Nillion Key Manager #105
Envoy-VC started this conversation in Show and tell
Show and tell project type
Builder Bounty Submission
Github Repo Link
https://github.com/Envoy-VC/nillion-tools
Video Walkthrough Link
https://youtu.be/-0loSlaMdiM
Project Description
We have built Nillion Key Manager, a tool to manage and authenticate Ed25519 keys. It provides a simple workflow to create, import, and export keys. It also provides a way to authenticate keys using WebAuthn and FIDO2.
It is served as an npm package and you can use it in your app by running the command
Docs are available at: https://nillion-tools.envoy1084.xyz/docs/key-manager
Problems with WebAuthn
WebAuthn is a standard for creating and verifying cryptographic credentials. These credentials are typically stored securely within an authenticator device (e.g., YubiKey) in a protected environment known as a Secure Enclave. The private key component of the underlying key pair is not accessible to external entities.
And the key pair is restricted to signature generation and cannot be used for other cryptographic operations in the WebCrypto API.
PRF Extension
This is where PRF comes in. A PRF is a cryptographic function designed to be computationally indistinguishable from a truly random function. It takes in a query and returns a truly random response from its output domain.
The WebAuthn PRF Extension introduces a mechanism for generating a PRF alongside a credential during the Registration process. This PRF can further be queried during authentication assertions.
It internally uses the CTAP2 hmac-secret extension, which is supported by many security keys, so the PRF Extension is expected to have broad compatibility. In our use case, the output of the PRF (a 32-byte ArrayBuffer) can serve as a symmetric key for encrypting and decrypting user data using AES-GCM, specifically Nillion Ed25519 User Keys. So users can now authenticate their keys using WebAuthn.
Security
The output from the PRF extension will be the same for every authentication ceremony so long as:
This means that each UserKey is specific to a website, and a malicious actor from, say, Website B cannot decrypt your UserKey stored on Website A because Passkeys are domain specific.
What problems does your project solve? How does it preserve privacy for users?
Problems with Metamask Snap
It solves previous problems related to storing and authenticating Nillion User Keys. Previously we used Metamask Snaps to get the Nillion User Key. The problem with that is that keys are used as plain text in the application.
Our approach requires keys to be decrypted only when they are needed, as they are always stored in encrypted format.
Session based Decryption
Decryption can take place either by authenticating with a Passkey or, as another approach, by saving the key in sessions with a refresh-token structure for access.
Support for any Decrypt Logic
We are also not restricted to WebAuthn-based decryption; users can pass their own encrypt and decrypt functions for key access.
How does the project use Nillion? Describe and link to any Nada programs
No response
Is there anything else you want to share?
The PRF extension is a recent addition to the WebAuthn L3 Draft spec, is in an experimental stage, and is not yet supported in all authenticator devices. As per testing these devices support PRF:
chrome://flags/#enable-experimental-web-platform-features turned on) there can be even more authenticators that support PRF.
Optional - Link your project and team members' social handles
https://x.com/Envoy_1084
Optional - Team ETH Address(es)
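The flow described under "PRF Extension" and "Security" above, as an added example that is not code from the post or from the nillion-tools package: a 32-byte PRF output is imported as an AES-GCM key, a user key is encrypted under it, and decryption with a different PRF output or a modified ciphertext is rejected. The function names, the stand-in PRF outputs and the 32-byte sample user key are assumptions made for illustration.

```javascript
// Added example. PRF outputs below are constructed stand-ins; in a browser the
// value comes from credential.getClientExtensionResults().prf.results.first.
async function getCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Import the 32-byte PRF output as a non-extractable AES-256-GCM key.
async function keyFromPrf(prfOutput) {
  if (prfOutput.byteLength !== 32) throw new Error('PRF output must be 32 bytes');
  const { subtle } = await getCrypto();
  return subtle.importKey('raw', prfOutput, 'AES-GCM', false, ['encrypt', 'decrypt']);
}

// Encrypt the user key; a fresh random 96-bit IV is stored next to the ciphertext.
async function sealUserKey(prfOutput, userKey) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await keyFromPrf(prfOutput);
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, userKey);
  return { iv, ciphertext: new Uint8Array(ct) };
}

// Decrypt; returns null when the GCM tag does not verify (wrong key or tampering).
async function openUserKey(prfOutput, sealed) {
  const c = await getCrypto();
  const key = await keyFromPrf(prfOutput);
  try {
    const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: sealed.iv }, key, sealed.ciphertext);
    return new Uint8Array(pt);
  } catch {
    return null;
  }
}

// Constructed sample values (not real keys or real PRF outputs).
const PRF_SITE_A = new Uint8Array(32).fill(0x11); // passkey registered on Website A
const PRF_SITE_B = new Uint8Array(32).fill(0x22); // a different passkey / origin
const USER_KEY = new Uint8Array(32).map((_, i) => i); // stand-in for a user key

async function demo() {
  const sealed = await sealUserKey(PRF_SITE_A, USER_KEY);
  const same = await openUserKey(PRF_SITE_A, sealed);  // same PRF output: succeeds
  const other = await openUserKey(PRF_SITE_B, sealed); // other PRF output: null
  return { sealed, same, other };
}

demo().then((r) => console.log('same PRF output decrypts:', r.same !== null, '| other PRF output decrypts:', r.other !== null));
```

Only the IV and ciphertext need to be persisted; the AES key is re-created from the PRF output at each authentication and is never stored.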