SIP - Recovery Authority

in #steemit · 8 years ago

The purpose of this change is to enable enhanced security on all blockchain accounts and to eliminate the potential for instantaneous and permanent compromise of most accounts.

Background

All Steem accounts currently have three authority levels: owner, active, and posting. These authorities are each capable of hierarchical, threshold multisig. The owner authority is designed to be kept in cold-storage by the account holder and to be used to reset active and/or posting authorities in the event the account is compromised.

The Problem

In the event an owner key is compromised there is no recourse. Furthermore, most users are unable or unwilling to properly secure their owner keys. After a compromise, two or more people have access to the owner key, so the blockchain has no easy way to decide which of them is the real owner.

The Solution

We are going to add a Recovery Account authority to every blockchain account. The default Recovery authority will be the account which created a new account (funding it with Steem Power). For most users this will be the website operator who registered the account. Mined accounts will have any active (top 19) witness as the recovery account authority until they change it.

Limits of Recovery Authority

The recovery authority has no ability to access the funds nor unilaterally change the owner key. This means that this change is fully opt-in. If the account creator or a witness didn’t have access to your account before, they will not have access to your account under this proposal unless they also have access to an owner key used by the account in the past 30 days. For the purposes of this discussion “key” is synonymous with “multisig authority”.

Selling Accounts

Selling accounts by updating the owner authority will no longer be sufficient to transfer control. This is because the action is indistinguishable from a hack. To complete an account transfer the new owner must be confident that the recovery authority will respect the transfer. This means either notifying the recovery authority or requesting that the recovery authority be changed to one you trust. The owner key can be used to request a change in the recovery authority. The change will take effect after 30 days unless it is canceled. Once the recovery authority has been changed the new owner will have taken possession of the account in an irreversible manner.

Side Effects

The side effect of this change is to make buying and selling Steem Power by transferring accounts much slower and much more complex.

The Implementation

This change will be implemented with three new blockchain operations.

struct request_recovery_operation {
    string    recovery_account;        // requires signature of the recovery account's active authority
    string    account_to_recover;
    authority new_owner_authority;
};

struct recover_account {
    string    account_to_recover;
    authority new_owner_authority;     // required signatures
    authority recent_owner_authority;  // an owner authority used within the past 30 days; required signatures
};

struct change_recovery_operation {
    string account_to_recover;         // requires owner authority
    string new_recovery_account;
    bool   allow_password_reset_on_recovery_expiration = false;  // for future consideration
};

Explanation

The recovery method relies on the ability of a recovery account to be able to verify the identity of an account holder. When wanting to recover an account the account holder shares a public key with the recovery account as a future sign of their identity. The recovery account creates the request when they are certain the account holder is who they say they are. In order to confirm the request and recover the account, the account holder must satisfy both a recently used owner authority and the new authority shared with the recovery account within 24 hours of the creation of the request. This proves possession of the account in the past and their current identity to the blockchain before recovering the account. Because the owner authority secret on the recovered account is never known by the recovery account, the recovery account can never change the owner authority of a liable account without permission of the account holder and therefore never has access to their owner, posting, or active keys, funds, and reputation on Steem.

Any account can be listed as a recovery account which allows for a multitude of recovery schemes such as Steemit.com supported recovery, private recovery, and multisig consortium recovery. Setting a recovery account to another account you own, or the null account, effectively opts out of recovery altogether.
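The following is an added example, not Steem's own code and not part of this proposal: a small Python model of the three operations and the timing rules described in this section and under "Selling Accounts". It assumes, for simplicity, that an authority is a single key name rather than a threshold multisig, that a signature is represented by the signer's key name appearing in the `signed_by` set, and that time is an hour counter advanced by the caller; all account and key names are constructed. The scenario in `run_scenario` shows that the recovery account can open a request but cannot complete it on its own, that the holder completes it with a key held in the past 30 days plus the newly shared key, that a request expires after 24 hours, and that a change of recovery account only takes effect after 30 days.

```python
"""Toy model of the recovery flow described above (added example, not Steem's own code). Assumed
simplifications: an authority is one key name, a signature is that name in `signed_by`, time is hours."""
from dataclasses import dataclass, field

RECENT_OWNER_WINDOW_H = 30 * 24    # an owner authority used in the past 30 days still counts
RECOVERY_REQUEST_TTL_H = 24        # the holder must complete recovery within 24 hours
RECOVERY_CHANGE_DELAY_H = 30 * 24  # a new recovery account takes effect after 30 days


def _require(cond, msg):
    if not cond:
        raise PermissionError(msg)


@dataclass
class Account:
    owner: str
    active: str
    recovery_account: str                               # defaults to the creating account
    owner_history: dict = field(default_factory=dict)   # replaced owner key -> hour it was replaced
    pending_request: tuple = None                       # (new_owner, hour requested)
    pending_recovery_change: tuple = None               # (new_recovery_account, hour effective)


class Chain:
    def __init__(self):
        self.now, self.accounts = 0, {}

    def _set_owner(self, acct, new_owner):
        acct.owner_history[acct.owner] = self.now   # the replaced key stays usable for 30 days
        acct.owner = new_owner

    def update_owner(self, name, new_owner, signed_by):
        _require(self.accounts[name].owner in signed_by, "owner update needs the current owner authority")
        self._set_owner(self.accounts[name], new_owner)

    def request_recovery(self, recovery_account, account_to_recover, new_owner, signed_by):
        acct = self.accounts[account_to_recover]
        _require(acct.recovery_account == recovery_account, "only the listed recovery account may request")
        _require(self.accounts[recovery_account].active in signed_by,
                 "request needs the recovery account's active authority")
        acct.pending_request = (new_owner, self.now)

    def recover_account(self, account_to_recover, new_owner, recent_owner, signed_by):
        acct = self.accounts[account_to_recover]
        req = acct.pending_request
        _require(req is not None and req[0] == new_owner, "no matching recovery request")
        _require(self.now - req[1] <= RECOVERY_REQUEST_TTL_H, "recovery request expired")
        replaced = acct.owner_history.get(recent_owner)
        _require(recent_owner == acct.owner or
                 (replaced is not None and self.now - replaced <= RECENT_OWNER_WINDOW_H),
                 "recent_owner was not an owner authority in the past 30 days")
        _require(recent_owner in signed_by and new_owner in signed_by,
                 "both the recent and the new owner authority must sign")
        self._set_owner(acct, new_owner)
        acct.pending_request = None

    def change_recovery_account(self, name, new_recovery, signed_by):
        acct = self.accounts[name]
        _require(acct.owner in signed_by, "changing the recovery account needs the owner authority")
        acct.pending_recovery_change = (new_recovery, self.now + RECOVERY_CHANGE_DELAY_H)

    def advance(self, hours):
        self.now += hours
        for acct in self.accounts.values():   # apply recovery-account changes whose 30 days have passed
            change = acct.pending_recovery_change
            if change is not None and self.now >= change[1]:
                acct.recovery_account, acct.pending_recovery_change = change[0], None


def _attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except PermissionError as err:
        return str(err)


def run_scenario():
    chain, out = Chain(), {}   # constructed accounts and keys; returns observations a test can check
    chain.accounts["steemit"] = Account("steemit_owner", "steemit_active", recovery_account="steemit")
    chain.accounts["alice"] = Account("alice_k1", "alice_active", recovery_account="steemit")
    chain.advance(10)
    chain.update_owner("alice", "thief_k", {"alice_k1"})   # a leaked owner key is used to rotate the owner
    out["owner_after_hack"] = chain.accounts["alice"].owner
    chain.advance(10)   # alice proves her identity to steemit off-chain and shares the public key alice_k2
    chain.request_recovery("steemit", "alice", "alice_k2", {"steemit_active"})
    out["recovery_account_alone"] = _attempt(chain.recover_account, "alice", "alice_k2", "alice_k1", {"steemit_active"})
    # alice signs with the key she held 20 hours ago plus the new one; the thief's key is not needed
    chain.recover_account("alice", "alice_k2", "alice_k1", {"alice_k1", "alice_k2"})
    out["owner_after_recovery"] = chain.accounts["alice"].owner
    chain.request_recovery("steemit", "alice", "alice_k3", {"steemit_active"})
    chain.advance(25)   # past the 24-hour completion window
    out["late_recovery"] = _attempt(chain.recover_account, "alice", "alice_k3", "alice_k2", {"alice_k2", "alice_k3"})
    chain.change_recovery_account("alice", "bob", {"alice_k2"})   # takes effect after 30 days
    chain.advance(RECOVERY_CHANGE_DELAY_H - 1)
    out["recovery_before_delay"] = chain.accounts["alice"].recovery_account
    chain.advance(1)
    out["recovery_after_delay"] = chain.accounts["alice"].recovery_account
    return out
```

Running `run_scenario()` walks the whole flow. The check that matters for the "Limits of Recovery Authority" section is the `recovery_account_alone` step: the recovery account's own active signature is not enough to finish the recovery, so it can never move an account without a key the holder used within the past 30 days plus the key the holder shared with it.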

Retroactive Change

Because this change does not reduce the security of existing accounts it can be applied retroactively. Those who do not wish to use this feature can simply ignore it and their account will be secure.

Impact on Sold Accounts

We know that all accounts can trace their parentage to accounts that were mined. This means that the ultimate source of all account recovery and dispute resolution will become the elected witnesses. There are two cases to consider:

- transfer of a mined account
- transfer of a created account

Transfer of a Mined Account

The transfer of a mined account will retain witness recovery and have the same security profile as all mined accounts.

Transfer of a Created Account

If you purchased an account that was not mined, then the account creator will have the ability to recall the account and reverse any transfer made if it was done after July 14th. Any account transfers after July 14th should not be considered ‘final’ until 30 days have passed, unless you trust the Recovery Authority.

Conclusion

With this change we believe we have created a system that is far more secure and usable than any that have gone before. It can significantly increase security without adding any extra levels of trust that did not exist before.