Solution to storing the posting key...

in #chainbb-suggestions, 7 years ago (edited)


I've thought of a solution to having to store the posting key.

  1. On the server, create a private-public key pair.
  2. On the login form, send the browser the public key.
  3. The browser then uses JavaScript to encrypt the posting key using the public key.
  4. The server then stores the encrypted posting key in the session.
  5. Any time the server needs the actual posting key, it uses the private key to temporarily decrypt it, but doesn't store it.
  6. When the session ends, the encrypted posting key is lost, forcing the user to log in again to use the forum.

Security can be further improved by changing the public-private key pair at periodic intervals, or by using a different pair for each client IP address, or a combination of such methods.


A non-JavaScript version would require the unencrypted posting key to be sent once, upon login, then encrypted by the server and entered into the session. (I say unencrypted; it would still be protected by HTTPS.)

That would unfortunately require the entire operations library to run on the server as opposed to in your browser, wouldn't it?

Right now all operations are performed by your browser, and never actually sent to any of my servers, instead being broadcast directly to the blockchain itself.

Okay, here is a reversed solution...

  1. Client creates ppk pair, encrypts posting key and sends it to server. Stores ppk key pair locally.
  2. Server stores encrypted posting key. (MongoDB? session?)
  3. When client needs the key for upvoting/posting/commenting etc., it gets the encrypted key via AJAX call, decrypts it, does the Steem API wizardry, then forgets it.
  4. On session end, server deletes all record of encrypted key.

I should probably add that in this case public key cryptography is probably redundant and a single key method could effectively be substituted.
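
The reversed scheme above (steps 1 to 4), using the single symmetric key suggested in the follow-up, sketched with the Web Crypto API. This is an added example, not part of the original thread or chainBB's code; `serverSession`, the session id and the posting-key string are constructed stand-ins, and binding the ciphertext to the session id is an added assumption.

```javascript
// Web Crypto is global in browsers; the fallback lets the same code run under Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Hypothetical stand-in for the server's session store: it only ever sees ciphertext.
const serverSession = new Map();

// Step 1 (client): create a non-extractable AES-GCM key that never leaves the browser.
async function createWrappingKey() {
  return webcrypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Step 1 (client): encrypt the posting key; the session id is authenticated as AAD
// (an assumption of this example) so a blob cannot be replayed under another session.
async function sealPostingKey(wrappingKey, postingKey, sessionId) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce each time
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(sessionId) },
    wrappingKey, enc.encode(postingKey));
  return { iv, ct: new Uint8Array(ct) };
}

// Step 3 (client): decrypt just before signing an operation; throws if the blob
// was modified on the server or belongs to a different session.
async function openPostingKey(wrappingKey, blob, sessionId) {
  const pt = await webcrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.iv, additionalData: enc.encode(sessionId) },
    wrappingKey, blob.ct);
  return new TextDecoder().decode(pt);
}

// Walk through steps 1-4 with constructed values.
async function demo() {
  const sessionId = 'sess-constructed-1';
  const postingKey = 'CONSTRUCTED-POSTING-KEY-NOT-REAL';
  const key = await createWrappingKey();
  serverSession.set(sessionId, await sealPostingKey(key, postingKey, sessionId)); // step 2
  const blob = serverSession.get(sessionId);          // step 3: fetched back via AJAX
  const recovered = await openPostingKey(key, blob, sessionId);
  const replayRejected = await openPostingKey(key, blob, 'sess-other')
    .then(() => false, () => true);                   // wrong session: tag check fails
  serverSession.delete(sessionId);                    // step 4: session end
  return { recovered, replayRejected, serverHasBlob: serverSession.has(sessionId) };
}
```

In a browser, the non-extractable `CryptoKey` can be kept in IndexedDB for the life of the session, so page scripts can use it to decrypt but cannot read the raw key bytes.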

Okay. I missed the word local in the warning message. Oops. I probably wouldn't have logged in on a work laptop if I'd realised.


Thank you very much for the advice. A very pleasant day
I follow u, follow me back if u want lot of fun and amazing picture every day.
