Unlocking Privacy
Zero Knowledge: The future of secure logins
Hello everyone! Hope you're all doing well.
It's that time of the week again for our Git Checkout article. Recently, I've been exploring a web3 idea centred around zero-knowledge principles, leading me to discover an intriguing repository. This repository might be smaller in scale compared to others I've reviewed, but it caught my attention for a unique reason: the author explores implementing a Zero-Knowledge Proof (ZKP) based login system in a web2 environment. For those curious about zero-knowledge:
Zero-knowledge is a cryptographic technique that enables one party to prove the truth of a statement to another party without disclosing any information beyond the validity of the statement itself.
Without further delay, let's dive into the repository. As always, I'll highlight some significant implementations and concepts we encounter. This week, we'll take a closer look at:
- The GitHub repository
- A notable quote on ZKP
The GitHub repository
The repository showcases a straightforward Zero-Knowledge (ZK) based login system, illustrating how authentication can be achieved without revealing a password. It features an Authentication Server for security checks and a Web Server for the user interface, both developed using Python and Flask. The system utilises gRPC for seamless client-server communication and stores user data in a MySQL database. gRPC stands out as a framework that ensures efficient communication between client and server applications. This repository acts as a valuable educational resource for implementing and deploying new age secure login methods.
I've simplified the explanation of the code's key components for better understanding and identified an opportunity where you might contribute, perhaps marking your first foray into open-source projects.
Authentication Server: This module manages user registration and login through zero-knowledge proofs.
Registration Process: Upon a new user's registration, the server collects their username, hashed password for enhanced security and email, storing it in a MySQL database. It also checks for username uniqueness to prevent duplicates. (code…)
Login Mechanism: For login, the server receives a request containing the username and cryptographic data, excluding the actual password. Leveraging Zero-Knowledge Proof principles, specifically the Schnorr protocol, it assesses the accuracy of the user's cryptographic data without accessing the password. Successful verification indicates correct password entry, granting the user access. (code…)
Web Server: Implemented with Flask, this module oversees registration and login processes. It employs HTML for the user interface and gRPC for communication with the authentication server, managing user sessions and executing cryptographic calculations for secure logins. (code…)
Feeling overwhelmed? The maths behind the computer's security tricks in the repository might look complicated. I tried to figure out how it works for logging in and realised it needs more digging. To make it easier to understand, I asked ChatGPT to explain it in a super simple way, like how you'd explain magic tricks to a five-year-old. And below is what it returned (code…):
Imagine your secret password as a magical word that unlocks a treasure chest. You don't want to reveal this word, so you devise a method to prove you know it without saying it aloud.
Here's a simplified breakdown:
1. Magic Dust: You start with magic dust (akin to the random number `r` in the formula), whispering your secret word to it, which makes it sparkle uniquely.
2. Show a Sparkle: You then show a sparkle from this dust to a friend. The sparkle, created from your secret word and the dust, doesn't reveal the word itself.
3. The Magic Test: Your friend uses a magic wand (representing `g`, `p` in the formula) to test if your sparkle is genuine. They perform a trick with their wand and your sparkle.
4. Secret Remains Safe: If their trick succeeds, it proves your sparkle—and thus your knowledge of the secret word—is real, all without disclosing the word itself.
This enchanting analogy illustrates how Zero-Knowledge Proofs enable you to prove knowledge of something precious, like a password, without exposing its details. It's akin to demonstrating you have a key to a treasure chest without showing the key itself.
I hope this brings some clarity!
Probable area of contribution
One exciting way to begin your journey in open source contributions, while also delving into the realm of zero-knowledge proofs (ZKP), is by adding a password reset feature to this repository:
Implementing Password Reset with ZKP: A critical aspect of any login system is the ability to reset passwords. Let’s explore how this could be seamlessly integrated into the existing codebase aligning with zero-knowledge principles.
The process starts by sending a time-limited reset link to the user's registered email. Upon clicking this link, the user is prompted to create a new password. Here's where ZKP comes into play: the client, or user's device, computes a new secret from the new password and constructs a Zero-Knowledge Proof. This proof is then sent to the server to demonstrate that the user has indeed generated a new secret, all the while keeping the actual password concealed.
Upon receiving this ZKP, the server performs a verification against its cryptographic criteria. A successful verification not only confirms the creation of a new secret but also the user’s new password, without the server ever knowing the password itself. Following this, the server updates the user's authentication records to reflect the new cryptographic parameters tied to the new secret.
This innovative approach ensures that users can securely reset their passwords, adhering to the stringent privacy and security standards set by Zero-Knowledge Proofs, thus enhancing the system's overall security architecture.
A notable quote on ZKP
"Zero-knowledge proofs provide the ability to verify the truth of a statement without revealing any information beyond the validity of the statement itself." - Shafi Goldwasser, Co-inventor of zero-knowledge proofs.
The quote about zero-knowledge proofs shows us how it can check if something is true without giving away any secrets. This is really important for keeping our information safe and private in a world where privacy matters the most.
That's a wrap for today's issue. As always, I value your thoughts and ideas! Should you have a specific repository or topic in mind that you're eager to delve into, I'm here to listen!
I want to make this newsletter a shared adventure. Your suggestions are more than welcome and it might just be the focus of our next discussion.
If you like what you read, please do not hesitate to share the love.
Until we meet again,
Cheers,
– Krish