Changes between Version 3 and Version 4 of ProofOfOwnership


Ignore:
Timestamp:
Feb 16, 2019, 8:21:46 AM (5 years ago)
Author:
Christian Beer
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • ProofOfOwnership

    v3 v4  
     1[[PageOutline]]
     2
    13= Proof of Account Ownership =
    2 Provides your users a proof of BOINC project account ownership using OpenSSL public key cryptography.
     4Provides a proof of project account ownership for users of a BOINC project using public key cryptography (SHA512 signature).
    35
    46The user enters a message which is signed alongside their account ID using the project's private key, providing a standardized proof of account ownership to external systems.
     
    810== User guide ==
    911=== Instructions ===
    10  1. Login then navigate to the 'Proof of Account Ownership' page.
    11  1. Enter the message you wish to be signed alongside your account ID.
    12  1. Complete the captcha then submit the form.
    13  1. A text box will appear, copy and save the full contents to an xml file.
     12 1. Login then navigate to the 'Proof of Account Ownership' page (usually on the "Your Account" page).
     13 1. Enter the message you wish to be signed (typically supplied by the website that wants you to provide the proof of ownership).
     14 1. Submit the form.
     15 1. When successful the ownership proof will be shown on the website, copy and use the full contents to proof ownership of your account.
    1416
    1517=== Example XML output ===
     
    2123</account_ownership_verification>
    2224}}}
     25
     26
    2327== Project administrator guide ==
    2428=== Changes to web server ===
     29See modifications introduced by [https://github.com/BOINC/boinc/pull/2965 PR#2965] if you want to cherry-pick the commits.
    2530{{{
    2631html/inc/util.inc - fixing ttok warnings
     
    3237}}}
    3338=== Changes required to integrate this functionality: ===
    34  1. Have the latest stable OpenSSL installed on your BOINC web server.
    35  1. Install the latest  BOINC PR2965 web server changes
    36  1. Configure reCAPTCHA for the form.
    37  1. Generate OpenSSL keys in the /project/keys/ folder:
     39 1. Have a recent version of OpenSSL installed on your BOINC webserver that is used by PHP.
     40 1. Install the latest BOINC [https://github.com/BOINC/boinc/pull/2965 PR#2965] web server changes
     41 1. (optional) Configure reCAPTCHA in your `config.xml` so the form is protected.
     42 1. Generate necessary OpenSSL keys in the /project_root/keys/ folder:
    3843
    3944{{{
     
    5156
    5257=== Security ===
    53 The private key needs to remain on the web server, however if this key is compromised then proof of account ownership could be forged. It's important to maintain an updated and secure BOINC project web server to reduce the risk of this happening.
     58The private key needs to remain on the web server, however if this key is compromised then proof of account ownership could be forged. It's important to maintain an updated and secure BOINC project webserver to reduce the risk of this happening.
    5459
    55 If you believe that the private key has been compromised,  simply generate a new key pair to start from scratch, users will need to regenerate their signed messages to maintain a current proof of account ownership on external systems.
     60If you believe that the private key has been compromised, simply generate a new key pair to start from scratch, users will need to regenerate their signed messages to maintain a current proof of account ownership on external systems. In that case you might want to create a news item to inform users.
    5661
    57 ----
    58 == Verifying signed messages ==
     62
     63== External systems guide ==
     64=== Verifying signed messages ===
     65The content of the `signature` tag is a base64 encoded SHA512 signature of the content of the `msg` tag. See [https://boinc.berkeley.edu/trac/wiki/ProofOfOwnership#ExampleXMLoutput Example XML output] section above. Basically everything you need to verify the signature is in the XML snippet. You can use the `<master_url>` to get the public key, which is published in the XML output from `get_project_config.php`.
     66
     67The following scripts and procedures are just examples. You should create your own process on how the user needs to supply the generated XML snippet to you and how you do the verification. Also keep in mind that the structure of the snippet might be modified in the future and might differ slightly between projects.
     68
    5969=== Pre-requisites ===
    60 Follow the above user guide with your project, copy the output XML text snippet and save to 'xml_data.xml'.
     70Follow the above user guide with a project that has this feature enabled, copy the output XML text snippet and save to 'xml_data.xml'.
    6171
    62 Extract the PUBLIC_KEY_VALUE from the XML output produced by 'get_project_config.php' into a file called 'ownership_sign_public.pem'. Don't include the 'ownership_signature_public_key' tags in the file, don't include trailing return/newline characters in the text file.
     72Extract the PUBLIC_KEY_VALUE from the XML output produced by '<master_url>/get_project_config.php' into a file called 'ownership_sign_public.pem'. Don't include the 'ownership_signature_public_key' tags in the file, don't include trailing return/newline characters in the text file.
    6373
    6474{{{