Password-less Authentication using Elliptic Curve Cryptography on Blockchain.

The Problem Of Traditional Login Systems

Blockchain technologies has been used to solve major issues in various areas including many business use cases. Sadly, the interaction with these system are based on traditional web logins (Username and Password) which are vulnerable to many attacks if not developed properly with security concerns.

Famous attacks on traditional web logins

1. 77 million Sony Playstation passwords were compromised in 2011
2. 400,000 Yahoo passwords were hacked in 2012
3. 5 Million Gmail passwords released online in 2014
4. Apple’s ICloud login system was compromised which leaked infamous celebrity photos

Popular password managers like LastPass or OnePass which allow the user to generate and manage password can also be compromised. These third-party application stores your password in a centralised server which can easily allow a attack to compromise your login. In 2015, LastPass experienced a data breach that allowed the hacker to expose users’ email addresses, and encrypted password

Why Passwords are vulnerable?

1. Guessing password is too easy these days. It can either be your name, phone number, your birthday etc
2. Dictionary attacks can be used to compromise common passwords
3. Username, and passwords and stored in central servers which gives hackers the flexibility to attack a specific server
4. Difficult passwords are written down somewhere to be remembered which makes it more vulnerable
5. Many passwords are reused in other websites. So, if a attacker knows your login details of one website, chances are the attacker can access your website with the same login.

Common Vulnerabilities in traditional web-login system

1. SQL Injection: According to Open Web Application Security Project (OWASP) SQL injection is rated to be #1 security concern in modern web. Here an attack can craft Structured Query Language (SQL) commands to force databases to leak meaningful information.
2. XSS (Cross Site scripting): XSS is a style of attack where a attacker can inject malicious scripts that can infiltrate your website visitors’ computers. This happen when developers do not test their code properly and allow a loop hole to insert XSS script in their application

Blockchain to the rescue! Going passwordless!

The centralized architecture of the database which stores username and password is the root cause of hacks and vulnerabilities, if it is hacked all data is compromised. Unfortunately, even Two Factor Authentication (2FA) has been proven to be penetrable through social engineering.

There is a quick uptake on passwordless web logins with the help of blockchain. It began in Satoshi Labs where Trezor Connect was developed, which allowed the user to login to participating website simply by plugging your hardware wallet. By leveraging the cryptography (Elliptic Curve) used in bitcoin we can create passwordless login which is more secure that traditional web logins.

What is Elliptic Curve Cryptography?

Elliptic Curve Cryptography is based on Public key and Private key cryptography such as RSA, but ECC is represented in an algebraic structure. However, ECC offer same security as compared with RSA but with smaller footprints. Moreover, it is also less cpu intensive that is ideal for creating faster network and and suitable for mobile devices.

RSA vs ECC

In mathematics, an elliptic curve is a plane algebraic curve defined by an equation of the form. that is non-singular; that is, it has no cusps or self-intersections.

Enough of theory, let’s get practical!

Creating Passwordless-Auth using Ethereum Blockchain, Web3, and Metamask

1. Install Ethereum Test RPC Client to simulate the Ethereum Blockchain

> npm install -g ethereumjs-testrpc

2. Install Metamask chrome plugin to interact with your blockchain app

link: https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn?hl=en

3. Insert a passphrase (seed phrase) to activate your metamask and access your account.

4. run

> testrpc

It generates for you 10 accounts by default

5. Connect one of your account with Metamask using the private key. Click on metamask icon in your account and click on Import New Account. Paste in your private key to import your account

6. Sample Express API

The api expect 3 information

• Signature: Signature which is the data signed by your private key.
• Owner: Which is your public key
• Challenge string: This is a challenge string which is used to create the signature. This signature can vary, it is only use to create unique signatures with your private key

Get Best Software Deals Directly In Your Inbox

The Code decrypts the signature generated and reveal the public key of the of the person who signed it. If the public key matches with the person orignal key, this means that the user has authenticated himself. By using ECC we can cryptographically prove that the address belongs to the person who signed the data.

7. Sample frontend to trigger the signature with MetaMask

In this code you generate a signature by signing it with your valid private key using a challenge string. After generating the signature, we pass this signature to the server side api when the signature gets decrypted and compared with your public key that authenticate your identity. Once it is authenticated, the backend issues a JWT for the user to allow to access the website. Else, if the user is not authenticated no JWT is issued.

Signing the challenge string with metamask

Read more:

1. Follow me for more: https://www.engineerability.com

Conclusion

By leveraging Ethereum Blockchain technology, Elliptic Cryptography, and Metamask we can bypass and authenticate ourself without the need of any passwords, and it arguable has better security than traditional login system based on Username and Passwords. To impersonate the user the hacker must know the public key and private key of the user. Also, he requires the seedphrase to login to his metamask. Common attacks such as XSS, SQL injection are bullet proof and will fail against this technique because there is no central server where the login information is stored. Even guessing the right combination of private and public key will fail because of gas price in the main Ethereum Net, each time the user signs a gas price has to be paid, eventually the hacker needs to try various combination which will cost him a lot. By this technique we have fewer forgotten passwords, very secure login, and happy user base :)

We successfully created Identity As A Service (IDAAS)using blockchain

References

Github: https://github.com/SaifRehman/identity/tree/master/myapp

Click to know more about cryptography