[BIP][Draft] BitID - "Connect with Bitcoin" protocol - page 2.

EricKennedy

sr. member

Activity: 360

Merit: 250

CEO, Ledger

Quote from: Falkvinge on October 29, 2014, 10:25:35 AM

Specifically, in what standard format are the parameters passed? Using Json? Http headers? Encoded onto the Uri? What? A tangible example of the exact HTTP POST request sent from the client, byte by byte, would have been enormously helpful here. As is now, I'm blind on the server side - I don't know what data to expect and have to guess how the client sends its data?

If you go here :
http://bitid.bitcoin.blue/login
And click on "manual", you'll get a curl example showing exactly how to POST on the demo server implementation.

trasla

hero member

Activity: 707

Merit: 500

This makes the whole process more cumbersome plus forces me to have an offline phone just for signing in. People willing to take these hurdles could as well use a dedicated hardware device or some of the long available complicated options for secure authentication.
The beauty of bitid is that it requires only a mobile wallet and a very simple step. It's easy and get it for free if you use a mobile wallet anyway.

You could of course proxy the callback with some software reading from a QR code on the phone. But, you know, complicated more secure systems which don't get used improve security less than systems which get used cause they are easy and still a hell lot better than this username plus password crap we have today.

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: trasla on October 29, 2014, 11:27:42 AM

I don't get it... How should me phone authenticate me to some server without contacting that server?

It's really quite simple - to "sign up" your phone creates a public key that it displays as a QR code and you use the camera on your PC to *scan it*. Then it sends back a public key (for your account) along with a one time message as a QR code that you then scan with your phone. Your phone then *signs a message* with its private key for the public key (and the one time message) and displays that as a QR code - you now again show your phone to the camera and you are done.

When signing in at a later stage you first enter your username - it will then display a QR code that is the public key and one time message. You scan this with your phone and then it creates a QR code of the *signed response" which lets you "log in".

So your phone never needs internet access to do this (just needs a camera and a display).

It is not that much more difficult than a traditional login (especially if you consider 2FA) and it is 100% secure (getting people used to this idea is going to be the hardest part).

trasla

hero member

Activity: 707

Merit: 500

Quote from: CIYAM on October 29, 2014, 10:30:15 AM

I had also considered this exact idea (being a fan of QR codes) - IMO the main thing to really help this to happen would be the software to be available for smart phones and a smart phone that can be *permanently disconnected from all normal comms*.

I have read about (more or less) transparent Faraday cages so I am thinking that an inexpensive approach might be to use an old smartphone and such a Faraday cage to create an authenticator that never needs to be online.

I don't get it... How should me phone authenticate me to some server without contacting that server?

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

I had also considered this exact idea (being a fan of QR codes) - IMO the main thing to really help this to happen would be the software to be available for smart phones and a smart phone that can be *permanently disconnected from all normal comms*.

I have read about (more or less) transparent Faraday cages so I am thinking that an inexpensive approach might be to use an old smartphone and such a Faraday cage to create an authenticator that never needs to be online.

Falkvinge

newbie

Activity: 31

Merit: 0

Some feedback - this part was not clear to me:

Quote

POST the signature, the URI and the public key to the callback URL

Specifically, in what standard format are the parameters passed? Using Json? Http headers? Encoded onto the Uri? What? A tangible example of the exact HTTP POST request sent from the client, byte by byte, would have been enormously helpful here. As is now, I'm blind on the server side - I don't know what data to expect and have to guess how the client sends its data?

laurentmt

sr. member

Activity: 384

Merit: 258

Quote from: Falkvinge on October 27, 2014, 04:50:22 AM

I intend to implement this as a 2FA sign-on in Swarmops over the next two weeks. I've never seen _anything_ matching its ease of use.

Is there redistributable server-side code somewhere I can use as a template? My platform is ASP.Net and C#. I would rather not reimplement crypto code, but I am happy to change its syntax keywords from another implementation language.

Cheers,
Rick
(Swarmops: https://github.com/Swarmops/Swarmops)

Hi Falkvinge,

There's no server-side code written in C# yet but it would be really great if someone can achieve that.

WRT crypto code, there's a great bitcoin library written in C# : NBitcoin
I'm almost sure that you can get all the crypto code required by BitId (basically the verification of ECDSA signatures) from this library.
You may contact Nicolas Dorier (maintener of NBitcoin) to check if you can reuse parts of his code and where to find the relevant code.

WRT BitId code, implementing server-side code is quite straightforward. There's several implementations in different languages :
- Ruby (original code)
- Python
- JS
- PHP

I hope it helps. Do not hesitate if you need more details about the protocol.

Quote from: bernard75 on October 27, 2014, 05:35:20 AM

Thumbs up here too.

You're welcome

bernard75

legendary

Activity: 1316

Merit: 1003

Quote from: Mitchell on October 22, 2014, 08:36:47 AM

Quote from: laurentmt on October 22, 2014, 08:17:43 AM

That's right, http://vps90685.ovh.net:8080/ is setup to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/

I just tried the TestNet version and I can confirm that it works like it should. Thanks for keeping those servers up and running. Wink

Thumbs up here too.

Falkvinge

newbie

Activity: 31

Merit: 0

I intend to implement this as a 2FA sign-on in Swarmops over the next two weeks. I've never seen _anything_ matching its ease of use.

Is there redistributable server-side code somewhere I can use as a template? My platform is ASP.Net and C#. I would rather not reimplement crypto code, but I am happy to change its syntax keywords from another implementation language.

Cheers,
Rick

(Swarmops: https://github.com/Swarmops/Swarmops)

Mitchell

copper member

Activity: 3948

Merit: 2201

Verified awesomeness ✔

Quote from: laurentmt on October 22, 2014, 08:17:43 AM

That's right, http://vps90685.ovh.net:8080/ is setup to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/

I just tried the TestNet version and I can confirm that it works like it should. Thanks for keeping those servers up and running. Wink

laurentmt

sr. member

Activity: 384

Merit: 258

Quote from: trasla on October 22, 2014, 06:07:53 AM

Quote from: xchrix on October 21, 2014, 05:41:04 PM

Quote from: trasla on September 12, 2014, 05:34:19 AM

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

how did you do it? i am unable to get it work with my mycelium wallet.
is there a list of android apps which are supporting BitID?

BitId is currently only enabled in the testnet version of mycelium.
We are still discussing whether we want to derive the keys in the exact way we do now.
Note that the example listed above will reject testnet addresses as invalid, in order to test that one I enabled bitid for my prodnet version.

That's right, http://vps90685.ovh.net:8080/ is setup to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/

trasla

hero member

Activity: 707

Merit: 500

Quote from: xchrix on October 21, 2014, 05:41:04 PM

Quote from: trasla on September 12, 2014, 05:34:19 AM

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

how did you do it? i am unable to get it work with my mycelium wallet.
is there a list of android apps which are supporting BitID?

BitId is currently only enabled in the testnet version of mycelium.
We are still discussing whether we want to derive the keys in the exact way we do now.
Note that the example listed above will reject testnet addresses as invalid, in order to test that one I enabled bitid for my prodnet version.

xchrix

hero member

Activity: 905

Merit: 1001

Quote from: trasla on September 12, 2014, 05:34:19 AM

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

how did you do it? i am unable to get it work with my mycelium wallet.
is there a list of android apps which are supporting BitID?

Rassah

legendary

Activity: 1680

Merit: 1035

Quote from: trasla on September 12, 2014, 05:34:19 AM

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though

(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))

I was just about to post that too. Really cool!

laurentmt

sr. member

Activity: 384

Merit: 258

Quote from: trasla on September 12, 2014, 05:34:19 AM

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though

(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))

Thanks for the feedback and information !
The warning about http instead of https is a great idea. All websites should use https Roll Eyes

trasla

hero member

Activity: 707

Merit: 500

I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though

(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))

laurentmt

sr. member

Activity: 384

Merit: 258

Quote from: onchain.io on September 11, 2014, 10:11:30 AM

Dark Wallet supports BitID ? Do you have a link I can look at.

They do, since their last release (alpha 5)

onchain.io

newbie

Activity: 29

Merit: 0

Quote from: laurentmt on September 11, 2014, 10:09:14 AM

I'll add it to my list of test platforms with Dark Wallet.

Dark Wallet supports BitID ? Do you have a link I can look at.

laurentmt

sr. member

Activity: 384

Merit: 258

Quote from: onchain.io on September 11, 2014, 10:04:19 AM

Not sure. It's working now, that's the main thing.

Sure. Anyway, it's really great that you've integrated Bitid in the wallet !
Unfortunately, I don't own an android smartphone, so I won't be able to check your android app against futures version of the library but if your web web wallet manages bitid, I'll add it to my list of test platforms with Dark Wallet.
Keep up the good work !
Laurent

onchain.io

newbie

Activity: 29

Merit: 0

Not sure. It's working now, that's the main thing.

Topic: [BIP][Draft] BitID - "Connect with Bitcoin" protocol - page 2. (Read 22692 times)