Changes between Version 5 and Version 6 of ProofOfOwnership
Timestamp: May 30, 2019, 6:59:22 AM (5 years ago)
ProofOfOwnership
v5 v6 2 2 3 3 = Proof of Account Ownership = 4 Provides a proof of project account ownership for users of a BOINC project using public key cryptography (SHA512 signature).5 4 6 The user enters a message which is signed alongside their account ID using the project's private key, providing a standardized proof of account ownership to external systems.5 There are a number of external systems that need to verify that a particular person is in control of a user account. The Proof of Account Ownership mechanism enables this proof using public key cryptography (SHA512 signature). This is done by having the user entering a message provided by the external system which is then signed alongside their account ID using the project's private key. The external system is then able to verify the signed message using the projects public key and thus provides proof that the user does in fact control the account. 7 6 8 7 This is an optional extension to the BOINC generic project website. Is is available since server version "TODO". … … 10 9 == User guide == 11 10 === Instructions === 12 1. Login then navigate to the 'Proof of Account Ownership' page (usually on the "Your Account" page). 13 1. Enter the message you wish to be signed (typically supplied by the website that wants you to provide the proof of ownership). 11 1. Login to the project and go to the "Your Account" page 12 1. Click on the "Account Ownership" link (the link says "Generate ownership proof"). Note that this is only displayed if the proof of account ownership keys have been created. 13 1. Enter the message you wish to be signed (typically supplied by the external system that wants you to provide the proof of ownership). 14 14 1. Submit the form. 15 15 1. When successful the ownership proof will be shown on the website, copy and use the full contents to proof ownership of your account. … … 29 29 See modifications introduced by [https://github.com/BOINC/boinc/pull/2965 PR#2965] if you want to cherry-pick the commits. 
30 30 {{{ 31 html/inc/account_ownership.inc - new file 31 32 html/inc/util.inc - fixing ttok warnings 32 html/user/get_project_config.php - export public key safely33 33 html/inc/user.inc - add link to account ownership form within the profile 34 34 35 html/user/account_ownership_action.php - new file 36 html/user/account_ownership_form.php - new file 35 html/user/get_project_config.php - include the account ownership public key 36 html/user/account_ownership.php - new file: UI that allows a user to have a message provided by an external system signed and linked to their account 37 38 html/ops/index.php - Add link to check_account_ownership_keys.php 39 html/ops/check_account_ownership_keys.php - new file: provides a UI for a project admin to check if the account ownership keys are setup and installed 40 html/ops/generate_account_ownership_keys.php - new file: command line script to create the account ownership keys 37 41 }}} 38 42 === Changes required to integrate this functionality: === 39 1. Have a recent version of OpenSSL installed on your BOINC webserver that is used by PHP.40 43 1. Install the latest BOINC [https://github.com/BOINC/boinc/pull/2965 PR#2965] web server changes 41 44 1. (optional) Configure reCAPTCHA in your `config.xml` so the form is protected. 42 1. Generate necessary OpenSSL keys in the /project_root/keys/ folder: 43 44 {{{ 45 openssl genpkey -algorithm RSA -out ownership_sign_private.pem -pkeyopt rsa_keygen_bits:2048 46 openssl rsa -pubout -in ownership_sign_private.pem -out ownership_sign_public.pem 47 }}} 48 5. Adjust key permissions: 49 50 {{{ 51 chown -R boincadm:boincadm ownership_sign_p* 52 chmod --reference upload_private ownership_sign_public.pem 53 chmod --reference upload_private ownership_sign_private.pem 54 }}} 55 6. Try the form, sign a message, attempt to verify the message using your public key and the decoded base64 message from the form. 45 1. 
Generate the account ownership public and private keys by running generate_account_ownership_keys.php using the commandline in the BOINC web server html/ops directory. 56 46 57 47 === Security === 58 The private key needs to remain on the web server , however if this key is compromised then proof of account ownership couldbe forged. It's important to maintain an updated and secure BOINC project webserver to reduce the risk of this happening.48 The private key needs to remain on the web server so that it can be used to sign message. If this private key is compromised, then proof of account ownership signatures can be forged. It's important to maintain an updated and secure BOINC project webserver to reduce the risk of this happening. 59 49 60 If you believe that the private key has been compromised, simply generate a new key pair to start from scratch, users will need to regenerate their signed messages to maintain a current proof of account ownership on external systems. In that case you might want to create a news item to inform users.50 If you believe that the private key has been compromised, you can generate a new key pair using the generate_account_ownership_keys.php in the BOINC web server html/ops directory. Existing signed messages will no longer be valid and users will need to regenerate their signed messages to maintain a current proof of account ownership on external systems. You should inform users if you need to take this action so that they understand what is happening. 61 51 62 52
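Review bot: The rewritten introduction (v6 line 5) still describes the mechanism as "public key cryptography (SHA512 signature)", but SHA512 names only the digest, and with the `openssl genpkey -algorithm RSA` step removed further down, the page no longer tells an external verifier which signature algorithm or key size to expect. Suggest naming the full scheme in this paragraph. While there, "the projects public key" should read "the project's public key", "having the user entering" should read "having the user enter", and the unchanged line below it still says "Is is available since server version "TODO"".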
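Review bot: In the new user instructions (v6 lines 11-12) the link is named "Account Ownership" and then said to read "Generate ownership proof"; use only the label the user actually sees so the step can be followed literally. The remark that the link is displayed only once the keys have been created is worth keeping, and it would help to point from it to the integration step that creates them. The unchanged final step still says "to proof ownership of your account", which should be "to prove ownership".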
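Review bot: The integration steps (v6 lines 43-45) remove the explicit key generation commands, the `chown` / `chmod --reference upload_private` step and the closing "Try the form ... verify" step, leaving only "run generate_account_ownership_keys.php", so the page no longer documents where the keys are written, what ownership and mode the private key ends up with, or how an admin confirms that a signature verifies. Suggest stating what the script produces (key type, location, file permissions), naming html/ops/check_account_ownership_keys.php as the post-install check, and keeping a verification step for external systems. Since the generator is described as a command line script but sits in html/ops, the text should also say whether it can be invoked through the web server. In the Security section (v6 lines 48-50), "used to sign message" should be "used to sign messages", and because get_project_config.php now includes the account ownership public key, the rotation paragraph should tell external systems to re-fetch that key and stop trusting the old one.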