archethic-foundation / archethic-docs

Official documentation of the Archethic Network
https://wiki.archethic.net

Decentralized Identity / Keychain concepts #4

Closed ghost closed 2 years ago

ghost commented 3 years ago

ARCHEthic is providing a decentralized identity built on top of the network, being able to have one unified encrypted vault accessible only by you and the several accesses you are allowing.

Keychain

This vault or identity is something we called Keychain, where users are able to hold cryptographic derivation paths for the derived keys for the services enlisted. So a keychain is like a decentralized wallet where you can have access to all the keys to use the services provided, and only you can have this access. The main point of this feature is to replace the nightmare of remembering all the different passwords and credentials we are using for all the services we are connected to and to avoid storing each key. Once you have access to the keychain, you will be able to decrypt it and generate keys on the fly for the desired service.

A keychain can be represented like this:

{
  "seed": ".....",
  "services": {
    "uco": {
      "derivationPath": "......."
    },
    "bitcoin": {
      "derivationPath": "...."
    },
    "gmail": {
      "derivationPath": "...."
    }
  }
}

The seed is used to derive new transactions on the keychain transaction chain, to be able to add new services and new authorizations and to derive keys from the derivation paths for the listed services.

The services will contain all the services you have access to with this keychain and their cryptographic information used to derive keys, such as the path, the algorithms to use and any other data useful for those keys.

To be able to generate a keychain, you need to create a transaction with type: keychain and to encrypt the wallet and put it inside the data/ownerships/secret.

Access the keychain

To give access to this keychain and keep the security high, we have to leverage cryptography and encryption to allow you to access it.

A symmetric key encrypts the entire keychain. This key is also encrypted with a list of authorized public keys using Elliptic curve cryptography. So, by providing one of the authorized keys, you should be able to decrypt the keychain and have access to your cryptographic seeds for all the services needed.

A specific type of transaction, access_keychain, is generated from a seed coming from a passphrase, a hardware device or a biometric device.

Inside this transaction, we encrypt the genesis address of the keychain transaction and authorize the current access key to have access. In other words, an access_keychain transaction's owner will have access to the keychain address and only him/her.

Once the keychain address is retrieved, we can request the network to fetch the keychain transaction to be able to decrypt its content or not. (Note then, the access keychain's transaction should have been authorized before to be able to decrypt the keychain.)

Keychain Creation Workflow

  1. We are generating the keychain transaction seed
  2. Then we generate the keychain genesis address
  3. Then we build the access_keychain transaction by encrypting this genesis address with a random symmetric key and authorize the access_keychain public key to be able to decrypt it.
  4. After we build the keychain transaction and encrypt inside the decentralized wallet/identity, the transaction seed and authorize the first access_keychain public key to be able to decrypt it.

Keychain Access

  1. We are generating the access_keychain address from a seed (passphrase, USB, biometric) and the first address
  2. We are requesting the network to fetch this transaction
  3. Once retrieved, we are decrypting the secret to be able to get the keychain's address
  4. Once decrypted, we are requesting the network to fetch the keychain transaction
  5. Finally, we are decrypting the keychain vault, to be able to have access to the given services and cryptographic keys.
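
The creation and access workflows above, sketched as an added example that is not part of the original issue or of Archethic's libjs. An in-memory Map stands in for the network, and the key derivation, the address format and the ECDH plus AES-256-GCM key wrapping are simplifying assumptions, not Archethic's actual formats.

```javascript
const crypto = require("node:crypto");
const sha256 = (...parts) => parts.reduce((h, p) => h.update(p), crypto.createHash("sha256")).digest();
// Assumed (not Archethic's): P-256 private scalar = SHA-256(seed || index); address = hex SHA-256(public key).
function deriveKeyPair(seed, index) {
  const kp = crypto.createECDH("prime256v1");
  kp.setPrivateKey(sha256(seed, String(index)));
  return kp;
}
const address = (kp) => sha256(kp.getPublicKey()).toString("hex");
function seal(key, plaintext) { // AES-256-GCM, output = iv (12 bytes) || tag (16 bytes) || ciphertext
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}
// One random symmetric key encrypts the secret and is wrapped for each authorized public key.
function makeOwnership(secret, authorizedPubs) {
  const symKey = crypto.randomBytes(32);
  const authorizedKeys = authorizedPubs.map((pub) => {
    const eph = crypto.createECDH("prime256v1"); // ephemeral key pair per recipient
    const ephPub = eph.generateKeys();
    return { pub: pub.toString("hex"), ephPub, wrapped: seal(sha256(eph.computeSecret(pub)), symKey) };
  });
  return { secret: seal(symKey, Buffer.from(secret)), authorizedKeys };
}
function readOwnership(tx, kp) {
  const entry = tx && tx.authorizedKeys.find((k) => k.pub === kp.getPublicKey().toString("hex"));
  if (!entry) throw new Error("transaction missing or key not authorized");
  const symKey = open(sha256(kp.computeSecret(entry.ephPub)), entry.wrapped);
  return open(symKey, tx.secret).toString();
}
function createKeychain(network, accessSeed, services) {
  const seed = crypto.randomBytes(32).toString("hex"); // 1. keychain transaction seed
  const genesis = address(deriveKeyPair(seed, 0)); // 2. keychain genesis address
  const access = deriveKeyPair(accessSeed, 0);
  const pubs = [access.getPublicKey()];
  network.set(address(access), makeOwnership(genesis, pubs)); // 3. access_keychain transaction
  network.set(genesis, makeOwnership(JSON.stringify({ seed, services }), pubs)); // 4. keychain transaction
  return genesis;
}
function accessKeychain(network, accessSeed) {
  const access = deriveKeyPair(accessSeed, 0);
  const genesis = readOwnership(network.get(address(access)), access); // fetch and decrypt access_keychain
  return JSON.parse(readOwnership(network.get(genesis), access)); // fetch and decrypt the keychain vault
}
```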

ghost commented 3 years ago

Study the integration with W3C DID standard and Verifiable Credentials and Web Authentication

ghost commented 2 years ago

This has been implemented in archethic-foundation/libjs#37

Remains the doc to be written: