[HELP] Custom 2 step authentication where the user's password is a public key


Alon Muroch

Jan 9, 2015, 6:28:58 AM
to django...@googlegroups.com
Hey everyone, I've been thinking of implementing the following custom authentication scheme:
  1. User generates a public and private key pair
  2. When creating a new user, the username is as usual but the password is the public key (in clear hex)
  3. For login:
    1. The user asks the server to generate a challenge string
    2. The user signs the challenge string and passes it to the server
    3. The user is considered logged in if the returned signed challenge can be verified by the server.
How I propose to do that: The user sends a GET request to the server, which returns a randomly generated challenge and saves it in relation to the requesting user. The user then sends a login request, with the difference that the password param is the signed challenge.
Problems with what I propose: How do I verify that whoever requests to generate the challenge is the actual user?

Will be happy for suggestions on how to go about doing this.
Alon.
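
The login exchange described in the post above, as an added example that is not part of the original thread or of any project's code. It assumes Ed25519 keys from the `cryptography` package, an in-memory store, and hypothetical names (`ChallengeAuth`, `client_sign`, `public_key_hex`, `CHALLENGE_TTL`); the challenge is single-use, expires, and is signed together with the username.

```python
import secrets
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CHALLENGE_TTL = 60  # seconds (assumed value)

def public_key_hex(private_key):
    """Hex form of the public key, stored where the password would be."""
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw).hex()

def client_sign(private_key, username, challenge_hex):
    """Client side: sign username + challenge so the proof is bound to both."""
    return private_key.sign(username.encode() + b"\0" + bytes.fromhex(challenge_hex)).hex()

class ChallengeAuth:
    """Hypothetical in-memory stand-in for the user table and challenge store."""

    def __init__(self, clock=time.monotonic):
        self.public_keys = {}  # username -> hex public key
        self.pending = {}      # username -> (challenge bytes, expiry time)
        self.clock = clock

    def register(self, username, key_hex):
        self.public_keys[username] = key_hex

    def issue_challenge(self, username):
        # Issued without authentication: the challenge is not a secret, and
        # only the private-key holder can turn it into a valid signature.
        challenge = secrets.token_bytes(32)
        self.pending[username] = (challenge, self.clock() + CHALLENGE_TTL)
        return challenge.hex()

    def login(self, username, signature_hex):
        # pop() makes the challenge single-use, so a captured signature
        # cannot be replayed whether or not this attempt succeeds.
        challenge, expiry = self.pending.pop(username, (None, 0))
        key_hex = self.public_keys.get(username)
        if challenge is None or key_hex is None or self.clock() > expiry:
            return False
        try:
            key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(key_hex))
            key.verify(bytes.fromhex(signature_hex), username.encode() + b"\0" + challenge)
        except (InvalidSignature, ValueError):
            return False
        return True
```

Because issuing is unauthenticated, a production store would rate-limit it and keep more than one pending challenge per user, so that a third party's request cannot invalidate a login in progress.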

Erik Cederstrand

Jan 9, 2015, 8:39:31 AM
to Django Users
This looks an awful lot like TLS Client Authentication (http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake).

If you're serious about authenticating your clients, I'd suggest looking at that instead of rolling your own. Most browsers can handle the client certificate securely and automatically, the support is well-tested and there are tools for key management, certificate revocation etc.

Erik

Alon Muroch

Jan 9, 2015, 10:40:41 AM
to django...@googlegroups.com
Hey Erik, thanks for your reply.
The scheme will work as a RESTful service (I use tastypie) and is designed specifically to work for a Bitcoin cloud backup service. The reason we want to implement such a scheme is so that if the password is compromised, an attacker can't download the encrypted data stored on the server. Basically it's a privacy-driven solution, not a security one, because the data stored on the server (which can be downloaded once the user is logged in) is encrypted.
