New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client-side encrypted server side storage for private key #48

Open

brenzi opened this issue Jul 2, 2024 · 0 comments

Contributor

brenzi commented Jul 2, 2024 •

edited

Loading

similar to protonmail PGP key storage, we could sign TOPs with a client-side in-memory private key without the UX worries of key custody.

onboarding:

user picks a username and a strong passphrase
enclave ensures the username doesn't exist yet in the db
client generates a private key and caches it for the session (localstorage)
client encrypts private key with passphrase
client sends encrypted blob to enclave together with username
enclave encrypts both username and encrypted key again and stores them in a db (external to enclave)

later revisit (i.e.from different device):

user enters username
enclave looks up the encrypted username in db and returns encrypted private key
user enters passphrase
client decrypts private key and caches it in localstorage

notes:

enclave/server never sees the passphrase
enclave/server never sees the private key and could never sign messages

caveats:

an attacker can guess usernames, retrieve the encrypted private key and brute-force passphrases

brenzi mentioned this issue

serve session keys as proxies with roles integritee-network/worker#1654

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment