Cryptographic Challenge of Ownership


#1

Originally spun out of this discussion we need a more robust means of externally verifying ownership of a certificate.

Problem Statement

How do you verify ownership of a certificate? Once we have strong ownership as a core feature of our cert-wallet app, you can prove to yourself that you own a certificate, but how do you prove it to a 3rd party? As an open-source app, the code on a phone can be modified to avoid this check, so just having something that looks like cert-wallet and says it’s owned by the recipient isn’t sufficient.

Proposed Solution

I’d like to use the public/private key nature of the bitcoin address embedded in the certificate to issue a cryptographic challenge that only the owned Recipient could answer correctly. For purposes of this discussion, the Recipient is the person the certificate was actually issued to, the Challenger is the person trying to verify this ownership claim, and an Attacker is someone trying to falsely claim the Recipient’s certificate as their own.

I see two approaches, and I’m not sure which is more secure, more standard, or just better practice:

Approach A

  1. Recipient sends Challenger a certificate.
  2. Challenger generates a secret string as the challenge text.
  3. Challenger encrypts that challenge text with the public bitcoin address embedded in the certificate. Challenger passes that encrypted text to the Recipient, along with identifying information about which certificate Challenger has generated the challenge text for.
  4. Recipient looks up the private key associated with that public bitcoin address & uses it to decrypt the challenge text.
  5. Recipient sends the Challenger the unencrypted challenge text – if it matches the original challenge text then ownership is confirmed.

Approach B

  1. Recipient sends Challenger a certificate.
  2. Challenger generates a secret string as the challenge text.
  3. Challenger sends the unencrypted challenge text to the Recipient, along with identifying information about which certificate Challenger would like proof of ownership for.
  4. Recipient looks up the private key associated with that certificate & uses it to encrypt the challenge text. Recipient passes this encrypted challenge text back to the Challenger.
  5. Challenger attempts to decrypt this response from the Recipient with the public bitcoin address embedded in the certificate. If it decrypts to the original challenge text, then ownership is confirmed.

In both cases, an Attacker would fail to validate ownership because they wouldn’t know what private key was associated with that bitcoin address. They would be unable to complete this signing challenge.

This also has the advantage on working on completely untrusted Blockcert wallet code. Since the Recipient does not generate the challenge text, it doesn’t have the means to beat this cryptographic challenge.

Migration Approach

This feature is purely additive and will have no impact on the current feature set.

Open Questions/Feedback

Which approach?

As I write this, I have a preference for Approach A. In this case, the Recipient never knows the challenge text. If an attacker were able to brute force enough private keys quick enough in Approach B, it could figure out what encrypted payload to deliver so the Challenger would falsely conclude that the Attacker owned it. Not so in Approach A.

What’s good challenge text?

Should it be entered by a user? Should it be a random series of characters? Is there a minimum length or randomness required? Are there any cryptographic holes if an easily guessable challenge text is used?

How are challenges transferred between Recipient and Challenger?

Do we send these payloads as attachments in emails? As universal deep links? Local peer-to-peer communication over bluetooth? QR code scanning? All of the above?

Does a Challenger use the cert-wallet app, or something different?

This use case my be specific enough to merit its own app, although a lot of the models will be shared with cert-wallet. While most institutions (universities, companies, government organizations) will want proof of ownership for another’s certificates, that’s not really common among individual Recipients. I imagine if you’re challenging Recipients on ownership, it’s something you’ll be doing substantially more often than you’d receive a certificate.


Strong Ownership of Certificates in `cert-wallet`
#2

Thanks for spinning this out into a separate topic.

In short, https://fidoalliance.org/ standardizes the challenge/response flows that you describe in Approach A. Fido is undergoing massive adoption right now (I use it for Google, and it can be used for Facebook too). Plus FIDO abstracts you away from the specificity of local authentication methods (there are hundreds of solutions - fingerprint, iris, voice, gesture, etc.)

As you will see from https://fidoalliance.org/how-fido-works/ - is very similar:

Login:
•Online service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
•User unlocks the FIDO authenticator using the same method as at Registration time.
•Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
•Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.

My recommendation is that if a verifier requires a strong proof of ownership (in addition to verifying the cert itself), the wallet should support the FIDO standard. The proof of ownership would use the public/private key combo, and invoke local auth methods if required.

Finally, I don’t think you need to restrict importing of certificates. However, any certificates that require strong proof of ownership will require the private key as well.


#3

Re: My opinion about user experience for owner and verifier during this task. Ideally, the entire process happens as instantly as possible, without needing lots of user interaction.

What’s good challenge text?
Ideally, user/verifier wouldn’t need to type anything other than clicking a button to kick off the challenge. Then, the owner of the cert would simply click another button to sign the cert with their private key. The status of this action would then automatically appear to verifier.

How are challenges transferred between Recipient and Challenger?
Local peer-to-peer over bluetooth would be best. Most situations I can imagine are people wanting to check the person standing in front of them. Of course, other situations would occur as well, but peer-to-peer most powerful.

Does a Challenger use the cert-wallet app, or something different?
I think these are different apps. The needs of a “verifier app” are very different from cert-wallet and probably needs it’s own room to grow features around verification. Plus, the new focus on the cert-wallet having strong ownership requirement for imported certs doesn’t make it a good verifier app.


#4

@Tim I need to dive a bit deeper into what FIDO is. From a quick read of their website, it looks like it’s a means of standardizing authentication for a centralized, online service. While we’d be taking the same public-key cryptographic challenge approach for proving ownership, that’s decentralized and peer-to-peer.

However, maybe certificates (and their public/private key pairs) could be used with a FIDO-enabled online service? That could be a really interesting application.

@Chris for “what’s a good challenge text”, I was talking more the underlying implementation than the experience. The user may just hit a button, but the app still needs to generate something for that cryptographic challenge. I don’t know if choosing a poor challenge text might make the public/private key signing more susceptible to attack.


Strong Ownership of Certificates in `cert-wallet`
#5

@downie I am still figuring out FIDO might fit with the blockcerts wallet scheme, myself. I see lots of potential, in particular for secure travel documents, visas, citizenship status cards, etc.I have been discussing with @Chris on this topic. In my view, all of these docs are going to eventually land on a phone, and blockcerts seems to be the most general, flexible scheme out there.

While FIDO is used for authentication (centralized), it could be re-purposed for de-centralized strong ownership proof of blockcerts. The standard has a challenge response protocol that could be mimicked. For example, you might want to limit which verifiers can be used by forcing them to sign a challenge which must be validated before a response is provided.

Anyway, thanks again for the replies. Looking forward to seeing things develop!

Tim