ed25519-login
IV key as a salt?
Add a random salt to the encrypted epoch time, so you can verify that they validated the key?
I am not a cryptography expert but I would like to think that I visualize some semblance of replayability there.
Hi. Thanks for the comment. The web service itself stores used signatures. Once a signature is used to login, it cannot be re-used later.
What if two websites use this? If a user has the same public key stored on both sites and logs in to site 1, then couldn't site 1 log into site 2 as the user?
Yes, that would be true. If the current time signing scheme was used on multiple websites and the user used the same keypair for both sites then that would work. I plan to switch to having users sign a nonce rather than the current time. In that case, only site 1 (and the user) would have the nonce. Thanks for the feedback.
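The two schemes discussed in this thread, side by side, as an added example that is not part of the thread or of the ed25519-login code. The `Site` class, its method names, the 30-second freshness window and the epoch value are assumptions made for illustration; it uses only Node's built-in `crypto` module.

```javascript
// Added example (constructed); Site and its method names are hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

class Site {
  constructor(userPublicKey) {
    this.userPublicKey = userPublicKey;
    this.usedSignatures = new Set(); // timestamp scheme: signatures already used here
    this.pendingNonces = new Set();  // nonce scheme: challenges this site issued
  }
  // Timestamp scheme from the thread. The 30 s freshness window is an assumption.
  loginWithTimestamp(epoch, signature, now, maxSkew = 30) {
    const id = signature.toString('hex');
    if (Math.abs(now - epoch) > maxSkew || this.usedSignatures.has(id)) return false;
    if (!verify(null, Buffer.from(String(epoch)), this.userPublicKey, signature)) return false;
    this.usedSignatures.add(id); // only blocks reuse on this site
    return true;
  }
  issueNonce() {
    const nonce = randomBytes(32).toString('hex');
    this.pendingNonces.add(nonce);
    return nonce;
  }
  // Nonce scheme: accept only a challenge this site issued, and consume it once.
  loginWithNonce(nonce, signature) {
    if (!this.pendingNonces.delete(nonce)) return false;
    return verify(null, Buffer.from(nonce), this.userPublicKey, signature);
  }
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const site1 = new Site(publicKey); // same public key registered on both sites
  const site2 = new Site(publicKey);
  const now = 1700000000; // constructed epoch time
  const tsSig = sign(null, Buffer.from(String(now)), privateKey);
  const nonce = site1.issueNonce();
  const nonceSig = sign(null, Buffer.from(nonce), privateKey);
  return {
    tsSite1: site1.loginWithTimestamp(now, tsSig, now),          // first use
    tsSite1Again: site1.loginWithTimestamp(now, tsSig, now + 1), // stored, refused
    tsSite2: site2.loginWithTimestamp(now, tsSig, now + 1),      // site 2 never saw it
    nonceSite1: site1.loginWithNonce(nonce, nonceSig),
    nonceSite1Again: site1.loginWithNonce(nonce, nonceSig),      // consumed
    nonceSite2: site2.loginWithNonce(nonce, nonceSig),           // not issued by site 2
  };
}
console.log(demo());
```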