Deep dive into Keys and @arcange's Hive Authentication Service HAS with Python


This is a value for value post: see the explanation in the footer.


If anyone else wants to look at HAS authentication in Python, the code is all here:

HAS Python on Github


HAS - Hive Authentication Service from Python

First of all HAS is cool, I like the way it operates. If you don't know, HAS is @arcange's authentication service where you give authorisation to a Hive website or dapp using QR codes you snap with Hive Keychain on a phone. Once you are authenticated, if you do anything that requires a signature (liking a post, writing a comment etc.) Hive Keychain will ask again for authorisation.

I've used it quite a bit logging on to public computers where I don't have or can't have Hive Keychain installed. I can log on, do something and then log out and be 100% sure that there is no way anyone else can use my credentials or access my account.

On Mobile

The system also works (mostly) on mobile. There are some technical issues when moving from app to app on phones (I'm using an iPhone) and behind the scenes, support for the underlying websocket protocol could improve, but it does work.

What's the problem we're solving here?

Let's just back up and restate what the problem we're trying to solve is.

When you log on to Facebook or Twitter, you do that with a username and password. Those centralised services check your username and password against their internal database, record that you've logged in and then put an invisible "cookie" on your computer. Every time you ask for a page from their site, their central servers look at your cookie and, if it is valid, they'll let you do anything you're allowed to:

  • look at the content you can see,
  • post under your name,
  • generally make use of their service.

On Hive the websites and dapps you use have a significant difference: there is no central database of usernames and passwords; instead we have public and private keys.

And when we say public keys, we really do mean public: here are my keys for Hive!

Public Keys for Brian of London

The public keys are those things which start STM.... The beauty of this system is that if you hold the Private Key, you can publicly "sign" a message which proves you have the Private Key to match any of those Public Keys.

Nobody else can do that and you don't need to actually show anyone the Private Key.

Private Key Store APP (PKSA)

Except that signing something with your Private Key is a semi-complex cryptographic challenge which only a computer can really do for you. This is a snippet of code as an example:

[image: code snippet of a signing call]

For example, the ECC in "ecc.Signature" stands for Elliptic-curve cryptography, which is the underlying system a lot of this is based on.

If you ever wondered what Hive Keychain is actually doing in your browser, that fragment of code is the kind of thing which happens when you click yes on a pop up to do something.

The point here is that you aren't sending a key, you're just proving that you have the private key to match the same public key which anyone can see is recorded in your Hive profile.

Hive Keychain, Hivesigner and PeakLock are all PKSAs - Private Key Store Apps. You have to trust your private keys to those services and they shouldn't let your keys out, only sending signatures back to services that need to know you are you.

Side note: delegated authority

You can see in my list above that my Posting section is big: each of the names in that section has been given Posting Authority by me. If one of those accounts signs a transaction from me with their posting key, not mine, it will be accepted as coming from me.

Making HAS work in Python

I started out with the idea that I would like to have a Python-only website, probably using the framework Flask. A long time ago, when I was learning to code again, I managed to integrate Hive Keychain sign in with Flask and that work is here:

Python Flask Hive Keychain Demo

In reality, most of the hard work is done on the web page by Javascript code written by the Hive Keychain team.

Once I actually started to implement HAS (and you can see the first failed attempt here) I realised this was a slightly bigger thing to implement than I thought.

The reality is that, just like authenticating with Hive Keychain, using HAS on a website is probably better done using the Javascript which @arcange supplies on his site.

Diving in

I'm not sure why I did this after coming to realise how I should be using HAS, but I kept on going and set myself the challenge of doing the complete authentication in Python from the protocol documents which @arcange has posted.

And it would appear that I'm the first to have done this. The Hive Keychain team has integrated the functionality for their mobile app to act as a PKSA, but all the websites and services which offer HAS right now have done so using @arcange's Javascript.

Well I've done it. The code is not really finished because I haven't really figured out how this can be used but it's up there and open.

There's a stub of a command line which can authenticate a Hive account and I have behind the scenes code to sign any challenge and send any transactions.

If anyone else wants to look, the code is all here. It's a bit of a mess right now but I want to improve it, especially if anyone tells me they're interested in using it:

HAS Python on Github

What's missing is probably a Python version of this Javascript functionality. I'm just wondering if that's what I should be building.

I'm not sure where to go with this right now, I have to move back to working on things directly necessary for my @v4vapp though this all fits with my desire to have a much better front end. My conundrum is that whilst I'm happiest coding in Python, the reality is websites are far better written in any of the Javascript frameworks.

In addition, I'm traveling to Australia soon with @apshamilton for our first in person court hearing on the Crypto Class Action.

Thanks to @arcange

All of this work stems from @arcange and I had numerous calls with him to get to this point. We found a couple of tiny issues with the documentation but he has built a remarkably solid solution.

I feel sure that there are probably some uses for this Python interface and one in particular I'm thinking about is a way to authenticate with Hive for using an API. If anyone reading this likes that idea, get in touch with me.


Value for Value

For the last few months while building @v4vapp I was generously supported by the DHF. Going forward I have a much more modest support which covers direct server costs and a little of my time.

If you appreciate the work I do on and around Hive, you can express this directly: upvoting posts on Hive is great. Also consider a direct donation (there's a Tip button on Hive or a Lightning Address) on all my posts.

Support Proposal 244 on PeakD
Support Proposal 244 with Hivesigner
Support Proposal 244 on Ecency
Vote for Brianoflondon's Witness KeyChain or HiveSigner


Send Lightning to Me!



17 comments

I use Hive Keychain a lot. HAS is authentication for Python. Although I don't know much about Python, I like to read up on this!


Ladies and Gentlemen our very own Brainoflondon doing mind blowing things🙃

Good one mate @brianoflondon🙂


You have taken many nice steps for the solution and hope it will be good for users.


I am yet to make an application on the Hive blockchain and still wiggling about which authentication service to use (if any). For sure this looks like a contender amongst the other Hive authentication services.


Side note: delegated authority
You can see in my list above that my Posting section is big: each of the names in that section has been given Posting Authority by me. If one of those accounts signs a transaction from me with their posting key, not mine, it will be accepted as coming from me.

But is it traceable that they signed? Good Good.


Yes, you can see in the transaction how the signature was organised.


Great Post! Keep up the good work!


You know the advantages of Python:

  • rich syntax
  • access to the machine that Javascript cannot touch.

For example, you could build a bot that uses the TPM of the computer. Assuming the TPM does ECC.


It's great to see more and more adoption of the HiveAuth protocol. Thank you for adding your contribution to it!


I was excited to run it, but it needed the latest Microsoft C++ Build Tools :/ Might try it later :D


An API of this functionality sounds cool. It would be a nice way to sign transactions just by using QR codes. Did I get it right?


This is going to make onboarding so much simpler. Tons of not so techy folks bail when they see the keys alone.

Also helpful for us security nuts who won't keep keys anywhere much at all. Makes logging in on different devices and apps around here far easier. Or even doable at times.

Very clever! 👏🏻

Best wishes for the development.
