I would like user authentication to take place in the following way:
- User generates an encryption key and keeps it on their device. The encrypted key is then encrypted by their password.
- To create a new account, the user sends a public key and a signed message that says something like "new member". The server decrypts the message and verifies that the public keys match. It then creates a new account for the member.
- Any time the user interacts with the server, he signs a message with the private key stored on his or her device indicating his or her request. Perhaps the parameters for the request are also encrypted.
The server verifies that the user is in possession of the private key at each step. At no point is the private key communicated over the internet. The way I see it, this entire protocol could be run over GET requests with no security holes. The only security hole appears to be local storage of a user's key, but my implementation avoids this (hence the method which is derived here).
Now comes the real question. Are there any libraries set-up for this protocol that would make implementing it very easy? I'm looking for node and bower implementations. Most crypto libraries make you do something like this in 5-6 steps. That's adequate, but I'm wondering if this is actually a common method that I just haven't heard of.
via Kevin
No comments:
Post a Comment