In today's reality, the basic way for a server to authenticate a client is through a system of logins and passwords. We are all familiar with this system, alright. Using any website or a platform for the first time we create a pair login-password to confirm our further visits. It looks pretty simple, however, this system has a number of disadvantages, which we all are aware of.
These disadvantages, e.g. weak passwords, the complexity of password management, the need to keep a separate password for each platform or website, high chances to lose or forget passwords, create a breach in the system making our personal data vulnerable to unauthorized access.
News about hacks and hijacks are coming with an alarming regularity lately. Nobody can be completely sure their data is safe, as the root of the problem is not the hacking as such, but the centralized storage of user data, including passwords and password hashes, used to restore them.
Solutions for securing user data
For searchers to ensure a high level of security of users’ data a few alternative solutions came out. The most widespread among them is SSL (Secure Socket Layer) which provides identity verification and security, so the user knows he is connected to the correct website and no one can bug on him. This is how the theory goes.
In practice, SSL appears to be a little bit messier. And this messiness arises mostly due to a sheer number of certificate authorities, their mistakes in verifying a validity of addresses for which security certificates are issues and still possible man-in-the-middle attacks.
Last year, HashCoin started playing around the idea of creating the world’s first decentralized system of digital key management based on Emercoin Blockchain - emcSSL.
Eliminating central authorization channel
EmcSSL is based on client SSL-certificates but also relies on client authentication. As a result, it provides a secure encrypted channel of communication with the server, all in a single package. Unlike other SSL systems, there is no central Certificate Authority (CA) - the role of CA is performed by the Blockchain of the decentralized cryptocurrency Emercoin, which is ideal for developing a decentralized authorization system.
“Emercoin is built on top of NVS technology which allows storing massive amounts of data, up to 20 KB. It is sufficient to store certificate data,” says Nikolay Pavlovskiy, CTO at HashCoins. “It is possible to build various technological solutions on top of NVS - domain name system, a system for distributing of SSH public keys and many others.”
According to Pavlovskiy, these solutions have demonstrated their efficiency. He assures that this is one of distinguishing features of Emercoin Blockchain makes it ideal for developing a decentralized authorization system.
The Emercoin Blockchain serves as a trusted storage for SSL certificate hashes and provides a unique User IDs, therefore offering solutions for two crucial problems. First of all, it ensures non-disclosure of confidential user’s data.
Secondly, it eliminates the need for centralization, allowing the system to scale up to the global level. Within the system, client SSL-certificates are generated and updated completely on the client side without restrictions or need for interaction with another party.
Let’s look into how good is the idea of having end users responsible for their own security infrastructure?
How it works
So, the power comes to the user’s hands, as he is the one who is responsible for issuing the security certificate and keeping it safe. He receives an all-in-one pass to all the platforms that he is using, which does not depend on any website, any certifier, basically nobody, but the user. How exactly does it work?
When you visit an emcSSL-enabled site, the site requests your browser to present a client certificate. If the client has no certificate or doesn't present one, the server, depending on the settings, can switch to a traditional password authentication system or refuse to proceed.
If the certificate exists, you submit it and the browser automatically associates the server with a certificate. Upon receiving a certificate, the server, in turns, checks its signature. Successful signature verification proves that the certificate was generated for the emcSSL system.
The server generates a random number (session password), encrypts it with the public key of the presented certificate, and sends it to user’s browser. The session password is established for this and only this connection. The browser extracts the private key and uses it to decrypt the password sent by the server to establish a secure https connection with the server.
In this system, the private key never leaves the user’s computer. Even if a certificate is intercepted while being transmitted over the network no one but the user can use it because an attacker will not know the private key.
“In case somebody steals your device, they can get access to the websites under your credentials,” explains Pavlovskiy. “However, with Emercoin the user can easily withdraw his certificate if he finds that the system has been compromised.”
Withdrawal of a certificate can be a real problem in systems that do not deploy Blockchain technology. A certificate authorizes the user’s device. To ensure the security of important data, for example, about the finances, it is necessary to use additional security layers.
emcSSL Blockchain architecture
How does the server behave once it made sure that the client has a valid private key? It checks the certificate against the information in the Emercoin Blockchain.
For this purpose, it extracts the certificate serial number and performs an EMC NVS search on this serial number to obtain a certificate hash that user uploaded to Blockchain. The server calculates a checksum for the newly received certificate against the corresponding serial number in the Blockchain.
In other words, the server confirms that the client's certificate, which contains the serial number N – is the same client who previously visited with the same serial number N, because this serial number can be registered only once within Emercoin's NVS subsystem. In case an attacker generates another certificate with the same serial number, they wouldn't be able to upload the same checksum to the Blockchain, as it is already taken by the user.
If they generate a certificate with a different serial number - it will have a different UserID, and the server would create a separate account. Besides, the emcSSL Blockchain architecture allows a quick withdrawal of a compromised certificate and its immediate replacement unlike CRL and OCSP protocol vulnerable to MITM attacks.
Methods of implementation
Generally, emcSSL is great and secure but lacks a simple method of implementation. “The main challenge in the process of integration of this solution is to ensure a balance between security itself and convenience for a user,” explains Pavlovskiy. “If you want to obtain a security certificate in one click, you will need to refer to some authority. It is convenient, but not secure. If you want to issue certificate all by yourself, you’d need to be a tech-savvy person and perform a number of manipulations.”
At the moment, classic emcSSL operates only in Emercoin pool and the Emercoin web wallet. One of the problems revolving around the integration of emcSSL concerns rather strict qualification requirements to site administrators.
“For this particular reason we decided to create Authorizer as we believe it would significantly simplify the process of integration of our solution,” continues Pavlovskiy. “Let’s say you are running a website on WordPress, connecting it to emcSSL will take only a few minutes and basically anyone can do that even not having programming skills.”
Pavlovskiy says to Cointelegraph:
“Now we are focusing on the development of authorization modules for popular CMS. Module for WordPress is completed, the next would be Drupal and others. We are using a standard oAuth2.0, therefore it won’t be difficult for experienced programmers to integrate it in their projects. Once the testing is completed, we are planning to add emcSSL authorization in HashFlare service, which has more than 500K active users.”
It is hard to say how much time it will take to transition to a passwordless authorization completely. At this particular moment, the Authorizer project is mainly targeted to the cryptocommunity. Hacks and interceptions of passwords represent a big problem for cryptobusinesses, and HashCoin is trying to the draw attention of industry leaders to this problem and seeks to cooperate on the integration of their solutions.