Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <bitcoingrant@gmx.com>) id 1VcTLM-000653-BF
	for bitcoin-development@lists.sourceforge.net;
	Sat, 02 Nov 2013 05:01:52 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmx.com
	designates 74.208.4.200 as permitted sender)
	client-ip=74.208.4.200; envelope-from=bitcoingrant@gmx.com;
	helo=mout.gmx.net; 
Received: from mout.gmx.net ([74.208.4.200])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128)
	(Exim 4.76) id 1VcTLK-0003Tj-Qx
	for bitcoin-development@lists.sourceforge.net;
	Sat, 02 Nov 2013 05:01:52 +0000
Received: from mailout-us.gmx.com ([172.19.198.48]) by mrigmx.server.lan
	(mrigmxus001) with ESMTP (Nemesis) id 0Lfjxe-1W18pn0w7W-00pJaz for
	<bitcoin-development@lists.sourceforge.net>;
	Sat, 02 Nov 2013 06:01:45 +0100
Received: (qmail 20016 invoked by uid 0); 2 Nov 2013 05:01:45 -0000
Received: from 98.116.3.138 by rms-us017 with HTTP
Content-Type: multipart/alternative;
	boundary="========GMXBoundary5851383368504828585"
Date: Sat, 02 Nov 2013 01:01:43 -0400
From: bitcoingrant@gmx.com
Message-ID: <20131102050144.5850@gmx.com>
MIME-Version: 1.0
To: bitcoin-development@lists.sourceforge.net
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: b+IGci1j3zOl2JpasXwhmyN+IGRvb4BQ
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(bitcoingrant[at]gmx.com)
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no trust [74.208.4.200 listed in list.dnswl.org]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
	See
	http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	for more information. [URIs: bitcoingrant.org]
	1.0 HTML_MESSAGE           BODY: HTML included in message
X-Headers-End: 1VcTLK-0003Tj-Qx
Subject: [Bitcoin-development] Message Signing based authentication
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 05:01:52 -0000

--========GMXBoundary5851383368504828585
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Passwords are inefficient by design: frequently we hear news from Sony, Square Enix, Adobe, and various others about passwords being compromised, databases being copied and stolen. This story remains true in the Bitcoin space. The recent Bitcointalk forum breach echoes an increasing need for passwords to become a thing of the past.

In celebration of the 5-year anniversary of the Bitcoin whitepaper, we are delighted to introduce the Message Signing based authentication method.

In brief, the authentication works as follows:

1. The server provides a token for the client to sign.
2. The client passes the signed message and the bitcoin address back to the server.
3. The server validates the message and honors the alias (optional) and bitcoin address as identification.

http://forums.bitcoingrant.org/

Above is a proof of concept forum that utilizes this authentication method. Following Kerckhoffs's principle, this forum only stores the signed message and bitcoin address the users provide the first time they use the site; both are public information. In addition, there is no database; everything is simply an RSS feed. For the sake of usability we have included Redis for the sessions, at the cost of additional exposure to potential risks: users no longer need to sign a token every time they wish to post.

All source code will be available on GitHub in the next few days.

We welcome any feedback or suggestions.

--========GMXBoundary5851383368504828585--
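
The server side of the three steps in the message above, as an added example; it is not the forum's code, which the message does not include. It shows the token handling a verifier needs so that a captured signed message cannot be replayed: tokens are random, bound to the site, short-lived and single-use. `ChallengeStore`, `TOKEN_TTL`, the site name and the HMAC-based `demo_sign`/`demo_verify` pair are assumptions made for the example; the HMAC pair only stands in for Bitcoin signed-message verification so the block runs without third-party libraries.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a token stays valid (assumed value)

class ChallengeStore:
    """Issues one-time login tokens and checks the signed response."""

    def __init__(self, site, verify_sig, now=time.time):
        self.site = site
        self.verify_sig = verify_sig  # callable(address, message, signature) -> bool
        self.now = now
        self.pending = {}             # token -> expiry timestamp

    def issue(self):
        # Step 1: a fresh random token, bound to this site so a signature
        # produced for it is meaningless to any other verifier.
        token = f"{self.site} login {secrets.token_hex(16)}"
        self.pending[token] = self.now() + TOKEN_TTL
        return token

    def login(self, token, address, signature):
        # Steps 2 and 3: pop() makes the token single-use, even on failure.
        expiry = self.pending.pop(token, None)
        if expiry is None:
            return "unknown-or-replayed-token"
        if self.now() > expiry:
            return "expired-token"
        if not self.verify_sig(address, token, signature):
            return "bad-signature"
        return "ok"

# Constructed stand-in for a wallet and a signed-message verifier.
# A real deployment verifies the ECDSA signature against the address instead.
DEMO_KEYS = {"1DemoAddressConstructed": b"constructed-demo-secret"}

def demo_sign(address, message):
    return hmac.new(DEMO_KEYS[address], message.encode(), hashlib.sha256).hexdigest()

def demo_verify(address, message, signature):
    if address not in DEMO_KEYS:
        return False
    return hmac.compare_digest(demo_sign(address, message), signature)
```
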