Deep dive into Keys and @arcange's Hive Authentication Service HAS with Python
This is a value for value post: see the explanation in the footer.
If anyone else wants to look at HAS authentication in Python, the code is all here:
HAS - Hive Authentication Service from Python
First of all HAS is cool, I like the way it operates. If you don't know, HAS is @arcange's authentication service where you give authorisation to a Hive website or dapp using QR codes you snap with Hive Keychain on a phone. Once you are authenticated, if you do anything that requires a signature (liking a post, writing a comment etc.) Hive Keychain will ask again for authorisation.
I've used it quite a bit logging on to public computers where I don't have or can't have Hive Keychain installed. I can log on, do something and then log out and be 100% sure that there is no way anyone else can use my credentials or access my account.
The system also works (mostly) on mobile. There are some technical issues when moving from app to app on phones (I'm using an iPhone) and behind the scenes, support for the underlying websocket protocol could improve, but it does work.
What's the problem we're solving here?
Let's just back up and restate what the problem we're trying to solve is.
When you log on to Facebook or Twitter, you do that with a username and password. Those centralised services will check your username and password against their internal database, record that you've logged in and then put an invisible "cookie" on your computer. Every time you ask for a page from their site, their central servers will look at your cookie and, if it is valid, they'll let you do anything you're allowed to:
- look at the content you can see,
- post under your name,
- generally make use of their service.
On Hive the websites and dapps you use have a significant difference: there is no central database of usernames and passwords, instead we have public and private keys.
And when we say public keys, we really do mean public: here are my keys for Hive!
The public keys are those things which start STM.... The beauty of this system is that if you hold the Private Key, you can publicly "sign" a message which proves you have the Private Key to match any of those Public Keys.
Nobody else can do that and you don't need to actually show anyone the Private Key.
Private Key Store APP (PKSA)
Except that signing something with your Private Key is a semi complex cryptographic challenge which only a computer can really do for you. This is a snippet of code as an example:
For example, the ECC in "ecc.Signature" stands for Elliptic-curve cryptography which is the underlying system a lot of this is based on.
If you ever wondered what Hive Keychain is actually doing in your browser, that fragment of code is the kind of thing which happens when you click yes on a pop up to do something.
The point here is that you aren't sending a key, you're just proving that you have the private key to match the same public key which anyone can see is recorded in your Hive profile.
Hive Keychain and Hivesigner or PeakLock are all PKSAs - Private Key Store Apps. You have to trust your private keys to those services and they shouldn't let your keys out, only sending signatures back to services that need to know you are you.
Side note: delegated authority
You can see in my list above that my Posting section is big: each of the names in that section has been given Posting Authority by me. If one of those accounts signs a transaction from me but with their posting key, not mine, it will be accepted as coming from me.
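A simplified model of that delegation, added here as an example and not taken from the author's code: a posting authority with a weight threshold, direct keys and delegated accounts, plus helpers to list and revoke delegates. The account names, placeholder keys and function names are constructed, and delegation is followed one level only.

```python
import copy

# Constructed accounts, shaped like the "posting" authority of a Hive account.
ACCOUNTS = {
    "alice": {"posting": {
        "weight_threshold": 1,
        "key_auths": [["STM_ALICE_POSTING_PLACEHOLDER", 1]],
        "account_auths": [["example.dapp", 1]],
    }},
    "example.dapp": {"posting": {
        "weight_threshold": 1,
        "key_auths": [["STM_DAPP_POSTING_PLACEHOLDER", 1]],
        "account_auths": [],
    }},
}

def posting_satisfied(account, signer_keys, accounts=ACCOUNTS, depth=1):
    """True if the keys that signed meet `account`'s posting threshold."""
    auth = accounts[account]["posting"]
    weight = sum(w for key, w in auth["key_auths"] if key in signer_keys)
    if depth > 0:  # follow delegation one level only in this sketch
        for name, w in auth["account_auths"]:
            if name in accounts and posting_satisfied(
                    name, signer_keys, accounts, depth - 1):
                weight += w
    return weight >= auth["weight_threshold"]

def delegates(account, accounts=ACCOUNTS):
    """Accounts allowed to post as `account`: the list worth reviewing."""
    auths = accounts[account]["posting"]["account_auths"]
    return sorted(name for name, _ in auths)

def revoke(account, delegate, accounts=ACCOUNTS):
    """Copy of `accounts` with `delegate` dropped from `account`'s posting auth."""
    updated = copy.deepcopy(accounts)
    auth = updated[account]["posting"]
    auth["account_auths"] = [e for e in auth["account_auths"] if e[0] != delegate]
    return updated
```

A signature made with the delegate's posting key satisfies the account's posting authority until the delegate is removed from `account_auths`, so every name in that list should be an app you still use.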
Making HAS work in Python
I started out with the idea that I would like to have a Python only based website, probably using the framework Flask. A long time ago when I was learning to code again, I managed to integrate Hive Keychain sign in with Flask and that work is here:
Python Flask Hive Keychain Demo
Once I actually started to implement HAS (and you can see the first failed attempt here) I realised this was a slightly bigger thing to implement than I thought.
I'm not sure why I did this after coming to realise how I should be using HAS, but I kept on going and set myself the challenge of doing the complete authentication in Python from the protocol documents which @arcange has posted.
Well I've done it. The code is not really finished because I haven't really figured out how this can be used but it's up there and open.
There's a stub of a command line which can authenticate a Hive account and I have behind the scenes code to sign any challenge and send any transactions.
If anyone else wants to look, the code is all here. It's a bit of a mess right now but I want to improve it, especially if anyone tells me they're interested in using it:
In addition, I'm traveling to Australia soon with @apshamilton for our first in person court hearing on the Crypto Class Action.
Thanks to @arcange
All of this work stems from @arcange and I had numerous calls with him to get to this point. We found a couple of tiny issues with the documentation but he has built a remarkably solid solution.
I feel sure that there are probably some uses for this Python interface and one in particular I'm thinking about is a way to authenticate with Hive for using an API. If anyone reading this likes that idea, get in touch with me.
Value for Value
For the last few months while building @v4vapp I was generously supported by the DHF. Going forward I have a much more modest support which covers direct server costs and a little of my time.
If you appreciate the work I do on and around Hive, you can express this directly: upvoting posts on Hive is great. Also consider a direct donation (there's a Tip button on Hive or a Lightning Address) on all my posts.
Support Proposal 244 on PeakD
Support Proposal 244 with Hivesigner
Support Proposal 244 on Ecency
Vote for Brianoflondon's Witness KeyChain or HiveSigner
This is a direction of posts that we really need more of.
💯 we do!
I use hive keychain a lot. HAS is authentication for python. Although I don't know much about python, I like to read up on this !
Ladies and Gentlemen our very own Brainoflondon doing mind blowing things🙃
Good one mate @brianoflondon🙂
You have taken many nice steps for the solution and hope it will be good for users.
I am yet to make an application on the Hive blockchain and still wiggling about which authentication service to use (if any). For sure this looks like a contender amongst the other Hive authentication services.
But is it traceable that they signed? Good Good.
Yes, you can see in the transaction how the signature was organised.
In the morning ✌️
I saw others and I also tested out https://hive.blog/@v4vapp
Great Post! Keep up the good work!
You know the advantages of Python:
For example, you could build a bot that uses the TPM of the computer. Assuming the TPM does ECC.
It's great to see more and more adoption of the HiveAuth protocol. Thank you for adding your contribution to it!
I was excited to run it, but it needed the latest Microsoft C++ Build Tools :/ Might try it later :D
An API of this functionality sounds cool. It would be a nice way to sign transactions just by using QR codes. Did I get it right?
This is going to make onboarding so much simpler. Tons of not so techy folks bail when they see the keys alone.
Also helpful for us security nuts who won't keep keys anywhere much at all. Makes logging in on different devices and apps around here far easier. Or even doable at times.
Very clever! 👏🏻
Best wishes for the development.