Authenticating, the Safe way

Apps
1

One thing I’m looking forward to is being able to authenticate to any services using my Safe credentials. Here’s a simple way I think an app developper could handle that.

  • Upon registration ask for the user public key.
  • When logging in, ask the user to encrypt a random word using their private key, this is done in a local app. A feature of the Safe App Launcher maybe?
  • Decrypt the word using the user public key. If the decrypted word matches the random one giving, the user is succesfully authenticated.

What I like is that it’s straight forward to implement and it’s safe because your private key stays on your computer. Thoughts?

2 Likes
2

Can be even easier.

  1. Got to a site with our id (public known or anonymous), encrypted with the services public key
  2. Service gets your public key from network (PKI part)
  3. Encrypt all data back to you using that key
  4. conversation is then encrypted back and forth

[variants allow you signing for access request etc.)

Then you are confirmed as you, otherwise you could not read the data. Your entry is also hidden as it’s encrypted to the service (if they are corrupt it really does not matter, they will be caught via the social web)

[ edit, my intent is there is no registration, no typing just push an access button, session info can be saved. As you have a unique identifier which is all any service should need, unless they also need delivery info etc.]

9 Likes
3

How does the site, or app, knows my public id? Is it because it would use the Safe App Launcher API?

EDIT I see you mention, PKI, I think the answer is in there, I found this pdf that explains it, I’ll read it now, thx.

2 Likes
4

I’m reading the doc on PKI and I’m confused, it says:

Suppose person A wishes to send a message M to person B.
We equip person A with a key-pair consisting of a private key
Kpriv and a public key Kpub, the latter of which is publicly
available for person B to use. It is in the interests of both
parties for person B to be able to ensure that the message M
was definitely sent by person A and to detect if it has been
changed during its transmission. To facilitate this, person A
can hash the message M and then decrypt it using their private
key; the result of these operations is called the digital signature
of the message M. Person A then sends both M and its digital
signature to person B. To check that the message M has arrived
intact and unchanged, person B does three things: firstly, he
encrypts the digital signature using person A’s public key to
recover the hash of message M; secondly, person B hashes
the message he received. Finally, person B compares these two
hashes - if they differ, either the message M or its signature has
been altered. If the hashes are the same, the message received
by person B is cryptographically guaranteed to be the piece
of data to which the signature refers, and therefore it is the
message M which person A sent.

Are decrypt and encrypt reversed, or do I not get what they mean?

EDIT: I understand now, this link helped me understand why it seems mixed up.

For the curious:
(Crypto gurus, correct me if I’m wrong)

Both the public and the private key can be used to scramble data, but you can only call this process “encryption” when it’s done using the public key. Understand that the function you use to scramble the data is the same. The only difference between a private and a public key is that you decided to share one and keep the other for yourself, it could be either of them.

So since they are the same and use the same method to scramble the data why can’t you say you are encrypting with the private key? The reason is in the definition of the word “encryption”. When you encrypt something it means that you scramble the data and that only a secret key can decrypt it. So when you scramble with a public key, only the private key can descramble it, the private key is a secret so it matches the definition. But when you scramble with a private key, it’s the public key that is required to descramble it, but since the public key is not a secret, it doesn’t fit the definition of “encryption”.

So what do you call the process of scrambling data with a private key? In the text, they use decrypt, which confused me. Another term you can use is “to sign”. And the term you use to descrambled data with a public is “to verify”. Because the reason you would use a private key to scramble data is to prove to someone that you are the owner of the private key matching the public key. You are, signing, and they are verifying.

The more you know. :slight_smile:

4 Likes