Topic: Best way to make user proof that he owns address? (Read 1778 times)

Ideally you'd also add the URL of your page ("...linked to account on example.com."). Also a timestamp + a user supplied secret/random string might be useful.

Okay, absolutely agree. I will change the message to sign like this:

Thank you 

Well again, what you are currently doing is having them sign something self-evident.  All that signature proves is that "The owner of address X agrees with the following statement:  'I own address X'".  Instead, you should have them sign something like "The email address [email protected] is the address that should be associated with username ".  I don't know exactly what you're having them authorize with their signature, but it should be explicit.

For logging-in scenarios you are definitely right, however in this case this is a one-time action. This is not about loggin in, this is only to link an anonymous player to another account. This is only possible once in a players lifetime, so i think it is not really necessary to add a nonce or similar. Right?

Remember, signatures don't "prove ownership", they prove that the person holding the private key agrees with the statement being signed.

As such  SignWithPrivateKey(X, "I confirm that I own address X") is something that the owner of address X always agrees with.  I don't have to own X... I just have to ask the owner of X to sign that statement, and he may not object, because he really does own X -- then I use that signature to unauthorized login to your website.

Even if your way did "work", you have a serious problem:  you are having them sign the same string every time:  an attacker only needs to get the signature from any one login, and then they can use it to sign in, too.  There must be a unique "challenge" for them to sign, such as a 128-bit random number generated everytime.  Or something like:

"Please sign the following with address X:  My IP address is 103.38.271.18 and I am signing into this service at 10:43am EST on Feb 12, 2013.  38201844".

It's still not high-quality crypto/security, but it's at least more closely-related to your goals.

Following up on this discussion:
I have this now implemented on bitbattle.me where you can connect an existing anonymous player (only defined by a bitcoin address) to your user account. To obtain ownership of such an anonymous account you need to sign a message with the player's bitcoin address.

Sample link (you need to be logged in to see it): http://bitbattle.me/connectplayer/minnow/
Screenshot: https://i.imgur.com/JIOIUgM.png

Technically works fine, but I don't know yet what other clients besides the official one can actually do this. And documentation/instructions probably need to be improved, already received some questions how this should work :-)

Oh yeah almost forgot here is the wiki link for how to use the BDK_login_with_coin_address function https://github.com/Xenland/Bitcoin-Development-Kit/wiki/BDK-Login-With-Coin-Address

I must note that even though its called Login with coin address it is actually an "Address ownership verifying" function

I have made a PHP library just for that, It uses a server-side checksums that can expire after a set amount of time (prevents eves droppers from replaying the message), it also encodes the message in such a way that will prevent any binary conversions during networking transport(basically just base64 encodes the random string, time stamp and the address);

Did i mention it dosen't need a database? (In the future it will support databases but I need to build it securely with out the database then later integrate DB support)

It's called the Bitcoin Development Kit and is Open Source under the AGPL let me know if you want to make money off of it and we can work out a commercial license otherwise if its non-profit and open source then by all means use the AGPL. As a side-note, after I have made an Return on investment I will release it into the public domain but for now I need to justify why I spent all this time and research into a helpful library.

http://bitcoindevkit.com

It's only in Alpha stage but it is very stable and I'm using it for three websites already ( http://p2pcrypt.com and the other two I'm not allowed to disclose due to NDA but p2pcrypt.com is under construction so you wont be able to see it till the completed site is pushed online tomorrow).

The way to do this without signatures is a Diffie-Hellman key exchange (look up the details on wikipedia):

You want to verify that someone knows the privkey p to a pubkey P.
You generate a new keypair (a,A), a is private, A is public, and send A.
The other party computes p*A and sends it back to you.
You verify if p*A=a*P.

This works because A=a*G and P=p*G where G is the base point of the elliptic curve.

Okay, now it's clear - I will definitely go for a specifc string!
Thank you all for the explanations

it even can be a static text since the sign will always be different for each address

You should really think of "message signing" as exactly what it sounds like: you putting your "approval" on a message.  "Proving ownership" isn't exactly what you do with signatures -- you should sign messages that you agree with.

Don't:  "To verify your identity sign this string using address X:    "x83jkflj432jlkjsjfwe"
Do: "You have requested that operation be completed, please sign the following message "I submit approval of operation on 18:43 EST Jan 2, 2012 and all rebates should be sent to Address "

You're not "proving ownership", you're proving that the person in control of that address agrees with the signed message.
Never sign anything that isn't has any ambiguity about its meaning.

The point is if you asked me to sign some random string I would tell you to pack sand.  Maybe that random string is the hash of a contract you later will claim I agreed to by signing (one which obligates me to pay you 100 BTC per year for example).  Or maybe the random string is you public key and you are using me signing it as proof in another scam with a third party.  See I am trusted, D&T is trusted and he signed my public key.  

Even if you are legit a random string could be used by third parties.  It doesn't really prove anything other than the signing party signed a random string.  As an example you there are two people A & B.  A claims to control address 123.... but doesn't really.  You ask A to sign a random string. A instead tricks Bob into signing the random string.  Maybe A sells Bob some gold coins and being naive A states that the random string is the order number.  A could even draw up a contract with the order # (your not so random string).   Bob signs the random string provided by A not knowing that it is A's intent to turn around and gives it to you as proof A controls address 123 which is a false claim as Bob actually does.

TL/DR:
Singing a random string is about as useful as a laywer asking you to sign a contract made out of random letters.  Would you physically sign a contract which is just pages and page and pages of seemingly random letters & numbers?  What is the lawyer says trust me it is random I just need you to sign something?  If you want the user to sign something then have the sign something meaningful.

What grue was indicating is that a better solution is to have the user sign something SPECIFIC that can't be used for any other purpose.  

Which is less likely to be abused ..

Signing this?

Or signing this?

BTW if you did sign the later guess what it is a SHA-256 hash of ... this ...

In some systems, signing someone's key has special meanings.  Like an endorsement.

The "random" signed text could be the hash of a message that you disagree with, or a contract, and again it could look like you endorsed it.  As far as the bitcoin system goes, the software (and thus network) doesn't attach any special meaning to signatures.  Still, people can and do, even when they know better, so you are best off never signing anything provided by someone else.

Stick to writing your own text, include a time stamp (which can't be verified, but whatever), and maybe let them suggest a word or a phrase to include to prove that you didn't pre-generate it.

a common way of identifying people in the internet is to have them sign their messages. But you need to trust that their key actually belongs to who they say they are. People verify each others identities in person, then sign their public keys. Now when they send messages back and forth, they can trust that the real sender actually sent the message (since the sender's public key has been signed by the receivers private key).

Now, you can see that someone might think you are running a scam if you are asking people to sign a random string of characters with a private key. You could basically build up a lot of cryptographic trust, fraudulently, if your random string of characters was actually your public key. You now will end up with a key trusted by many users (and implicitly trusted by many others) which can be used deceive people as to your real identity.

Thanks for your answers so far!

Hmm, I don't get it. Why would I want someone to sign my public key? And which public key do you mean?

it probably shouldn't just be a random string, because someone may suspect that you want them to sign your public key. a better way is to have a fixed string that says what signing of the string signifies, with a random string appended to it.

That method makes the most sense to me.

Though note that it only proves exactly what you are asking for: that the user can sign a random string with a particular address at a particular time. That's probably about the closest one might be able to come to "ownership", but depending on what you're really trying to do, you need to keep in mind that perhaps more than one human being has (or can gain) access to the private key, and that some or all of those humans might forget their password or otherwise lose access to the private key in the future.

I'm working on a webapp which requires that a user proofs ownership of an address.
Current idea is that user has to sign a random string with his address. On the server I can use the rpcmethod "verifymessage" with the bitcoin address, same random string and signature.
Does this make sense / Is there a better or alternative approach?