How does SAFE login work after RFC 0000?

I have some questions about how RFC 0000 affects account logins. As I understand it, when an account is created, the client makes a PUT request for StructuredData and stores the account information. This account information is encrypted with the user’s password and stored in the data slot of Hash(Hash(keyword + pin) + 0). And then this data is stored in on the network where anyone with the pin + keyword + tag_type can get it.


  1. What happens when an account already exists?
  2. What happens when a user tries to perform a brute force attack on the network? Before I believe that the network just returned a blob of random data that is indistinguishable from actual encrypted information. Does the network still do this?
  3. RFC 0001 adds a public key to all StructureData. Does this mean that an attacker can see if the blob of data returned is a valid account or not?

Answers (to be added):

I would also like to point out an interesting thing you can do with RFC 0001. If you create an account and save the private key used to create the account, then you can use this key on another computer to create a delayed automatic account delete. For example, if I wanted my account to be deleted after X amount of days, I could use a third party such as a server, friend’s computer, or even a raspberry pi somewhere to automatically delete the account without giving up the password used to encrypted the account data.


Good questions. Made me realize self-authentication documentation is rather incomplete right now. For example, the paper on self-authentication describes a somewhat different algorithm compared to the system docs.

It does a GET first. If the GET succeeds I suppose the algorithm returns and the client implementation can prompt a message.

I’ve never seen any implementation details concerning this mechanism. Frankly, I have no clue how this is going to work on SAFE. As far as I know a GET simply fails if no value is stored under the specified key.

1 Like

I think you forget the PBKDF2 in the account creation.
By the way, there are a task in Sprint3 who modify the PBKDF2 implementation:

This task in Sprint3 have the same concern.

1 Like