aboutsummaryrefslogtreecommitdiff
path: root/README
blob: 7ad1925d4f92a9c3c5092970897ecf72917de6ac (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53




WebPAlt -- Web Password Alternative
===================================

Introduction
------------

WebPAlt is a public-key based crypto system for authentication and signature
generation on the web. It does not do identification and is intented to be
used anonymously, to maintain a user account or a session on a web site. In
fact it guarantees anonymity to the user. Even if he or she uses the same
login token on many web sites, the token will appear different to each web
site.

WebPAlt works by assigning each web site a different key pair, to protect
your anonymity, and in order to remove the need for user to keep track of
all key pairs, each key pair is stored encrypted at each web site. The only
data the user has to keep around is the symmetric encryption key which the
private keys are encrypted with.

Technical description
---------------------

First, the user generates a symmetric key and stores it securely (protected
by a password or, preferably, stored on an advanced smart card or USB token).
This key will be used to encrypt and decrypt the private keys.

When authenticating for the first time with a web site, generate a key pair
and encrypt the private key with the symmetric key. Then send the public key
and the encrypted private key to the web site, which stores the key pair.

Later, when authenticating with the same web site again, the user can prove
that he possesses the same symmetric key by decrypting the private key (which
has been stored in encrypted form on the server) and generating a signature.
The server validates the signature with the public key, which is not encrypted.

Advantages
----------

*   Only one key has to be kept be the user.
*   The user can use more than one device, each having a copy of the key,
    without having to synchronize the devices after the key has been copied.
*   It's impossible to connect different accounts, on different web sites,
    that belong to the same user.

Disadvantages
-------------

*   Needs a little more storage space on the server. Instead of storing a
    password we store a public key and an encrypted private key.
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-27 11:22:59 +0000