an address from their wallet, submit it on the order form.  In your database, attach their chosen address to a payment address that you create.  Once the payment comes in, ignore where it came from.

After that, the challenge/response using bitcoin signatures scheme on a random cookie is very secure.  You just need to get the signing address out of band.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
April 09, 2013, 03:37:02 AM
 #3

I think it's a great idea but *how* is the message signing exactly going to take place (i.e. are you expecting that they have bitcoind running in order to use your VPN)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 03:43:00 AM
 #4

@kjj
I am confused a bit  Huh. isn't the input for a tx is to be considered as the "from"? for multiple inputs to the same address and tx I could just save the first one in a record.

@
No need for a "full node" Electrum can do signing just fine.

Will take me a while to climb up again, But where is a will, there is a way...
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
April 09, 2013, 03:47:17 AM
 #5

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Zeilap
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
April 09, 2013, 03:50:13 AM
 #6

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

http://brainwallet.org/#sign
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
April 09, 2013, 03:54:47 AM
 #7


I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
DannyHamilton
Legendary
*
Offline Offline

Activity: 3486
Merit: 4832



View Profile
April 09, 2013, 03:54:54 AM
Last edit: April 17, 2013, 11:20:47 PM by DannyHamilton
 #8

- snip -
isn't the input for a tx is to be considered as the "from"? for multiple inputs to the same address and tx I could just save the first one in a record.

Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.

What happens when the previous output requires multi-sig?

EDIT: As of 2013-04-17 BitFloor has ceased all operations.
Zeilap
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
April 09, 2013, 03:59:40 AM
 #9


I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?


Save a local copy?
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 04:04:17 AM
 #10

- snip -
isn't the input for a tx is to be considered as the "from"? for multiple inputs to the same address and tx I could just save the first one in a record.

Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.

What happens when the previous output requires multi-sig?

All valid problems which a warning could solve. Besides most id not all services warn the users from paying Bitcoins using a withdrawal request.

Will take me a while to climb up again, But where is a will, there is a way...
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 04:06:28 AM
 #11

No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).



ah yes of course! and it also means each user connected to my servers got a hot wallet on their machines. definitely a problem....

Will take me a while to climb up again, But where is a will, there is a way...
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 04:08:53 AM
 #12

Thank you guys for showing me the errors of my way  Cheesy

Will take me a while to climb up again, But where is a will, there is a way...
lophie (OP)
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001

Unlimited Free Crypto


View Profile
April 09, 2013, 04:09:48 AM
 #13

If you want to use a signed message login, just use GPG keys.

But the idea to to exchange "less" information -_-!

Will take me a while to climb up again, But where is a will, there is a way...
gweedo
Legendary
*
Offline Offline

Activity: 1498
Merit: 1000


View Profile
April 09, 2013, 04:12:18 AM
 #14

If you want to use a signed message login, just use GPG keys.

But the idea to to exchange "less" information -_-!

But if your exchanging GPG keys then it is encrypted and you can in turn send more information just for you and the costumer.
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
April 09, 2013, 12:46:35 PM
 #15

@kjj
I am confused a bit  Huh. isn't the input for a tx is to be considered as the "from"? for multiple inputs to the same address and tx I could just save the first one in a record.

There still is no concept of a from: address in the bitcoin system.  People show up here nearly every day hoping to pretend that there is, but there isn't.  A quick search should reveal dozens, if not hundreds, of threads on that subject.

What is so hard about asking the user for an address that they know that they can use for signing?  Surely you already have to collect some information from the user, what is wrong with also collecting a bit of text at the same time?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
April 09, 2013, 12:53:28 PM
 #16

Although gweedo and myself do not agree on the simplicity of GPG (I think it is just too much for an average user) I do think that it is a more suitable tool than Bitcoin is for this particular job (as I think trying to use Bitcoin to accomplish this would actually end up being even harder).

The use of ECDSA for logging in is interesting idea (i.e. I like it) but I don't think that it will take off via Bitcoin as being the software to do it (i.e. it wasn't *designed* for this purpose at all and in fact the ability to sign messages was really an afterthought).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!