1. What is this about?
More than 80% of all stolen data and hacked accounts stem from passwords leaked in other, unrelated attacks. Most users reuse the same password across at least several different internet services, and many of them are not aware of how web security works or what rules they should follow. Once their password leaks from some xyz.com website with poor security, it puts in jeopardy all of the other accounts they have signed up for with the same username/email and password combination. Granted, most services these days use social signup and login via OAuth protocols. Even so, if you sign up on some of the smaller services with your email, your social and authentication provider accounts can be under threat in case of a data breach.
You can check if some of those data leaks have compromised your cybersecurity on this website.
2. How does the current authentication work?
Almost no service stores your password in plain text; it usually stores a hashed (scrambled) version of it. Furthermore, in most of these data leaks, passwords leak in the form of a hash, which means that an attacker cannot successfully use them on other websites.
However, in some cases, attackers listen to communications on the server and collect HTTP logs in which requests from client applications (browsers, mobile apps, etc.) carry credentials in plain text. For instance, there was an issue at Twitter which resulted in 320 million passwords being stored in HTTP logs. The investigation showed that there was no misuse of this data and the problem was fixed later, but data leaks in big systems like this are not rare at all.
Sometimes passwords get hashed with SHA-1, MD5 or some other weaker hashing algorithm. In the case of Yahoo, where 3 billion user accounts were compromised, the passwords had been hashed with MD5.
There are several weak spots in today’s authentication processes, but our focus is on sending the plain-text password over the network. Storing password hashes should be easily solved by using a more secure algorithm (a lot of companies just get lazy with security and this might be the reason why they don’t do it on time).
Instead of sending a plain password over the network and through all of this internet infrastructure, we will try to make a “Zero-Knowledge Proof of Computational Integrity” for the hashing function. We will prove that we know the password without revealing it to the server.
3. What are “Zero-Knowledge Proofs“?
Zero-knowledge proofs, a not-so-novel concept in cryptography, are used to probabilistically prove that party A (the prover) has some information without revealing this information to party B (the verifier).
While I am aware that there have been implementations of ZKPs for authentication, there are no free solutions out there for developers to use and this fact hinders the adoption of such protocols.
If you wish to learn more about zero-knowledge proofs you can refer to this website as a starting point. I will not go into details in this blog post.
4. Proposed Architecture
After some research on several different components which could be used to develop an authentication client/server library like this, I have settled on OpenZKP, written in Rust with examples for several different use cases of zero-knowledge proofs.
OpenZKP has a few distinct features I liked:
- It is written in Rust and doesn’t have to be run in a Docker container;
- It can be compiled to WebAssembly and run inside a browser application;
- It can be compiled to a binary and interfaced from any other server-side language;
- It uses ZK-STARKs, which are the most advanced zero-knowledge proof algorithm to date.
The idea is to create a proof every time we log in. To enforce that the proof has been created at a certain time, we will use a public source of randomness, such as the header of the latest block on the Ethereum mainnet (I may change this later).
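An added example, not from the original post or from OpenZKP: a login proof bound to a public beacon value, as described above. It swaps in a Schnorr proof of knowledge (Fiat-Shamir) for the ZK-STARK the post proposes; the toy group, PBKDF2 parameters, function names and beacon bytes are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, for illustration only: the Mersenne prime 2**521 - 1. Its order
# P - 1 is composite, so a real deployment needs a standard prime-order group.
P = 2**521 - 1
N = P - 1   # exponents are reduced modulo the group order
G = 3

def _b(n: int) -> bytes:
    return n.to_bytes(66, "big")   # 521 bits fit in 66 bytes

def _challenge(y: int, t: int, beacon: bytes) -> int:
    """Fiat-Shamir challenge over the full transcript, beacon included."""
    h = hashlib.sha256()
    for part in (_b(G), _b(y), _b(t), beacon):
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def secret_from_password(password: str, salt: bytes) -> int:
    """Stretch the password into the secret exponent x (never sent)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return int.from_bytes(key, "big") % N

def register(password: str, salt: bytes) -> int:
    """Signup: the server stores only y = G^x mod P."""
    return pow(G, secret_from_password(password, salt), P)

def prove(password: str, salt: bytes, beacon: bytes) -> tuple[int, int]:
    """Login, client side: prove knowledge of x for this beacon value."""
    x = secret_from_password(password, salt)
    k = secrets.randbelow(N)          # fresh nonce for every proof
    t = pow(G, k, P)
    c = _challenge(pow(G, x, P), t, beacon)
    return t, (k + c * x) % N

def verify(y: int, proof: tuple[int, int], current_beacon: bytes) -> bool:
    """Login, server side: check G^s == t * y^c for the beacon it trusts now."""
    t, s = proof
    if not (0 < t < P and 0 <= s < N):
        return False
    c = _challenge(y, t, current_beacon)
    return pow(G, s, P) == (t * pow(y, c, P)) % P
```

The server stores only `y`, yet a leaked `y` can still be guessed against offline like a password hash, which is why the password is stretched before use.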
Now, the goal of this small project is to have fun and learn something new. Hopefully, we can also impact the way authentication on the internet is being done. I will be updating you on progress here with upcoming articles. If you are interested in contributing or just talking about the topic, feel free to contact me through this contact form.
Stay safe. (Use safe passwords, care about security)