
Author Topic: two factor auth  (Read 7861 times)

benjyz

two factor auth
« on: June 20, 2014, 07:04:53 pm »

I believe it should be pretty straightforward to build 2-factor authentication into Nxt. The user could set a threshold, so that large transfers require a one-time password.

When I think about it, it is surprising that Bitcoin has not implemented this. There was a discussion here:

https://gist.github.com/gavinandresen/5616606
http://www.reddit.com/r/Bitcoin/comments/1j676d/gavin_suggests_twofactor_protection_of_wallet/

RFC for HOTP
http://tools.ietf.org/html/rfc4226
Logged

jl777

Re: two factor auth
« Reply #1 on: June 20, 2014, 07:09:42 pm »

> I believe it should be pretty straightforward to build 2-factor authentication into Nxt. The user could set a threshold, so that large transfers require a one-time password.
>
> When I think about it, it is surprising that Bitcoin has not implemented this. There was a discussion here:
>
> https://gist.github.com/gavinandresen/5616606
> http://www.reddit.com/r/Bitcoin/comments/1j676d/gavin_suggests_twofactor_protection_of_wallet/
>
> RFC for HOTP
> http://tools.ietf.org/html/rfc4226

NXT doesn't have multisig yet, but even assuming it does, wouldn't there need to be a centralized server?
If you can decentralize the storing of the TOTP key securely, then I think a nice bounty for a solution.

I have been told repeatedly it is impossible to do this in a decentralized way. Can you prove them wrong?

James
Logged
There are over 1000 people in SuperNET slack! http://slackinvite.supernet.org/ automatically sends you an invite

I am just a simple C programmer

ChuckOne

Re: two factor auth
« Reply #2 on: June 20, 2014, 07:14:25 pm »

Well, the problem here is to define what exactly 2-factor-auth means. Ideas?
Logged

jl777

Re: two factor auth
« Reply #3 on: June 20, 2014, 07:20:09 pm »

> Well, the problem here is to define what exactly 2-factor-auth means. Ideas?

That's simple.
It means I can use Google Authenticator to come up with the PIN code to input into the wallet, and if I don't, the large tx doesn't happen.

so the entire blockchain would need to be able to verify the PIN code

Hmm. Actually it is possible if we stored the hash of something for the blockchains to match and the forging node would complete a referenced TX based on this

Something like that.

James
Logged

benjyz

Re: two factor auth
« Reply #4 on: June 20, 2014, 07:20:35 pm »

hmm, true, doing it in a decentralized way seems to go back to standard problems. Gavin's suggestion, as always, was just to use Google's service. I was thinking about implementing this on top of Twilio. So this will be 2FA for my service, and I could open-source the project to make it easy for others to use. With Twilio one can SMS worldwide for a few cents via their API. vbuterin made some comments in the link above about such a setup.
Logged

ChuckOne

Re: two factor auth
« Reply #5 on: June 20, 2014, 07:21:06 pm »

> > Well, the problem here is to define what exactly 2-factor-auth means. Ideas?
>
> That's simple.
> It means I can use Google Authenticator to come up with the PIN code to input into the wallet, and if I don't, the large tx doesn't happen.
>
> so the entire blockchain would need to be able to verify the PIN code
>
> Hmm. Actually it is possible if we stored the hash of something for the blockchains to match and the forging node would complete a referenced TX based on this
>
> Something like that.
>
> James

Details, James, Details. That is the important issue here.
Logged

ChuckOne

Re: two factor auth
« Reply #6 on: June 20, 2014, 07:22:36 pm »

First of all, I would categorize 2-factor into:

A) using a trusted party
B) no trust required
Logged

ChuckOne

Re: two factor auth
« Reply #7 on: June 20, 2014, 07:24:09 pm »

I personally would like the trusted party thing. So, they could send me a TAN on my mobile phone.
Logged

ChuckOne

Re: two factor auth
« Reply #8 on: June 20, 2014, 07:24:55 pm »

On the other hand, a no-trust-required solution appeals even more to me. :) But I have no idea what the difference would be to a passphrase split into 2 parts.
Logged

jl777

Re: two factor auth
« Reply #9 on: June 20, 2014, 07:26:28 pm »

> > Well, the problem here is to define what exactly 2-factor-auth means. Ideas?
>
> That's simple.
> It means I can use Google Authenticator to come up with the PIN code to input into the wallet, and if I don't, the large tx doesn't happen.
>
> so the entire blockchain would need to be able to verify the PIN code
>
> Hmm. Actually it is possible if we stored the hash of something for the blockchains to match and the forging node would complete a referenced TX based on this
>
> Something like that.
>
> James

We need a seed for the TOTP; we can't store the seed without encrypting or hashing it, so let's publish the hash of the seed.

This doesn't seem to work at all. Even assuming the forging node will be able to run some custom checks to match up a pending TX, no, the forging node can't generate the TOTP to verify.

OK, so what about requiring a time-based tokenized approval of the tx?

A NXT token would be required for any tx > threshold that was calculated using the raw unsigned bytes of the tx combined with the timestamp field. But this won't protect against someone who already has the NXT acct's secret, so it isn't strictly 2-factor.

Logged
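As an added example (not code from this thread or from Nxt), here is the threshold-gated OTP check from the opening post implemented as RFC 4226 HOTP, with the objection from the reply above made concrete: the verifier needs the raw seed, so a node holding only a hash of the seed cannot check the code. THRESHOLD and the transfer amounts are constructed; the secret is the RFC's own test key.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Secret from RFC 4226 Appendix D (ASCII "12345678901234567890"); the codes
# derived from it below match the RFC's published test vectors.
RFC4226_SECRET = b"12345678901234567890"
# Constructed threshold (assumption): transfers above it require an OTP.
THRESHOLD = 1000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, code: str, window: int = 3) -> Optional[int]:
    """Accept a code for counter..counter+window (RFC 4226 look-ahead window) and
    return the next counter to persist, or None on failure. The verifier must hold
    the raw seed: HMAC cannot be recomputed from hash(seed), which is why publishing
    a hash of the seed to the blockchain does not let forgers check the code."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # advance past the used code so it cannot be replayed
    return None


def authorize_transfer(amount: int, code: str, secret: bytes, counter: int) -> Tuple[bool, int]:
    """Threshold gate from the opening post: transfers at or below THRESHOLD pass without
    an OTP; larger ones need a valid HOTP. Returns (authorized, counter to store)."""
    if amount <= THRESHOLD:
        return True, counter
    next_counter = verify_hotp(secret, counter, code)
    if next_counter is None:
        return False, counter
    return True, next_counter


def hash_only_verifier_matches(secret: bytes, counter: int) -> bool:
    """A node that stores only sha256(seed) can at best run HOTP over that hash; the
    result equals the user's real code only by a 1-in-10^6 accident, so it is useless
    as a check. Returns True only in that accidental case."""
    return hotp(hashlib.sha256(secret).digest(), counter) == hotp(secret, counter)
```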

jl777

Re: two factor auth
« Reply #10 on: June 20, 2014, 07:27:02 pm »

> > > Well, the problem here is to define what exactly 2-factor-auth means. Ideas?
> >
> > That's simple.
> > It means I can use Google Authenticator to come up with the PIN code to input into the wallet, and if I don't, the large tx doesn't happen.
> >
> > so the entire blockchain would need to be able to verify the PIN code
> >
> > Hmm. Actually it is possible if we stored the hash of something for the blockchains to match and the forging node would complete a referenced TX based on this
> >
> > Something like that.
> >
> > James
>
> Details, James, Details. That is the important issue here.
I defined the user experience precisely :)
I leave the tech to you
Logged

ChuckOne

Re: two factor auth
« Reply #11 on: June 20, 2014, 07:28:34 pm »

> I defined the user experience precisely :)
> I leave the tech to you

There are more ways of doing 2-factor-auth.

PS: could you shorten the quotes sometimes? It makes your responses easier to read. :)
Logged

ChuckOne

Re: two factor auth
« Reply #12 on: June 20, 2014, 07:29:18 pm »

> We need a seed for the TOTP; we can't store the seed without encrypting or hashing it, so let's publish the hash of the seed.
>
> This doesn't seem to work at all. Even assuming the forging node will be able to run some custom checks to match up a pending TX, no, the forging node can't generate the TOTP to verify.
>
> OK, so what about requiring a time-based tokenized approval of the tx?
>
> A NXT token would be required for any tx > threshold that was calculated using the raw unsigned bytes of the tx combined with the timestamp field. But this won't protect against someone who already has the NXT acct's secret, so it isn't strictly 2-factor.

What type of 2-factor-auth are you talking about?
Logged

benjyz

Re: two factor auth
« Reply #13 on: June 20, 2014, 07:31:04 pm »

User generates a mix of token + latest blockchain hash. He sends this to any of N servers. The server will know that the request was a recent one. The server verifies and sends a token. An attacker would have to compromise all servers or somehow meddle with traffic, which is extremely hard (I suppose 99.99% of all hacks are some drive-by attacks). The user pays the service for the SMS (<0.20$ in most countries).
Logged

ChuckOne

Re: two factor auth
« Reply #14 on: June 20, 2014, 07:35:21 pm »

Okay. Let me define what I believe is 2-factor-auth:

The user is required to enter 2 secrets to sign a transaction. These two secrets should be stored in different locations.


Examples:
1) first secret on my PC, second secret on PC of trusted party which can be unlocked by a TAN sent to mobile phone
2) first secret on my PC, second secret in my brain
3) ...
Logged

ChuckOne

Re: two factor auth
« Reply #15 on: June 20, 2014, 07:36:07 pm »

> User generates a mix of token + latest blockchain hash. He sends this to any of N servers. The server will know that the request was a recent one. The server verifies and sends a token. An attacker would have to compromise all servers or somehow meddle with traffic, which is extremely hard (I suppose 99.99% of all hacks are some drive-by attacks). The user pays the service for the SMS (<0.20$ in most countries).

Sounds more like EC. ;)
Logged

jl777

Re: two factor auth
« Reply #16 on: June 20, 2014, 07:36:46 pm »

> What type of 2-factor-auth are you talking about?

something like Google Authenticator
imagine I am a clueless end user, I just want what I am used to using
Logged

benjyz

Re: two factor auth
« Reply #17 on: June 20, 2014, 07:40:40 pm »

Is there a plan for multi-sig in Nxt? I find advanced things in Bitcoin are not possible just because everything takes so much time and mental effort, the kernel being unfriendly and cryptic. Although the script was precisely designed for many transaction types.
Logged

ChuckOne

Re: two factor auth
« Reply #18 on: June 20, 2014, 07:40:53 pm »

> > What type of 2-factor-auth are you talking about?
>
> something like Google Authenticator
> imagine I am a clueless end user, I just want what I am used to using

Then forget about Nxt. :D

Kidding, so, it seems you are in for the trusted party approach, right?
Logged

ChuckOne

Re: two factor auth
« Reply #19 on: June 20, 2014, 07:41:35 pm »

> Is there a plan for multi-sig in Nxt? I find advanced things in Bitcoin are not possible just because everything takes too much time and the kernel is extremely unfriendly. Although the script was precisely designed for many transaction types.

Phasing will do here. :)
Logged