Use of mnemonic & phrase for authentication.

Open zanzendegi opened this issue 3 years ago • 8 comments

Suggested workflow for the authentication is as below:

  1. On the first use of the app, we generate a mnemonic according to BIP39. Mnemonic generation must be deterministic.
  2. Derive a private key from the mnemonic. Then derive a public key from the private key.
  3. For every request to the server, the app will sign the payload with the private key. This is called a digital signature.
  4. For every request to the server, the app will also send the public key and the digital signature in the headers.
  5. On the server, the authentication middleware will verify the digital signature with the incoming message (request payload) and reply with either OK (200) or Unauthenticated (401).

zanzendegi avatar Nov 18 '22 06:11 zanzendegi
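Steps 2 to 5 of the workflow above, as an added example that is not part of the original issue or the project's code. It assumes Ed25519 with the first 32 bytes of the BIP39 seed as the private key, hypothetical header names, a server-side set of registered public keys, and a signed timestamp with a 60-second window; none of these are specified in the issue.

```javascript
// Added example, not the project's code. Assumptions: Ed25519, first 32 bytes
// of the BIP39 seed as key seed, header names, registered-key set, 60 s window.
const crypto = require("node:crypto");

// BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
function keysFromMnemonic(mnemonic, passphrase = "") {
  const seed = crypto.pbkdf2Sync(mnemonic.normalize("NFKD"),
    ("mnemonic" + passphrase).normalize("NFKD"), 2048, 64, "sha512");
  // Wrap the 32-byte seed in the fixed PKCS#8 prefix for Ed25519 (RFC 8410).
  const der = Buffer.concat([
    Buffer.from("302e020100300506032b657004220420", "hex"), seed.subarray(0, 32)]);
  const privateKey = crypto.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
  const spki = crypto.createPublicKey(privateKey).export({ format: "der", type: "spki" });
  return { privateKey, publicKeyB64: spki.toString("base64") };
}

// Client (steps 3-4): sign timestamp + body, send key and signature in headers.
function signRequest(keys, body, nowMs) {
  const ts = String(nowMs);
  const sig = crypto.sign(null, Buffer.from(ts + "\n" + body), keys.privateKey);
  return { body, headers: { "x-public-key": keys.publicKeyB64,
    "x-timestamp": ts, "x-signature": sig.toString("base64") } };
}

// Server middleware (step 5): returns 200 or 401.
function authenticate(req, registeredKeys, nowMs, maxSkewMs = 60000) {
  const h = req.headers;
  // A valid signature under an unknown key proves nothing about identity.
  if (!registeredKeys.has(h["x-public-key"])) return 401;
  // Reject stale timestamps so a captured request cannot be replayed later.
  const ts = Number(h["x-timestamp"]);
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > maxSkewMs) return 401;
  try {
    const pub = crypto.createPublicKey({
      key: Buffer.from(h["x-public-key"], "base64"), format: "der", type: "spki" });
    const ok = crypto.verify(null, Buffer.from(h["x-timestamp"] + "\n" + req.body),
      pub, Buffer.from(h["x-signature"], "base64"));
    return ok ? 200 : 401;
  } catch { return 401; } // malformed key or signature
}

// Constructed sample input: the public all-"abandon" test mnemonic, never a real one.
const MNEMONIC = "abandon abandon abandon abandon abandon abandon " +
  "abandon abandon abandon abandon abandon about";
```

Mnemonic generation itself (step 1) is left out because it needs the 2048-word BIP39 list; a replay inside the time window would still need a server-side nonce check.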

@zanzendegi This is so fundamental and crucial to the security of the project, could you create/provide a diagram to illustrate the whole authentication and encryption, so it is easier to understand the flow and the logic?

lukas-h avatar Nov 18 '22 16:11 lukas-h

A basic suggestion from my side. Everyone has edit access to the diagram via your GDrive. Please add your revisions.

[Image: Screenshot 2022-11-18 at 18 09 30]

armantorkzaban avatar Nov 18 '22 17:11 armantorkzaban

Signal has really nice diagrams. Something inspired by this would be good: https://signal.org/docs/specifications/doubleratchet/

And @armantorkzaban I really want to see a diagram involving all of the keys being sent, the whole flow

lukas-h avatar Nov 18 '22 18:11 lukas-h

We need to let the user select from the 16 available/suggested words in their preferred order. @Kobin-ts

armantorkzaban avatar Nov 22 '22 21:11 armantorkzaban

@armantorkzaban When it comes to security by randomness, there is no user choice/preference. The whole cryptography universe works by randomness. Letting users select their own words destroys the entropy.

Indeed, the user should be able to re-generate the mnemonic. For example, when someone sees my mobile screen or I find out I am under a CCTV camera, I need to re-generate my mnemonic.

@Kobin-ts In the verification screen, typing all the words without typos is difficult. We must display a shuffled list of words and force the user to select them in the correct order.

zanzendegi avatar Nov 23 '22 08:11 zanzendegi

The mnemonic screen is the first impression of the app. UX-wise, the user should not feel it's a difficult app to work with. The shuffled list of words fixes the difficulty mindset to a great extent. I believe we need this in the MVP. @drkangl90

zanzendegi avatar Nov 23 '22 08:11 zanzendegi

> @armantorkzaban When it comes to security by randomness, there is no user choice/preference. The whole cryptography universe works by randomness. Letting users select their own words destroys the entropy.
>
> Indeed, the user should be able to re-generate the mnemonic. For example, when someone sees my mobile screen or I find out I am under a CCTV camera, I need to re-generate my mnemonic.
>
> @Kobin-ts In the verification screen, typing all the words without typos is difficult. We must display a shuffled list of words and force the user to select them in the correct order.

Here I am talking about the 'ordering' of the randomly presented words, by selection.

armantorkzaban avatar Nov 23 '22 10:11 armantorkzaban

What's the state of this issue? Shall we move/update/close? @zanzendegi

armantorkzaban avatar Apr 01 '23 01:04 armantorkzaban