Bitcoin Forum
Topic: Signed messages login. Your opinion guys.
lophie
Hero Member
April 09, 2013, 03:23:43 AM
 #1

I am working on a small VPN service that accepts Bitcoin (almost done, wish me luck guys). Anyway, I just had an idea that will minimize the amount of information I would be requiring, like emails, and it just got me interested, so I thought I would ask you guys about your opinion.

The idea is the following:

          - Customer selects a VPN subscription
          - Customer pays with Bitcoin
          - Record added in the database of a Bitcoin address paying for subscription
            (As soon as the tx has a certain amount of confirmations the account is automatically activated)


Now the login to the service using the client:

          - The client asks for a server address from the main server
          - The server replies with a VPN server address and a random string (periodically changing one)
          - The client logs in with the Bitcoin address as the username, and the password is the signature of a signed message with the random string as the message body.


Do you think this is a sound idea?

kjj
Legendary
April 09, 2013, 03:33:44 AM
 #2

There is no From: address in bitcoin.  Never has been, never will be.  Have them get an address from their wallet, submit it on the order form.  In your database, attach their chosen address to a payment address that you create.  Once the payment comes in, ignore where it came from.

After that, the challenge/response using bitcoin signatures scheme on a random cookie is very secure.  You just need to get the signing address out of band.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
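
The challenge/response flow from the first two posts, as an added example that is not part of the thread: the signing address is the one typed into the order form, and each challenge is random, single-use and short-lived. `ChallengeLogin`, the `vpn-login:` prefix and the `verify_signature` hook (a wrapper around whatever secp256k1 library the server uses) are assumptions; the digest is the standard Bitcoin signed-message format.

```python
import hashlib
import secrets
import time

MAGIC = b"\x18Bitcoin Signed Message:\n"  # prefix wallets hash in front of the text

def signed_message_digest(message: str) -> bytes:
    """Double SHA-256 that a wallet's 'sign message' function actually signs."""
    body = message.encode()
    if len(body) >= 253:  # stay within the one-byte length prefix
        raise ValueError("challenge too long")
    payload = MAGIC + bytes([len(body)]) + body
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()

class ChallengeLogin:
    def __init__(self, verify_signature, ttl=120, clock=time.time):
        # Assumed hook: verify_signature(address, digest, signature) -> bool,
        # implemented with a real secp256k1 library on the server.
        self.verify_signature = verify_signature
        self.ttl = ttl
        self.clock = clock
        self.registered = set()  # addresses collected on the order form
        self.pending = {}        # address -> (challenge, expiry time)

    def register(self, address):
        self.registered.add(address)

    def issue(self, address):
        """Return a fresh challenge for a known address, else None."""
        if address not in self.registered:
            return None
        challenge = "vpn-login:" + secrets.token_hex(16)
        self.pending[address] = (challenge, self.clock() + self.ttl)
        return challenge

    def login(self, address, signature):
        """Accept one valid signature per challenge, within the time limit."""
        entry = self.pending.pop(address, None)  # consumed even if the check fails
        if entry is None:
            return False
        challenge, expiry = entry
        if self.clock() > expiry:
            return False
        digest = signed_message_digest(challenge)
        return bool(self.verify_signature(address, digest, signature))
```

Because the challenge is removed on the first login attempt, a captured signature cannot be replayed, and the payment's inputs never enter the check.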
CIYAM
Legendary
April 09, 2013, 03:37:02 AM
 #3

I think it's a great idea but *how* is the message signing exactly going to take place (i.e. are you expecting that they have bitcoind running in order to use your VPN)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
lophie
Hero Member
April 09, 2013, 03:43:00 AM
 #4

@kjj
I am confused a bit. Isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

@
No need for a "full node" Electrum can do signing just fine.

CIYAM
Legendary
April 09, 2013, 03:47:17 AM
 #5

Quote from lophie:
> No need for a "full node" Electrum can do signing just fine.

Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

Zeilap
Full Member
April 09, 2013, 03:50:13 AM
 #6

Quote from CIYAM:
> Quote from lophie:
> > No need for a "full node" Electrum can do signing just fine.
>
> Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).

http://brainwallet.org/#sign

1GLeSqooAPe8PfWbJecnL3AteDac2B3cqj
CIYAM
Legendary
April 09, 2013, 03:54:47 AM
 #7


I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?

DannyHamilton
Legendary
April 09, 2013, 03:54:54 AM
 #8

Quote from lophie:
> - snip -
> isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.

What happens when the previous output requires multi-sig?

EDIT: As of 2013-04-17 BitFloor has ceased all operations.

Zeilap
Full Member
April 09, 2013, 03:59:40 AM
 #9


Quote from CIYAM:
> I am familiar with brainwallet but how is that going to be useful/practical for "signing in" to a VPN?


Save a local copy?

lophie
Hero Member
April 09, 2013, 04:04:17 AM
 #10

Quote from DannyHamilton:
> Quote from lophie:
> > - snip -
> > isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.
>
> Not if I send the bitcoins from my mtGox wallet.  Or from one of the "change" addresses in my Bitcoin-Qt wallet (in which case the client doesn't provide a way to sign messages). Or if I used a mixing service or blockchain.info's shared-send service.  Or if I sent the bitcoins from my BitFloor wallet. Or my Coinbase wallet.
>
> What happens when the previous output requires multi-sig?

All valid problems which a warning could solve. Besides, most if not all services warn the users from paying Bitcoins using a withdrawal request.

lophie
Hero Member
April 09, 2013, 04:06:28 AM
 #11

Quote from CIYAM:
> Quote from lophie:
> > No need for a "full node" Electrum can do signing just fine.
>
> Hmm... so as I don't *have* Electrum it would be that either I have to start using it *or* run bitcoind in order to use your VPN... I would find that to be a little limiting (especially if I was using a laptop on holidays for example).



Ah yes, of course! And it also means each user connected to my servers got a hot wallet on their machines. Definitely a problem....

gweedo
Legendary
April 09, 2013, 04:06:55 AM
 #12

If you want to use a signed message login, just use GPG keys.

lophie
Hero Member
April 09, 2013, 04:08:53 AM
 #13

Thank you guys for showing me the errors of my way.

lophie
Hero Member
April 09, 2013, 04:09:48 AM
 #14

Quote from gweedo:
> If you want to use a signed message login, just use GPG keys.

But the idea is to exchange "less" information -_-!

gweedo
Legendary
April 09, 2013, 04:12:18 AM
 #15

Quote from lophie:
> Quote from gweedo:
> > If you want to use a signed message login, just use GPG keys.
>
> But the idea is to exchange "less" information -_-!

But if you're exchanging GPG keys then it is encrypted and you can in turn send more information just for you and the customer.

kjj
Legendary
April 09, 2013, 12:46:35 PM
 #16

Quote from lophie:
> @kjj
> I am confused a bit. Isn't the input for a tx to be considered as the "from"? For multiple inputs to the same address and tx I could just save the first one in a record.

There still is no concept of a from: address in the bitcoin system.  People show up here nearly every day hoping to pretend that there is, but there isn't.  A quick search should reveal dozens, if not hundreds, of threads on that subject.

What is so hard about asking the user for an address that they know that they can use for signing?  Surely you already have to collect some information from the user, what is wrong with also collecting a bit of text at the same time?

CIYAM
Legendary
April 09, 2013, 12:53:28 PM
 #17

Although gweedo and myself do not agree on the simplicity of GPG (I think it is just too much for an average user) I do think that it is a more suitable tool than Bitcoin is for this particular job (as I think trying to use Bitcoin to accomplish this would actually end up being even harder).

The use of ECDSA for logging in is an interesting idea (i.e. I like it) but I don't think that it will take off via Bitcoin as being the software to do it (i.e. it wasn't *designed* for this purpose at all and in fact the ability to sign messages was really an afterthought).
