Georgia-based bitcoin merchant processor BitPay has launched a project that leverages bitcoin technology to facilitate a decentralized authentication system.
Called BitAuth, the system uses cryptographic signatures in place of server-side password storage.
For IT administrators, password storage is common security problem because a breach can potentially leak customer authentication information. Bitcoin core developer and BitPay employee Jeff Garzik conceived some of the concepts to make BitAuth a reality.
Garzik told CoinDesk:
“Replacing passwords with digital signatures is not a very original idea. [But] digital identity is going to be a key technology for the future.”
The news follows BitPay’s previous foray into making technology improvements with cryptographic systems.
The company, which recently raised $30m in venture funding, released Bitcore in February, an open set of JavaScript libraries used to better interface with the bitcoin protocol.
How it works
BitAuth shares characteristics with bitcoin technology by using the same elliptic curve cryptography, but it introduces a System Identification Number (SIN), which is outlined on the Bitcoin Wiki.
Essentially, a SIN uses a cryptographic key pair to sign transactions with a server for authentication purposes.
The secp256k1 parameter elliptic curve used in bitcoin and for BitAuth. Source: WikipediaWith BitAuth, users would still authenticate with a conventional login and password combination. But, that information would only be stored locally, also known as client-side. The local login process would only be used to facilitate sending a private key to a remote server for access purposes.
To ensure that each authentication session is unique, every time a user releases a private key it is signed with a public key on a remote server and a nonce is generated.
Cryptographic nonces are randomized strings used only once for the purpose of a session identifier.
Security issues
Web breaches exposing identifiable information have been a problem for large companies as of late, as evidenced by major events affecting eBay, PF Changs, Target and Verizon. Though, such events could potential threaten the bitcoin industry.
Garzik says that using his SIN system with BitAuth can reduce the issues that many IT departments face in terms of digital identity. SINs can be attached to identities, or they could be obscured with non-identifiable information.
Garzik told CoinDesk:
“[BitAuth] is as anonymous, or not, as you choose. At a minimum, public keys are revealed to external parties.”
Further, Garzik says that BitAuth’s trustless properties can enable an improved experience for everyone.
“What makes the SIN proposal unique is that SINs are decentralized, as anonymous as you want them to be, digitally secure, capable replacements for website username/password, and most of all, extensible to any system that may be covered by hashes,” he said.
Not just a concept
The announcement is also notable given the recent criticisms levied by developers regarding the lack of improvements to bitcoin’s infrastructure. For example, experts like Mike Hearn have said that bitcoin as a software project is underfunded and needs attention to ensure for continued progress.
BitPay’s Stephen Pair recently told CNBC that Visa and MasterCard will eventually ‘leverage’ bitcoin, which might be why the company wants to establish secure technical tools such as BitAuth and Bitcore for developers at these larger financial companies.
Those wishing to engage with BitAuth can now do so. BitPay has a GitHub repo dedicated to the project, and there is also a BitAuth chat room hosted on Gitter.
Disclaimer: CoinDesk founder Shakil Khan is an investor in BitPay.
Login image via Shutterstock
authenticationbitcoreBitPayidentitysecurity
Original author: Daniel Cawrey