Making the registration invite codes shorter and better #15

Closed
JanisErdmanis opened this issue Jan 15, 2024 · 2 comments
@JanisErdmanis
Member

The current invitation format, while functional, is rather verbose. It takes up too much space in the email, and the size of it can be offputting to users who need to copy and paste it. Another consideration is that the code could perhaps be made clickable, similar to how a magnet link works for torrent clients now.

As a reference, the current invite that PeaceFounder sends over email is as follows:

{"demehash":"8fd0ddc86f5ef0cf89a52bbb2f1f19b1b33ed53e73ce5a05da6fd9da3e94a4a7",
"route":"http://192.168.1.16:4584",
"hasher":"sha256",
"token":"2b148f52bc5a2f220b8e6f61b2b013c364ccb7050a0c397ec199413ebc923cb2",
"ticketid":"e9ef0fc87e04556487c656229fd140bd"}

There are three improvements which can be made to make the invites better:

  1. Removing ticketid from Invites: The ticketid field can be eliminated from the invite structure. Instead, we can use the token to derive a sessionid by hashing the token.

  2. Adopting a Magnet Link Inspired Format: Transitioning from JSON to a magnet link-inspired format will further streamline the invitation system. The proposed format is more compact and human-readable, which is beneficial for both use and debugging:

deme:xt=sha256:8fd0ddc86f5ef0cf89a52bbb2f1f19b1b33ed53e73ce5a05da6fd9da3e94a4a7&sr=http://192.168.1.16:4584&tk=2b148f52bc5a2f220b8e6f61b2b013c364ccb7050a0c397ec199413ebc923cb2

  3. Optimizing Token and Hash Lengths: Considering the short-lived nature of these tokens and the subsequent signing with a digital identity provider, we can limit the token range for efficiency. Additionally, truncating the hash to 128 bits should maintain reasonable security. This approach will further reduce the invite size:

deme:xt=sha256:8fd0ddc86f5ef0cf89a52bbb2f1f19b1&sr=http://192.168.1.16:4584&tk=2b148f52bc5a2f22

This format maintains readability, which is essential for debugging while ensuring the invite is concise.

@JanisErdmanis JanisErdmanis self-assigned this Feb 18, 2024
@JanisErdmanis
Member Author

After the last commit 0440fff, the ticketid has now been made redundant for client registration. The next step is to remove it from the sent invite and refactor the ticket struct to have a tokenid as cache.

JanisErdmanis pushed a commit that referenced this issue Feb 19, 2024
JanisErdmanis pushed a commit that referenced this issue Feb 22, 2024
@JanisErdmanis
Member Author

An invite to a deme now has the following short form:

deme:?xt=sha256:FLSdIo-DzJZf_geHi8eO8kMzmLOZo8axdA5fcO_y8dM&sr=http://peacefounder.org&tk=rROIpybpRBk

where the hash and token are encoded with base64 encoding with the replacements '+'=>'-' and '/'=>'_'. The token is limited to 8 bytes, which is sufficient, as the probability of an adversary guessing it is $P=1/10^{20}$.
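
A strict parser for the short invite form above, added here as an example and not PeaceFounder's own code. It assumes the base64 padding is stripped (the sample's 43 and 11 character fields match 32 and 8 bytes without padding) and that the sessionid is the invite's hasher applied to the token; the issue only says the token is hashed.

```python
import base64, hashlib, re
from urllib.parse import parse_qs, urlsplit

# Sample invite copied from the comment above.
INVITE = ("deme:?xt=sha256:FLSdIo-DzJZf_geHi8eO8kMzmLOZo8axdA5fcO_y8dM"
          "&sr=http://peacefounder.org&tk=rROIpybpRBk")
HASH_LEN = {"sha256": 32}  # assumption: sha256 is the only hasher accepted
TOKEN_LEN = 8              # token size stated in the comment above

def b64u_decode(text):
    """Decode base64 with '-'/'_' substituted and padding stripped (assumed)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", text):
        raise ValueError("invalid base64 characters")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64u_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_invite(uri):
    """Return the invite fields, rejecting anything outside the expected shape."""
    parts = urlsplit(uri)
    if parts.scheme != "deme" or parts.netloc or parts.path or parts.fragment:
        raise ValueError("not a deme invite")
    params = parse_qs(parts.query, strict_parsing=True)
    if set(params) != {"xt", "sr", "tk"} or any(len(v) != 1 for v in params.values()):
        raise ValueError("missing, unknown or repeated parameter")
    hasher, _, digest = params["xt"][0].partition(":")
    if hasher not in HASH_LEN:
        raise ValueError("unsupported hasher")
    demehash, token = b64u_decode(digest), b64u_decode(params["tk"][0])
    if len(demehash) != HASH_LEN[hasher] or len(token) != TOKEN_LEN:
        raise ValueError("unexpected hash or token length")
    route = urlsplit(params["sr"][0])
    if route.scheme not in ("http", "https") or not route.hostname:
        raise ValueError("route must be an http(s) URL")
    # Assumption: sessionid = hasher(token); the issue does not fix the exact rule.
    sessionid = hashlib.new(hasher, token).hexdigest()
    return {"hasher": hasher, "demehash": demehash, "route": params["sr"][0],
            "token": token, "sessionid": sessionid}

def format_invite(inv):
    """Serialize parsed fields back into the short invite form."""
    return (f"deme:?xt={inv['hasher']}:{b64u_encode(inv['demehash'])}"
            f"&sr={inv['route']}&tk={b64u_encode(inv['token'])}")
```

Rejecting repeated parameters and off-length fields keeps a client and server from disagreeing about which token or hash an invite carries.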
