December 30, 2016 at 16:18Authorizer: decentralized authorization emcSSL will work with oAuth 2.0
News about the latest hacking databases and hijacking passwords or hashes appear with frightening regularity, even from giants such as VK and Yahoo. But Facebook and Google users cannot be sure of their security, because the essence of the problem is not hacking as such, but centralized storage of user data, including passwords or password hashes, which can be restored quite successfully.
Last year, we already wrote about the world's first decentralized digital key management system based on the Emercoin blockchain: emcSSL . Its authentication architecture does not reveal the user's secret during the authentication process to the server and uses decentralized account storage.
In theory, this is a great way to secure the credentials of users of any service, but in practice, the implementation of emcSSL requires the participation of a qualified programmer and contains a number of inconveniences from the point of view of the user. Therefore, our announcement today can be considered a Christmas present from HashCoins to the whole world: we have almost finished working on the Authorizer service, which allows you to connect emcSSL via oAuth 2.0 .
Unfortunately, emcSSL integration is not the easiest thing to do:
To simplify the life of webmasters, HashCoins decided to take care of this problem by combining emcSSL with oAuth 2.0: now you just need to paste the code for the conditional login button, the user clicks on the button, goes to the “Avtoraizer” website or sees our pop-up window (from the user's point it will look the same as authorization via Facebook, for example) and will come back with an authorization token.
To configure the webmaster must specify the data of our oAuth provider Autorzier. It is configured two orders of magnitude easier than installing emcSSL and does not scare visitors with certificate requirements. This functionality is ready.
In addition to authorization per se, Authorizer can be used to transfer other user information, such as a mailing address, etc. The idea is the same: centralized storage of personal data on someone’s servers is evil, because when they are compromised, personal, payment, medical and other information may be lost. When using emcSSL, this information is contained in a special info card stored in the Emercoin blockchain in encrypted form, and various services get only temporary access to it during authorization and only with the permission of the user. This can be useful, for example, to online stores, concerned about the reduction in the number of user actions that precede the purchase itself. When using authorization through Authorizer, the store receives data for delivery directly when the user is authorized,
Thanks to emcSSL, Authorizer achieves exactly this with the help of an infocard. At the first authorization through the “Autoizer”, we will ask the user to fill out an info card or take the data from the card to the user Emercoin, if the user is one. In the future, when entering a site, Authorizer will ask the user if he wants to show his data, for example, to an online store.
If the answer is yes, Avtoraiser will transmit the data from the info card - for example, the delivery address - to the store. After making a purchase, the server "forgets" its contents - until the next user login. As a result, only UserID can be stored in the server account, and nothing more. No password, no personal user data. And if there is nothing to take from the server, they will most likely not be trying to crack it.
After connecting emcSSL with oAuth2, the most difficult thing is not to implement the technology, but to change user habits. Because the principle of passwords, for all their shortcomings, is understood even by your grandmother. Passwordless authorization, although as old as the web, remains new and incomprehensible to most users. We have simplified the integration of emcSSL, but for the technology to become truly massive, it needs to be understood by ordinary users. Therefore, here are a few words about how it works - a small educational program, which you can share with less advanced acquaintances, so as not to tell everything from scratch.
All that a user needs is his electronic key to all doors: a certificate. There are several ways to create it: either through the “Avtoraizer” website (we will give links to it after the official release), or on emcssl.orgOr in the web-wallet emercoin or most reliable way: self-generation with the help of scripts . It sounds, of course, so far not very usable from the point of view of the mass user, but we are working to expand and simplify the receipt of the certificate. However, in the first release of Avtoraiser it will be required to create it yourself.
By creating it, you can add it to all browsers and devices that you use. When creating a certificate, you also create a password that you need to enter only one in each new browser - it is needed for your protection in case the certificate is stolen.
Then everything is simple: when you visit the site with Authorizer support, you see the authorization button for the certificate and select the certificate on your device and enjoy a secure connection.
Authorizer relieves you of the risk of compromising your personal data when hacking the servers of the next services, but increases the requirements for you as a guarantor of your own network security: you must take care of creating the certificate yourself and not let the password for it be stored in clear form anywhere. So we can say that in its current form, Authorizer is suitable for services designed for an audience of an average and higher level of technical literacy - for those for whom a couple of extra gestures are fully justified by the increased level of protection. Let's say that such a method of authorization as one of the alternatives would go fine for Habr, do not you think?
Release Authorizer is scheduled for late January. In the meantime, we will gladly listen to your feedback, questions and suggestions on our technology.
Last year, we already wrote about the world's first decentralized digital key management system based on the Emercoin blockchain: emcSSL . Its authentication architecture does not reveal the user's secret during the authentication process to the server and uses decentralized account storage.
In theory, this is a great way to secure the credentials of users of any service, but in practice, the implementation of emcSSL requires the participation of a qualified programmer and contains a number of inconveniences from the point of view of the user. Therefore, our announcement today can be considered a Christmas present from HashCoins to the whole world: we have almost finished working on the Authorizer service, which allows you to connect emcSSL via oAuth 2.0 .
How emcSSL works
The emcSSL system does not have a certification authority, and certificates are issued by the users themselves. Accordingly, issuing an accele certificate is by definition free. The EmerCoin blockchain acts only as a public trusted repository of hashes of SSL certificates and ensures the uniqueness of Serial, which is a unique UserID.
Thus, in the emcSSL system both problems have been successfully resolved - both non-disclosure of secret (a) and decentralization (b), which allows you to scale the system to a global level. The user of the emcSSL system receives a kind of “pass-all-terrain vehicle” that is independent of anyone but the user. Neither from the "website on the Internet", nor from the certifier, nor from anyone else. Accordingly, attacks of the type discussed above are impossible in the system, which lead to mass compromise of accounts, because private keys are generated by users and never leave their computers, and there simply is no such central place that can be compromised.
In especially important cases, it is advisable to use emSSL together with a password as part of two-factor authentication. In this case, emcSSL authorizes the device and provides a secure communication channel with the server, and the password authorizes the operator.
It is also worth mentioning that the emcSSL blockchain architecture efficiently and safely solves the problem of revoking a compromised certificate and quickly replacing it, which compares favorably with CRL and the OCSP protocol, which is vulnerable to MItM attack.
In general, emcSSL is cool and safe, but without a convenient way to implement it, it's all pretty much useless. It requires an Emerkoin wallet on the server, it is impossible to use CDN, because an enetrprise account is required to place the Emercoin certificate, thirdly, when authorizing through emcSSL, a certificate is required, which can frighten unprepared users.
Unfortunately, emcSSL integration is not the easiest thing to do:
To simplify the life of webmasters, HashCoins decided to take care of this problem by combining emcSSL with oAuth 2.0: now you just need to paste the code for the conditional login button, the user clicks on the button, goes to the “Avtoraizer” website or sees our pop-up window (from the user's point it will look the same as authorization via Facebook, for example) and will come back with an authorization token.
To configure the webmaster must specify the data of our oAuth provider Autorzier. It is configured two orders of magnitude easier than installing emcSSL and does not scare visitors with certificate requirements. This functionality is ready.
Info cards
In addition to authorization per se, Authorizer can be used to transfer other user information, such as a mailing address, etc. The idea is the same: centralized storage of personal data on someone’s servers is evil, because when they are compromised, personal, payment, medical and other information may be lost. When using emcSSL, this information is contained in a special info card stored in the Emercoin blockchain in encrypted form, and various services get only temporary access to it during authorization and only with the permission of the user. This can be useful, for example, to online stores, concerned about the reduction in the number of user actions that precede the purchase itself. When using authorization through Authorizer, the store receives data for delivery directly when the user is authorized,
An ideal system of user accounting on the server side should have information about it when this information is required (say, at the time of the purchase), and not contain it when an attacker trying to merge this information tries to merge it.
Thanks to emcSSL, Authorizer achieves exactly this with the help of an infocard. At the first authorization through the “Autoizer”, we will ask the user to fill out an info card or take the data from the card to the user Emercoin, if the user is one. In the future, when entering a site, Authorizer will ask the user if he wants to show his data, for example, to an online store.
If the answer is yes, Avtoraiser will transmit the data from the info card - for example, the delivery address - to the store. After making a purchase, the server "forgets" its contents - until the next user login. As a result, only UserID can be stored in the server account, and nothing more. No password, no personal user data. And if there is nothing to take from the server, they will most likely not be trying to crack it.
Get used to passwordless authorization
After connecting emcSSL with oAuth2, the most difficult thing is not to implement the technology, but to change user habits. Because the principle of passwords, for all their shortcomings, is understood even by your grandmother. Passwordless authorization, although as old as the web, remains new and incomprehensible to most users. We have simplified the integration of emcSSL, but for the technology to become truly massive, it needs to be understood by ordinary users. Therefore, here are a few words about how it works - a small educational program, which you can share with less advanced acquaintances, so as not to tell everything from scratch.
All that a user needs is his electronic key to all doors: a certificate. There are several ways to create it: either through the “Avtoraizer” website (we will give links to it after the official release), or on emcssl.orgOr in the web-wallet emercoin or most reliable way: self-generation with the help of scripts . It sounds, of course, so far not very usable from the point of view of the mass user, but we are working to expand and simplify the receipt of the certificate. However, in the first release of Avtoraiser it will be required to create it yourself.
By creating it, you can add it to all browsers and devices that you use. When creating a certificate, you also create a password that you need to enter only one in each new browser - it is needed for your protection in case the certificate is stolen.
Then everything is simple: when you visit the site with Authorizer support, you see the authorization button for the certificate and select the certificate on your device and enjoy a secure connection.
Authorizer relieves you of the risk of compromising your personal data when hacking the servers of the next services, but increases the requirements for you as a guarantor of your own network security: you must take care of creating the certificate yourself and not let the password for it be stored in clear form anywhere. So we can say that in its current form, Authorizer is suitable for services designed for an audience of an average and higher level of technical literacy - for those for whom a couple of extra gestures are fully justified by the increased level of protection. Let's say that such a method of authorization as one of the alternatives would go fine for Habr, do not you think?
Release Authorizer is scheduled for late January. In the meantime, we will gladly listen to your feedback, questions and suggestions on our technology.
Only registered users can participate in the survey. Please come in.
Do you need such authorization on Habré and Giktayms?
- 63.1% yes 24
- 36.8% no 14