What's this about?
BOINC pull request #2134 provides a method of establishing a public key based cryptographic proof of BOINC UserId ownership on an individual BOINC project basis, allowing the user to prove account ownership on any external system/network permanently.
What's changed?
After the 2017 BOINC workshop, I went back to the drawing board and created PR2134 accounting for input from multiple parties.
At the 2018 BOINC workshop we discussed 2134 again, an initial peer review of the code was performed and several changes were requested. I was then provided an opportunity to present the PR in front of approx 30 workshop attendees which was positively received & resulted in several additional change requests after the presentation was over. See here for more about the workshop
The output from the signing process is now provided in a text box/area & a button to copy the contents of the textbox has replaced the XML download prompt. This was requested to improve compatibility with all devices without introducing complexities.
There were changes to how the recaptcha component was implemented, it is now implemented by default - any project administrator who doesn't want to us recaptcha may have to edit the code to work around this check. It's a good deterrent against potential automated abuse of the signing form.
A couple weeks after the workshop I attempted to reimplement the test environment using the latest BOINC and BOINC-Server-Docker repositories which caused several previously unobserved issued to be spotted. We now perform additional key checks, utilize an alternative method of reading the keys into memory and have somewhat solved file permission issues (needs generalized steps for all projects).
What's left to go now? Perhaps some back and forth discussion about the file permission issue then the code needs a final peer review and evaluation for pull request merge into the master repo branch.
You can test out the function on this test server! Just make an account, navigate to your profile then click 'Generate signature' to explore the new functionality.
Preview: OpenSSL signing form
The user can input anything, it will be be signed using the project's external system private key
alongside the user's UserID. External systems are free to establish their own handshake within the contents of the user input.
Any special characters input by the user are converted to their HTML equivalent, so external systems need to bear this in mind when planning their user_data input:
// Convert special characters to HTML equivalent
$user_data = htmlentities(post_str("user_data", true), ENT_QUOTES, "UTF-8");
Preview: Output of OpenSSL signing form
<boinc_user_id_verification>
<master_url>http://boinc.grcnode.co.uk/boincserver/
<msg>2 Address Version123</msg>
<signature>luNkSdylEMtpn3Y9DYXWH5NhPfkCbTcCRxxB/w6GLbIej3WvTD77llAQipdO5eQyYdwzE4udO9cdprzsW8aOzsPssyrdwp2Rxhi1Yenx2JxjtrKYD1+ntF7k71KfoKdKnlge6h8yTF8l/AUuolLOT/xVGspDDvWxquvLfqBKWYGz/osrg8JIHslTODq6+4yb5VW+zmuTuhuiL9HP3iq0hnH7DlpAp4b+BhPBeRzGJm0HZSILTW4R2Cg9lwmQeXMzUvbhOrBU/1YcdpfdGX7tq6XTTwB3SB40UKL9jeN81/iP8Frrf88lst55PwE59RrAcx0yWV9yEzTIVZ3071W9Yg==</signature>
</boinc_user_id_verification>
The output takes the form of XML since BOINC outputs are in XML. It could be easily modified to output JSON instead but no need to complicate things for now. External systems could either parse this entire copied textbox or they could instruct users to copy and paste just the signature into their system since they'd already know the expected message and master_url.
Possible use cases
- A cryptocurrency could use "Address_String Version_Int" to produce a message of "UserId Address_String Version_Int" associate an address with a BOINC UserID and allow updating of address via latest version - decentralizing the process of proving account ownership. Decentralized network participants could verify the signature using the project's public key.
- Proving ownership of an account for signature generator websites.
- Prove ownership of account for discounts or membership benefits online proportional to BOINC computation.
How to verify UserID signature
- Requires OpenSSL
- Retrieve the project's appropriate 'external system' public key.
- Instruct user to navigate to this openssl signing form, input their personalized message provided by your external service (like their external account id) then provide the external system the returned output.
- Extract signature from returned output.
- Double check project & message contents.
- Attempt to verify signature using project's external system public key & OpenSSL's verify functions.
Where to find out more?
Check out BOINC PR #2134 for more info on its ongoing development!
See the related Gridcoin-Research UserId beacon proposal on the wiki.
Interested in the above or have any questions? Do reply below! 👍