NIP199 - a simple username password login

[earonesty]

simplified username/password login for nostr:

• create new username and password:

  • stretched-key = pbkdf2(c=100000, dklen=32, salt=username, data=password)
  • post a kind 30669 event:
    • content="",
    • tags:
      • "private", aes(nostr-private-key, stretched-key)
      • "d", hex(sha256(stretched-key))

• login using username

  • run a pbkdf2(c=100000, dklen=32) to get a stretched-key
  • query for kind 30669, "d", hex(sha256(stretched-key))
  • decrypt "private" tag

• change/reset password:

  • enter recovery words
  • same as create

or does this already exist somewhere?

[fiatjaf]

If you present people with a username/password login they will assume there is a way to click on a "forgot password" button.

[earonesty]

no reason that can't work. you can encrypt your key for a custodian if you want to (post it, custodian doesn't even have to be online... then later if you lose your pw, they can email you at the address in the encrypted post to verify).

seems like it would have to be optional though. not everyone wants poor security in exchange for safety. better to show bip39 "recovery" words to write down or print out.

example of a custodial recovery protocol on nostr:

• custodial advertisement:

  • kind 30666
  • content="Hey all, i'm willing to be a custodian, I support SMS and EMAIL recovery of things. 2FA is required!"
  • tags=[["url", "https://custody.me"], ["auth", "sms"], ["auth", "email"], ["otp", "otpauth://url"]]

• custodial storage of something... custodian has access now. this can be a threshold key computed using a sorted set of custodians using lagrange interpolation with the hash(pubk) as the x axis values. choose 2 or more custodians, add more p tags, and specify the threshold M chosen (if you choose 5, and M is 3, then any 3 of 5, for example). must compute the threshold public key if M > 1.

  • kind 30667
  • content=nip44encrypt({custodian-public-key, stringify({data: "some-data", name: [optional name that might help you remember what this is about], emails: [email-address-list], sms: [sms-list]}))
  • tags: ["d", "some-tag"], ["p": "custodian-public-key"], ["m": "1"]

• custodial recovery ephemeral request (specify an email address, or sms number to recover with):

  • kind 20668
  • content=nip44encrypt({custodian-public-key, stringify({email: [email-address], otp-code: <if needed>, pubkey: req-pub-key}))

  • tags: ["d", "some-tag", "p": "custodian-public-key"]

    (custodian should remain online at all times, and respond quickly. old events should be ignored)

• custodial recovery ephemeral response:

  • kind 20669
  • content=nip44encrypt({custodian-public-key, decrypt(matching stored data. this can be a partial decryption))
  • tags: ["d", "some-tag", "p": ""]

  custodian just computes the privk*epubk and hands it to the client if the email, sms, and otp worked. in the case of m==1 (or in sybil/coordinated attacks), the custodian could also, technically, access the data. otherwise, this is not possible