orblivion
commented
2 years ago Inspiration: You mentioned zksnarks. That got me thinking here.
I had an idea for a small but significant change to your approach that I think could ease a few of our problems. But I wanted to run it by you before I go too deeply into using it for use cases and diagrams.
KDF(password) = (walletKey, downloadKey)
walletKey does the same thing as before. downloadKey authorizes downloading encryptedWallet and nothing else.
wallet contains a new key pair: loginPublicKey and loginPrivateKey which will never change.
An auth request (login or password change) contains:
loginPublicKey(user ID)downloadKey- domain (prevent reuse elsewhere)
- timestamp (prevent reuse later)
- (probably other stuff)
- Signature of the above using
loginPrivateKey
The response is sessionToken. It also updates the server with the latest supplied downloadKey.
The sessionToken can authenticate all requests other than the auth request above. downloadKey, again, can only authenticate download requests.
From this point, loginKey in the previous design is replaced by sessionToken or downloadKey, and it works roughly the same. downloadKey is the only medium-to-long term secret sent across the wire. loginPrivateKey is a new permanent secret, but it's stored with the rest of the keys to the kingdom anyway.
I can think of several ways that it makes this system at least a little bit smoother:
- No meaningful password breaches; password reuse between services is relatively benign
- A hacker or a malicious service would gain access to
downloadKey, but would probably have access to anencryptedWalletby that point anyway - The remaining threat is an attacker who also has
walletKeyand is playing the long game: usedownloadKeyto download future versions of the wallet, to quietly capture more secrets. (No idea how important that is).
- A hacker or a malicious service would gain access to
- Fewer password sync problems between server and local
- Suppose the user upgrades their password locally, and the server backup call fails. With the
loginKeysystem, the server would only respond to the previous password, which the user may have forgotten. So we'd have to be extra sure this never happens. With the login key pair system, it's not such a crisis: the login keypair is unchanged, it's encrypted with the new password that the user presumably remembers, and we can just try a new auth request to updatedownloadKeywhenever the network is back up.
- Suppose the user upgrades their password locally, and the server backup call fails. With the
- No password upgrade consistency issue across multiple backup servers
- Similar to above - Supposing you're backing up to two services and you change your password and only one service gets the message. On the next attempt both will be up to date, no problem.
- Authorizing signup for new services is unambiguous
- Supposing you're spinning up a new backup service and a user signs up. How do you know they're who they say they are? I haven't even thought of how to deal with this with the previous design. With this, the id is the public key and the signature from the private key proves it.
- Additional emergency recovery option
- Perhaps a long shot, but if the user somehow forgets their latest password but gets access to a local decrypted copy of their wallet, they can regain access to all of their associated accounts.
It just seems like a tighter system. More naturally decentralized. Are there downsides I haven't thought of? Did LBRY already consider and reject this idea at some point?
Is this somehow a bad idea for Odysee? Our plan involved decrypting the wallet in-browser for Odysee anyway, right?
I can think of one hypothetical downside: Without taking the time to think too deeply about it, my intuition tells me that this design may make it easier to clobber conflicting changes between two devices if there's a password change involved, that the previous design would stop us from doing. We just have to think extra carefully about it. Perhaps related: loginKey is always kept in sync with encryptedWallet in your design, and maybe I need to change things around to preserve that.
Some quick thoughts about tightening things up a bit more:
- can
downloadKeybe a key pair, or is the KDF only good enough for a symmetric key? If it can be a key pair, we could do the same signature trick and only senddownloadPublicKeyfor auth requests, removing the small "future wallets" threat above. - Can we use the existing LBRY blockchain key pair as
loginPublicKeyandloginPrivateKey? Or, use the seed feature to make it deterministic? This way, if a user "upgrades" two different LBRY clients to this new system, they won't accidentally end up generating two different login key pairs. That could be a mess. - Maybe we could just sign every request instead of using
sessionToken, but perhaps there are speed concerns and/or no particular benefit. Plus you wanted to do oauth which uses tokens.
lyoshenka
trymeouteh
(draft)
Motivation
Your wallet file stores important data that apps need to access. There's no convenient noncustodial way to back up your wallet or keep it synced across multiple apps. If you use several LBRY apps, you'll end up with many separate wallets.
Goals
noncustodialmultiapponepwpwresetrealtimewallets synced live between apps (at least it should feel like its live). relaxing this constraint since realtime stuff is moving out to federation or local storagedecentralizeduserfriendlyPlan
1. move as much stuff out of the wallet as possible
encrypted blob in channel?unsynced, or the sync is done by the app2. hosted wallet sync and oauth
set up https://lbry.id service to host wallets and provide oauth (should be open-source and documented so anyone can run their own auth service)
support 2fa?
3. client-side signing via lbry.id or js or browser plugin (a la metamask)
Once this sync protocol is adopted, apps will need a way for users to sign transactions to interact with LBRY. This must be done client side to satisfy the
noncustodialrequirement. This can be done (in increasing order of security) custom in the app via JS, or using a popup like Deso, or a browser extension like Metamask (which could also do hardware wallet support).Terms
Server Operations
register
Register a new account
params: id, password, version response: authToken errors: version not supported, id already exists
oauth
Support the standard Oauth flows. We'll probably integrate with existing IDP project
getWallet
Get the current wallet data
params: authToken response: version, encryptedWallet, sequence errors: invalid authToken
putWallet
Store new wallet data
params: authToken, version, encryptedWallet, sequence response: ok errors: invalid authToken, version not supported, sequence mismatch
changePassword
This is the same as a putWallet, but also changes the loginKey.
params: authToken, version, loginKey, encryptedWallet, sequence response: ok errors: invalid authToken, version not supported, sequence mismatch
info
Get info about a user
params: authToken response: id, version, sequence
websocket
Connect to websocket to be notified when new wallet data is stored
params: authToken
Common flows
New account
TODO
Connect an app
TODO
Conflicting writes
TODO
I forgot my password, what can I do?
TODO
Multiple user apps (desktop + mobile + paper backup)
TODO
UX Considerations
Different wallets have different needs. If you just started an account, its no big deal to lose your wallet. If you have a lot of channels/claims/lbc in there, you want more backups and security.
Security
how to do this so its secure? what's the threat model?
prolly want an audit for this, but shouldn't block deployment
Rabbit holes
password resets
oauth and multiple apps
secure client-side signing via lbry.id
migrating odysee to this system
phishing
do we have to have the same password across multiple apps?
Extras
When unlocking, run sync first to make sure latest version is stored in cloud
Unlock via QR code or copying a string?
optional passcode to wrap root key locally
encrypt data with intermediate key, then encrypt that key with the password. this lets you back up your wallet encrpytion key on paper
does this work with multiple apps? can you have separate passwords across multiple apps? prolly not… so then a malicious app could get your odysee password
can you login with zksnarks? proof you know some encrypted string without revealing that string?
tell ppl when their passwords are poor using haveibeenpwned.com
outline what changes sdk has to make
should we store an
updatedAttimestamp for wallet changes?Alternative ideas
no wallets. everything is on-chain and can be restored from seed
store wallet in public cloud (s3, google drive, etc). define storage location in channel claim.
onepwrequirementRelated issues
https://github.com/lbryio/lbry-sdk/issues/2641
References