Monero Crypto-Lock

in monero •  7 years ago  (edited)

MoneroCrypto-Lock.png

Are you tired of having to remember all the usernames and passwords you have for various web sites? Are you comfortable relying on the security professionals of those sites to protect your personal information and protect you from identity theft? How much personal information do these sites really need to deliver value added services?

I’m of the opinion that they really don’t need my personal information to deliver the services I desire. Rather, they want my personal information so that they can make money selling it to others. To sell me things, they think, I need.

Wouldn’t it be nice if we were in control of managing our personal information? If we were in control of whether or not to reveal our identity to others? If we could decide what we wish to reveal, to who, and when? If we were the ones who benefited financially when our personal data was sold to others?

I believe we are past, or are getting to the point, where we need to ask ourselves, what happened to that thing they call privacy? Especially when it comes to financial privacy. It’s time to move in a different direction before we pass that point of no return.

Introducing Monero Crypto-Lock

What if we could uniquely identify ourselves to a website simply by providing a cryptocurrency wallet address. The website wouldn’t even need to know my name, address, telephone number, email address, credit card number, race, sex, etc.

What if we were to start off anonymously. Then as we develop a relationship, we begin to offer additional information. When there is a compelling reason to provide such information. I object to providing my name, address, and credit card information, simply because I might buy something from you at a later date.

Or that approach of a free trial - if you give us your financial information so that we can bill you after the free trial - you can always cancel later. That’s just taking advantage of people!

I believe that cryptocurrency is an evolution of money, that the days of government controlled fiat money are numbered. My thought is why not provide a new model, a different approach. Let people see it, think about it, and see where it goes.

One of my heros, Buckminster Fuller once said (something like): “You never change things by fighting the existing reality. To effect meaningful change, create a new model that renders the existing model obsolete.”

So let me introduce a new model that I call - Monero Crypto-Lock.

Privacy is Important

The Monero cryptocurrency project has done a great job producing a cryptocurrency that provides individuals with financial privacy. Monero transactions are secure, untraceable, unlinkable, and the amount of value transferred in transactions is unknowable as a result of confidential transactions. So at the blockchain level, Monero is arguably, the leading privacy coin at present.

The Monero community is also focusing on providing privacy at the network layer which connects the blockchain. They are developing Kovri, a C++ implementation of the I2P end-to-end encrypted overlay network, and integrating it into the Monero code base.

Looking into the future, I think financial privacy will become even more important than it is today. We will need to focus on developing the digital infrastructure necessary to enable privacy and anonymity in our evolving digital ecosystem.

One important foundational need that I see involves standardizing the means to authentication. Secure authentication will need to enable man and machine interfaces (think IoT and AI). The ability to support secure and anonymous authentication will be an important feature moving forward. The days of having to remember a multitude of usernames and passwords should be placed behind us!

Usernames and passwords are not very secure and we can do better!

Public-key cryptography provides an elegant approach to secure, anonymous authentication and its built-in to Monero and other cryptocurrency platforms.

Essentially, the process to securely and anonymously authenticate to a digital resource using a cryptocurrency address (i.e., public-key cryptography) goes like this:

  1. Someone, or something makes a request for authentication identifying themselves using a cryptocurrency address.
  2. The entity responsible for authenticating such requests (the gatekeeper), submits a challenge (data string) to the requester.
  3. The requester digitally signs the challenge (data string) with the private-key of the cryptocurrency address and submits the cryptocurrency address and digital signature to the gatekeeper.
  4. The gatekeeper then verifies that the digital signature submitted is a valid signature of the cryptocurrency address for the challenge (data string). If it is valid, then the requester is authenticated. If it is not valid, authentication is denied.

A valid signature of the challenge (data string) essentially proves that the entity has possession the private key corresponding to the cryptocurrency address requesting authentication.

So in essence, the cryptocurrency address is the identifier of the entity requesting authentication. Being able to provide a valid digital signature of the challenge (data string) on behalf of the cryptocurrency address, proves without a doubt, that the requester has possession (is the owner) of the cryptocurrency address.

Eric Larcheveque described this approach when he submitted the Bitcoin address authentication protocol (BitID).

For Bitcoin (in BitID) as well as Monero (Crypto-Lock), a public cryptocurrency address is used as the identifier for authentication.

Since I place such a high importance on privacy, I prefer an implementation of this approach to authentication using Monero rather than Bitcoin. It only requires the use of a Monero wallet and a couple of Monero commands (get-address, sign and verify).

So being able to securely and anonymously authenticate to a digital resource such as a website, using nothing more than a public Monero address is a big first step! I could purchase a digital product, pay with Monero, and download the digital product without having to provide any information other than my Monero address.

I don’t have to worry about my credit card information being misused or stolen. I don’t have to provide my billing or shipping address, which is irrelevant in the context of the transaction and unnecessary for me to divulge.

If it turns out that I need to provide my personal identity, I can do so. It would be my decision. The unique identifier for my identity information could be linked to my Monero address. There are better ways of managing identity where we manage the data ourselves rather than handing it over to a trusted intermediary to manage. That’s a longer discussion that I will address at a later date.

To provide a genuine demonstration of secure, anonymous authentication using this approach, I have developed a simple nodejs web application on the I2P network. The web application can be found at:

http://lrqks3cdoh5d6arrkng4njdbykveytbdzu4dl2tqizs7mnlwz7ka.b32.i2p/

(You must have access to an I2P router and be connected to the I2P network to reach this web application. The I2P network is used for privacy and to enable anonymity. )

The first screenshot below shows the data entry screen for the authentication demonstration.

Demo1.png

When the fields are properly filled in and the Submit button is pressed, the application verifies the signature and communicates “Success” on a valid signature or “Failure” on an invalid signature, as shown below:

Demo-2.png

If your using the monero-wallet-rpc, then you basically need to issue two commands (getaddress and sign), then copy and paste the resulting text into the web application:

For the monero address:
curl-1.png

For the digital signature, issue the sign command. The monero-wallet-cli actually involves the signature of a file, not a string. The monero-wallet-rpc sign command accommodates a string for signing.

The following command would perform the signing using the monero-wallet-rpc
curl-2.png

The signature obtained from the above command would then be placed in the Signature field in the demo application.

Using the Monero GUI Wallet is a much simpler interface. To get your address, click the “Receive” tab and copy your address to the clipboard:

Monero-gui-address.png

For signing, click “Advanced->Sign/verify, enter the challenge string in the message field at the top of the screen. Click the Sign button, then paste the signature string into the clipboard.

Monero-gui-sign.png

You can create a brand new Monero wallet just for use with Monero Crypto-Lock. The wallet doesn’t need to contain any money or ever have to hold XMR. Additionally, wallets only used for Monero Crypto-Lock do not need to be on a synchronized blockchain. In my Monero Crypto-Lock applications I run the monerod (daemon) with the --offline parameter. The address, sign, and verify functions do not need an up-to-date blockchain to work properly.

You don’t have to use your financial wallet Monero address for Monero Crypto-Lock use cases.

You can, but you don’t have to.

Wrap-up
I have given the project the name Monero Crypto-Lock because, conceptually, it is a model that resembles a digital/programmable lock that can be used for much more than authentication. I’m currently in the process of writing a whitepaper describing the protocol and presenting a number of example use cases. A few of which are:

  • Authentication and Authorization (A&A)
  • Encrypting and Decrypting files
  • Digital Lock-Box
  • Physical devices with embedded single-board computer interfaces
  • IoT
    and more.

I’m in the process of building an actual digital service provider example on the I2P network (also made available as a Tor hidden service) where services are purchased with Monero. The goal is to provide a working reference model.

I will be depositing the whitepaper, code examples and documentation in the following github repository: https://github.com/dougbebber/Monero-Crypto-Lock

My hope is that others will study the content of this repository, adopt the protocol and build it out to develop the foundations and digital infrastructure necessary to enable our secure and anonymous ecosystem moving forward.

References

BitId - https://github.com/bitid/bitid/blob/master/BIP_draft.md
Why Monero - https://steemit.com/bitcoin/@dnaleor/on-fungibility-bitcoin-monero-and-why-zcash-is-a-bad-idea
Bitcoin addresses - https://en.bitcoin.it/wiki/Address
Monero addresses - https://getmonero.org/resources/moneropedia/address.html
Wendy McElroy - The Satoshi Revolution - The Moral Imperitive of Privacy - https://news.bitcoin.com/the-satoshi-revolution-by-wendy-mcelroy/#section-2
CryptoNote whitepaper - https://cryptonote.org/whitepaper.pdf
Annotated CryptoNote Whitepaper - https://downloads.getmonero.org/whitepaper_annotated.pdf
I2P - https://en.wikipedia.org/wiki/I2P
Monero Kovri project - https://getmonero.org/resources/moneropedia/kovri.html
Crypto Izzy - The Bitcoin Flaw: Monero Rising - https://cryptoizzy.blogspot.com/2017/11/the-bitcoin-flaw-monero-rising.html
Crypto Izzy - The Power of Money: A Case for Bitcoin - https://www.scribd.com/document/360363481/The-Power-of-Money-A-Case-for-Bitcoin

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

The github repository has been moved to: https://github.com/monero-ecosystem/Monero-Crypto-Lock