Replacing Sign in with Facebook using a digital signature solution

in #bitnation, 9 years ago

Full title describing purpose:
Avoiding insecure password transmission by using a local signature solution to digitally sign a random one-time challenge.
(A signature solution for authentication using the Bitnation ID key pair)

Problem statement:
Sending passwords over internet connections is not without security risks. Most sites today use HTTPS to protect the user from man-in-the-middle attacks and hostile access nodes.
Those security measures are a good start, but most of the time the user still enters a password to authenticate with the server and/or site. Sending passwords should be avoided as far as possible, and that is the problem we address.
By using a local signature solution to digitally sign a random one-time challenge from the server, the user can prove to the server/site that they are in possession of the “password”, that is, the secret key, without ever transmitting it.

How to use the Bitnation ID keys for secure authentication.

Define BID keys:
Bitnation ID contains an asymmetric key pair that can be used with the Bitnation Public Notary. By pasting their keys and entering their password, users digitally sign a document.

Solution:
Here we demonstrate how to use the key pair to authenticate by sending a unique signature to the server. This signature can only be verified with the public key matching the secret key that was used to create it. By using the public key much as a username, a server (or another client) can confirm that the person requesting access possesses the matching secret key. The concept described is a manual process, but it can also be automated to create a “social sign in button”. A more direct use is in-app digital signing of arbitrary data, document hashes or short texts.

Technical approach:
The keys are elliptic-curve keys generated with JavaScript functions on the ed25519 curve.
The signature process is ECDSA.

Step description:

Step 1: The user selects the ID key pair to use for authenticating or signing.
Step 2: The client supplies the public key in the background. The server treats the public key as the user's identity.
Step 3: The server presents a random 4-digit numeric code to the user.
Step 4: The user enters the number shown on screen. The client stores it for the next step.
Step 5: User enters the password to decrypt the private key.
Step 6: The client sends the signature to the server, which validates it with the public key.
Step 7: Server accepts client. The end.