wiki:ProofOfOwnership

Version 2 (modified by Richard, 6 years ago) (diff)

--

Proof of Account Ownership

Provides your users a proof of BOINC project account ownership using OpenSSL public key cryptography. The user enters a message and that is signed alongside their account ID using the project's private key, proving that the user owns the account to external systems.

User guide

  1. Login then navigate to the 'Proof of Account Ownership' page.
    2. Enter the message you wish to be signed.
    3. Complete the captcha then submit the form.
    4. A text box will appear, copy the contents.

Project administrator guide

Changes required to integrate this functionality:

  1. Have the latest stable OpenSSL installed on your BOINC web server.
    2. Install the latest BOINC PR2965 web server changes:
html/inc/util.inc - fixing ttok warnings
html/user/get_project_config.php - export public key safely
html/inc/user.inc - add link to account ownership form within the profile

html/user/account_ownership_action.php - new file
html/user/account_ownership_form.php - new file
  1. Configure reCAPTCHA for the form.
    4. Generate OpenSSL keys in the /project/keys/ folder:
openssl genpkey -algorithm RSA -out ownership_sign_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in ownership_sign_private.pem -out ownership_sign_public.pem
  1. Adjust key permissions:
chown -R boincadm:boincadm ownership_sign_p*
chmod --reference upload_private ownership_sign_public.pem
chmod --reference upload_private ownership_sign_private.pem
  1. Try the form, sign a message, attempt to verify the message using your public key and the decoded base64 message from the form.

Security

The private key needs to remain on the web server, however if this key is compromised then proof of account ownership could be forged. It's important to maintain an updated and secure BOINC project web server to reduce the risk of this happening.

If you believe that the private key has been compromised, then simply generate a new key pair to start from scratch, users will need to regenerate their signed messages.