Idea: passwordless secure login

Nite69
Posts: 3
Joined: Sat Nov 02, 2013 2:02 pm

Idea: passwordless secure login

Post by Nite69 »

Hi! We are all very frustrated at being forced to generate a new nickname and password for every site on the internet. Here is a white paper on an idea for passwordless site login:
https://mega.co.nz/#!QxwEyAyB!FkX6R0uoE ... pRgSxpXvYc

To make it simple: when you want to log in to a site, you just 1) go to the site on any internet terminal, 2) read the 2D barcode, 3) you are in. Securely.

What do you think? This could be implemented coexisting with the NameID login implementation.

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: Idea: passwordless secure login

Post by domob »

As discussed already on email a bit, I think this is a very interesting idea. In particular, I can very well imagine combining ideas there with NameID to build an even better and more flexible identity and login system.
  • Work out a real protocol for login signatures, since NameID currently just uses its own "home grown" and proof-of-concept protocol.
  • Allow both global, human-readable names (nicknames) which bind to a public key in the Namecoin blockchain, just like id/ names do, as well as throw-away names which are like Namecoin addresses themselves (i. e., a more-or-less direct representation of the public key, without needing a name-value database at all).
  • Login possible with a variety of different methods, one being a browser extension as I have it with NameID for now, and another one the bar-code scanning idea.
  • Extend the NameID server so that it provides an OpenID for all of those, as well as code third-party sites can integrate directly.

Nite69
Posts: 3
Joined: Sat Nov 02, 2013 2:02 pm

Re: Idea: passwordless secure login

Post by Nite69 »

You can test it here:

http://cave.dy.fi
or
https://cave.dy.fi
Ok, here it is:
On 08.12.2013 00:24, Nite69 wrote:
> Hi all!
>
> First; I was really astonished when I read about SQRL from news; I
> have been working on very much similar QR code log in system for a
> couple of months.

This is getting quite ready for tests and an initial source code release (it
is still quite ugly; I will clean it up when I get version control). The
source code can be found at the following links:

BitLogin CryptoID Android client v0.1.0 (binary package):
https://mega.co.nz/#!hwpRnKiB!Nly8jTVhP ... vYxjp5h8xI

Source code for BitLogin CryptoID Android client v0.1.0 (binary package):
https://mega.co.nz/#!loQ20JrR!NKBT5hUKh ... 8udP0MZlv4

Server source code (Java):
https://mega.co.nz/#!l8hGRTJB!d6fNhiDuN ... Kvy4e92CkE

You also need this (BitcoinECKey; all code extracted from the bitcoin Java
sources):
https://mega.co.nz/#!0lp0Eb6R!NujAJiYXO ... odREih407A

Other libraries needed for compile:
- spongycastle crypto library
- zxinglib

This code is free to use (parts of it might be under GPL licenses),
either for improving SQRL or as is.

I will try to get a sample server running today.

The principle (and differences) compared to SQRL are:
- the server is identified by its cryptographic keys; the actual URL can
be anything (I think piratebay likes this). The good thing is that you
can use the same user base on any number of servers/services. The bad thing
is that you *must not* lose the master key.
- the master key is used to sign microcertificates (uCert). The sample
server creates a new uCert every 10 minutes.

- the server offers a session id (the server is free to generate a timestamped
and/or SSL-ID etc. session key) to the client; the client identifies the
user by signing the session key with the identity's secret key. The server
finds the public key from the signature and logs the user in.

- the client generates a new keypair for every server/username combination.

- Messages are very simple:
Login QR code:
bitid:192.168.7.15:8080/CryptoIDDemo/cid?id=l~B32CB9DE862FAC3D98A04621D605DA45~1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj
where l = login, B32CB9DE862FAC3D98A04621D605DA45 = session id,
1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj = server public key (the format is a
standard Bitcoin address)

Reply:
192.168.7.15:8080/CryptoIDDemo/cid?id=l~B32CB9DE862FAC3D98A04621D605DA45&signature=IAiEp1YaQgKOYDyXFTiFCvp-iasTZszt2GFmDK6eQiSeRYpD-pwq3ZSj7s8x5xLP51qnOpf_mRIw-cgY6p8xOWs.

The server finds the identity's public key from the signature and logs the
user in.

Registering QR code:
bitid:192.168.7.15:8080/CryptoIDDemo/cid?id=c~873FEAA9328A766120BD861AF87D07C8~testuser~1PHDDf5b8rexRSyn2mvY5ziuSLPrXWGyQj

Response:
192.168.7.15:8080/CryptoIDDemo/cid?id=c~873FEAA9328A766120BD861AF87D07C8~testuser&signature=ILDIgZibEr9Onqm_q7yPNC0wgaBRTpFl8d_mDww_maOrOqELTUfCCyLovpj_uyqaDlVnJU0qZ4cTxxv8-hwaxgY.

When replying, the server identifies itself with a uCert (it would make the QR
code very big, so it is sent back with the HTTP response):
{"message":{"20131215124151+0200~testuser~B32CB9DE862FAC3D98A04621D605DA45"},"signature":"H_lbcQSWrvkBhH09PII4pQmTKaIGHCn3HmzxkJZp8UerfLOLBFLCAaU6GD8U6tMzVPjRoAakNQlekLpKDeVltFE."},{"uCert":{"key":"1HWHJaisNUnm33EXtKJ5CM7KUrq9pDfEt9","expires":"20131215125151+0200"},"signature":"H0gdU_8FYaGNpCZncwcfws2XvL6PKe8AskJFeCia7-OTFliAAVi5eIkMIr2QUAqgM80XBSYzJVDQRZ1AcN2v-Kg."}
Logged in : testuser:14Gv4XffXoUnQ3sb4eNTgGu4fgjtTidqCu

From the message signature, the client finds the server's online public key,
1HWHJaisNUnm33EXtKJ5CM7KUrq9pDfEt9, which is certified in the uCert
with the server's master key (which matches the QR code server key).

best regards,
Nite69
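The register/login exchange sketched in the principle list and the message samples above, as an added example that is not part of the post or of the BitLogin/CryptoID sources. It is pure Python (secp256k1 arithmetic written out, so it runs offline without bitcoinj or spongycastle) and uses Bitcoin-style compact recoverable message signatures, which is what the 'H'/'I' headers in the posted signatures indicate. Assumptions not stated in the post: the client signs the `id=` value; the trailing '.' in the posted signatures stands for base64 '=' padding; identities are compressed public keys in hex rather than Base58 Bitcoin addresses; the uCert expiry is a Unix timestamp; the host name is the one from the sample messages.

```python
"""Added example (not BitLogin/CryptoID code): the register/login exchange from the post,
re-implemented in pure Python. Assumptions: client signs the `id=` value; '.' replaces base64 '='
padding; identities are compressed public keys in hex, not Bitcoin addresses; uCert expiry is Unix time."""
import base64, hashlib, hmac, json, secrets, time

# secp256k1 domain parameters (the curve behind Bitcoin keys and the posted signatures)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):                       # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:      lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)
def _mul(k, p):                       # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r
def pub_id(point):                    # compressed SEC1 public key as hex; stands in for the address
    return (bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")).hex()
def b64(b): return base64.urlsafe_b64encode(b).decode().replace("=", ".")
def unb64(s): return base64.urlsafe_b64decode(s.replace(".", "="))

def msg_hash(msg: bytes) -> int:      # Bitcoin "signed message" digest: prefix, varint length, SHA256d
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg        # assumes len(msg) < 253
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def sign(priv: int, msg: bytes) -> str:
    z = msg_hash(msg)                 # nonce from key and digest: deterministic, never reused (stand-in for RFC 6979)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big") % N
    R = _mul(k, G)
    r, recid = R[0] % N, R[1] & 1
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2: s, recid = N - s, recid ^ 1          # low-s form; negating s flips R's parity
    header = 27 + 4 + recid                              # +4 = compressed key, i.e. the 'H'/'I' headers in the post
    return b64(bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def recover(msg: bytes, sig: str):    # public key from a compact signature: Q = r^-1 (s*R - z*G)
    raw = unb64(sig)
    if len(raw) != 65 or raw[0] not in (31, 32): raise ValueError("malformed compact signature")
    recid, r, s = raw[0] - 31, int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if not (0 < r < N and 0 < s <= N // 2): raise ValueError("r/s out of range")
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)     # square root, valid because P % 4 == 3
    if (y * y - pow(r, 3, P) - 7) % P: raise ValueError("r is not an x-coordinate on the curve")
    if y & 1 != recid: y = P - y
    rinv = pow(r, -1, N)
    return _add(_mul(rinv * s % N, (r, y)), _mul(rinv * (N - msg_hash(msg)) % N, G))

class Server:
    def __init__(self, host="192.168.7.15:8080"):       # host taken from the post's sample messages
        self.host, self.sessions, self.users = host, {}, {}
        self.master = secrets.randbelow(N - 1) + 1       # long-lived key: the identity of the service
        self.master_id = pub_id(_mul(self.master, G))
        self.rotate_ucert()
    def rotate_ucert(self):                              # post: the sample server makes a new uCert every 10 min
        self.online = secrets.randbelow(N - 1) + 1
        cert = {"key": pub_id(_mul(self.online, G)), "expires": int(time.time()) + 600}
        self.ucert = {"uCert": cert, "signature": sign(self.master, json.dumps(cert).encode())}
    def qr(self, action, username=None):                 # 'l' = login, 'c' = create/register
        sid = secrets.token_hex(16).upper(); self.sessions[sid] = action
        body = "~".join(x for x in (action, sid, username) if x)
        return f"bitid:{self.host}/CryptoIDDemo/cid?id={body}~{self.master_id}"
    def handle(self, reply: str):
        qs = dict(part.split("=", 1) for part in reply.split("?", 1)[1].split("&"))
        fields = qs["id"].split("~")
        ident = pub_id(recover(qs["id"].encode(), qs["signature"]))   # no lookup needed: key comes from the sig
        if self.sessions.pop(fields[1], None) != fields[0]: raise ValueError("unknown, replayed or mismatched session")
        if fields[0] == "c": self.users[ident] = fields[2]
        user = self.users.get(ident)
        if user is None: raise ValueError("unregistered identity")
        msg = f"{time.strftime('%Y%m%d%H%M%S')}~{user}~{fields[1]}"
        return {"message": msg, "signature": sign(self.online, msg.encode())}, self.ucert, user

class Client:
    def __init__(self): self.keys = {}                   # one key pair per (server master key, username)
    def answer(self, qr: str, username: str):
        base, id_ = qr[len("bitid:"):].split("?id=")
        body, server_id = id_.rsplit("~", 1)
        key = self.keys.setdefault((server_id, username), secrets.randbelow(N - 1) + 1)
        return base + "?id=" + body + "&signature=" + sign(key, body.encode()), server_id
    def check_server(self, resp, ucert, server_id):      # chain: QR master key -> uCert -> online key -> reply
        cert = ucert["uCert"]
        if pub_id(recover(json.dumps(cert).encode(), ucert["signature"])) != server_id: raise ValueError("uCert not signed by the master key from the QR code")
        if cert["expires"] < time.time(): raise ValueError("uCert expired")
        if pub_id(recover(resp["message"].encode(), resp["signature"])) != cert["key"]: raise ValueError("reply not signed by the certified online key")
        return True

def demo():                                              # register, then log in, verifying the server each time
    server, client = Server(), Client()
    for action in ("c", "l"):
        reply, server_id = client.answer(server.qr(action, "testuser" if action == "c" else None), "testuser")
        resp, ucert, user = server.handle(reply)
        client.check_server(resp, ucert, server_id)
    return user
```

Two practitioner notes on top of what the post says: the session id is consumed on first use, so a scanned QR code cannot be replayed, and the client only trusts the HTTP reply after walking the chain from the master key it saw in the QR code through the uCert to the online key, which is the part that makes "the URL can be anything" safe.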

