Verify user's private key for website login

I'm trying to implement a login system to sign into a website using public key authentication. I'm not sure if this is feasible.

This is what I plan to do:

  1. While signing up, user's public key is saved in the website.
  2. When the user tries to login later, the website asks the user for his corresponding private key.
  3. User is authenticated if the private key matches the public key which the user provided while signing up.

I have seen sites like startssl.com asking for the user's private key to verify their identity (see the screenshot attached). So what does it take to implement such a system?

[Screenshot: website asking for the user's private key]
asked Apr 07 '12 15:04 by Sparky


1 Answer

Just to clarify the flow

  1. The user signs up, using the plain old username and password pair. He is also asked to enter at least one public key (other ones can be added later from a profile administration panel)
  2. The server stores the user's public key and associates it with the user in a certificate
  3. Next time the client makes a request presenting his certificate (this should be handled by the browser, thus happening transparently to the user), the SSL engine on the server side checks whether it knows the client; if it does, the request is processed and the application code authenticates and authorizes the user, since it knows the link between a public key and a user. If the client is not identified, the server should redirect to some page to allow signing up or manual login (maybe to add a new public key)
answered Sep 28 '22 01:09 by Raffaele
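The answer's flow has the server hold only the registered public key and lets the proof of possession happen at connection time, inside the TLS handshake. The Go program below is an added illustration, not code from the question, the answer or startssl.com, showing the same idea without TLS: at signup the server stores an Ed25519 public key; at login it issues a random, single-use, expiring nonce; the client signs the nonce with a private key that never leaves the client; and the server verifies the signature with the stored public key. The type and function names (`Server`, `Signup`, `BeginLogin`, `FinishLogin`, `ClientSign`), the `example-site-login:` domain prefix and the two-minute challenge lifetime are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server holds the state a site needs for public-key login: the public keys
// registered at signup and the login challenges currently outstanding.
// (Hypothetical type for this example.)
type Server struct {
	mu         sync.Mutex
	pubKeys    map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string]challenge         // hex nonce -> pending challenge
	ttl        time.Duration                // how long a challenge stays valid
}

type challenge struct {
	user    string
	expires time.Time
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}, ttl: ttl}
}

// Signup stores the user's PUBLIC key only; the private key is never sent.
func (s *Server) Signup(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.pubKeys[user]; exists {
		return errors.New("user already registered")
	}
	s.pubKeys[user] = pub
	return nil
}

// BeginLogin issues a fresh random nonce bound to the user and valid for ttl.
func (s *Server) BeginLogin(user string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubKeys[user]; !ok {
		return "", errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	id := hex.EncodeToString(nonce)
	s.challenges[id] = challenge{user: user, expires: time.Now().Add(s.ttl)}
	return id, nil
}

// FinishLogin checks the client's signature over the nonce against the key
// registered at signup. The nonce is consumed on first use and expires, so a
// captured signature cannot be replayed later.
func (s *Server) FinishLogin(user, nonceHex string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	ch, ok := s.challenges[nonceHex]
	delete(s.challenges, nonceHex) // consume the nonce whatever the outcome
	if !ok || ch.user != user {
		return errors.New("unknown or mismatched challenge")
	}
	if time.Now().After(ch.expires) {
		return errors.New("challenge expired")
	}
	nonce, err := hex.DecodeString(nonceHex)
	if err != nil {
		return err
	}
	if !ed25519.Verify(s.pubKeys[user], loginMessage(user, nonce), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

// loginMessage binds the signed bytes to this site, purpose and user, so a
// login signature cannot double as a signature over arbitrary data elsewhere.
func loginMessage(user string, nonce []byte) []byte {
	return append([]byte("example-site-login:"+user+":"), nonce...)
}

// ClientSign is the client's side: sign the challenge with the private key,
// which stays on the client (in a browser or agent, this is done for the user).
func ClientSign(priv ed25519.PrivateKey, user, nonceHex string) ([]byte, error) {
	nonce, err := hex.DecodeString(nonceHex)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, loginMessage(user, nonce)), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(2 * time.Minute)
	_ = srv.Signup("alice", pub)
	nonce, _ := srv.BeginLogin("alice")
	sig, _ := ClientSign(priv, "alice", nonce)
	fmt.Println("login:", srv.FinishLogin("alice", nonce, sig))  // <nil>
	fmt.Println("replay:", srv.FinishLogin("alice", nonce, sig)) // rejected: nonce already consumed
}
```

The server-side checks are the ones worth keeping whichever transport carries the exchange: the challenge is random and per-login, it is tied to the user it was issued for, it is deleted before the signature is examined, and the signed message carries a site-specific prefix. With TLS client certificates, as in the answer, the handshake's CertificateVerify message plays the role of the signed nonce and the browser performs the client side automatically.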