Participating in hackathons is always fun. You get to meet like-minded people, learn new ideas, get a lot of connection in the respective community, understand what is happening in the community, get some cool goodies and last but not least, you get to eat in a 5 start hotel (sometimes) :D. So it does not matter whether you win or lose, you are always happy after hacking.I have been failing all through my life that now I enjoy being a failure. Participated in many of them and lost in most of them, never actually affected my intensity to hack. I spend my weekends in either hacking or preparing for them. Having many geeks friends, including my brother, in the nearby city, Bangalore is a boon for me. Most of the time these people participate in one of those hackathons and give my name without even asking me, especially when it comes to Blockchain.

This time was no different. My brother and team participated in a hackathon conducted by a Chinese company called, CyberVein last month, which is a blockchain company (I will talk in details in a bit), recently did token sale and other rituals which now a day all blockchain companies are doing to raise funds. Since I knew I was going to get a bit held up this month, I told them I won't code. They were okay with that and convinced me to join just for the sake of taking Blockchain related questions. Once our idea got shortlisted, I decided to help the team with research that is needed for the implementation.

We submitted our idea, got shortlisted and was declared the winner of the event. I would like to take this opportunity to share my experience of the hackathon.

Cybervein

I have not got a chance to dig deeper into CyberVein blockchain, so far what I have understood is: It is trying to solve the current scalability problem of blockchain by using DAG. Currently, blockchains are not designed to store a vast amount of data, CyberVein claims to solve that problem by improving on Directed Acyclic Graph (DAG) architectures by introducing a resource-conserving consensus algorithm, as well as a smart contracting language and virtual machine, optimized for the handling of massive amounts of data. Its a network of immutable, blockchain-based databases on which information can be securely processed, traded and shared. You can read more about it in its whitepaper.

The idea

The idea was to use public key infrastructure (PKI) on top of single sign-on (SSO) to login into multiple web applications as well as decentralized applications. Among the four themes of Blockchain for Data Management, Blockchain for Identity Management, Blockchain for Smart Wallets, Blockchain for Social Initiatives, our idea was falling under the 2nd category - Blockchain for Identity Management. Details about themes is here. You must be wondering where does blockchain fit into this idea?

2 reasons:

  • SSO for decentralized application (DApps).
  • Signing transactions for any* blockchain in case of DApps.

Note: By any, I meant those who support ECDSA cryptographic algorithm.

Though this idea was no extraordinary or unique except the SSO part, somehow it clicked to the judges. Solutions, similar to this, like Uport and ThumbSignin are already there in the market but none of them comes with feature like SSO and signing transactions to any blockchain (although ThumbSignin helps to sign a transaction on Ethereum blockchain).

Implementation

There is two part of this implementation:

  1. Figure out how to generate ECDSA key pair and use those for signing and verification of messages.
  2. Develop the SSO module to implement the above.

Part 1

For the first part of the problem, I was researching js or python library for ECDSA. js was preferable since the key-pair generation is going to happen in the mobile phone and dealing with python on the mobile phone is a bit tricky. I came across a library called, eth-lightwallet which uses module elliptic for ECDSA and provides full-featured HD wallet. The concept of hierarchical deterministic wallet (or HD Wallets) was introduced in Bitcoin Improvement Protocol (BIP) 32 which is a system of deriving keys from single starting point known as a seed.

Installation

npm i eth-lightwallet 

This package exposes the global object lightwallet to the browser which has the two main modules lightwallet.keystore and lightwallet.txutils. keystore is used to create a vault and to generated key-pairs using seed. It accepts a parameter, password.

Keys Generation

// generate a new BIP32 12-word seed
var secretSeed = lightwallet.keystore.generateRandomSeed();

// the seed is stored encrypted by a user-defined password
var password = prompt('Enter password for encryption', 'password');
lightwallet.keystore.deriveKeyFromPassword(password, function (err, pwDerivedKey) {

var ks = new lightwallet.keystore(secretSeed, pwDerivedKey);

// generate one new address/private key pairs
// the corresponding private keys are also encrypted
ks.generateNewAddress(pwDerivedKey, 1);
var addr = ks.getAddresses();
});

Please note 2 points here:

  • This is not the best way to implement the seed generations. Other implementations are also available.
  • This is not secure at all since the salt is fixed.

You can read more about the keystore function from here

Message Signing

Now that we have keyStore object ready, we can go ahead and sign a message:

signing.signMsg(keystore, pwDerivedKey, rawMsg, signingAddress, hdPathString)

* `keystore`: An instance of the keystore with which to sign the TX with.
* `pwDerivedKey`: the users password derived key (Uint8Array)
* `rawMsg`: Message to be signed
* `signingAddress`: hex-string defining the address corresponding to the signing private key.
* `hdPathString`: (Optional) A path at which to create the encryption keys.

This will return us Signed hash as a signature object with v, r and s values

Message Verification

Once the message is signed, we pass the rawMessage, r,s,v values and publickey to the verification method which actually tries to recover the publickey using r, s, v values and checks if the sent publickey is same as recovered publicKey.

signing.recoverAddress(rawMsg, v, r, s)

Recovers the signing address from the message rawMsg and the signature v, r, s.

Part 2

This was the most difficult part. We can not implement SSO in within a week or two. So I decided to look for any open source full fledge SSO and I landed on KeyCloak. KeyIcloak is an Open Source Identity and Access Management solution for modern Applications and Services. Check out the java implementation of KeyCloak in their repository. I asked the team to fork it and understand the code flow of the current login system.

Just to give you an idea about KeyCloak :

Keycloak has the concept of realm, which sits in the top. Under realm, you can register client applications. Now once client application can have multiple roles and a role can have users. Admin takes responsibility of registering users and generates temporary username and password. Our idea was to eliminate username and password.

            Realm
              |
        +-----+-----+
        |           |
      Client_App1   Client_App2
        |   
    ----+----
    |       |
  Role1   Role2
  |   |
Usr1 Usr2
(username/password)

Surprise!

A day before the hackathon I reached Bangalore and asked the team about the progress. They told me that they were able to implement eth-lightwallet in the mobile app but could not do anything about Keycloak. Well, this was expected. I did take a look at the code base of KeyCloak once and get the idea that its going to take time to understand the code flow since the code base is comparatively huge. The second factor was, none of us are Java developers and apart from this, we work for our employer and we only get time during weekends to work on extra stuff (however, being a Pramatian I have some privilege on that front).

We coded for the whole night but could not implement something considerable to show the demo except for login into a web app using PKI. We could not even completed the presentation since it was already too late and we started feeling dizzy too.

Showtime!

We reached late at the venue and were still feeling sleepy. I got a serious headache as well since the previous night I did travel by bus from Chennai to Bangalore which was pathetic. Teams had started the presentations but fortunately, our slot was in the second half, so I will get some time to prepare the ppt, I thought.

I was scratching my head on how to prepare the presentation for 20 minutes. Since we did not have a proper demo, I decided to give a talk on Blockchain technology in general (of course relating the idea) but still struggling where to start. But then I recalled about Sri Kumar's blog on Blockchain applications must be closed systems where he talked about data stored on the chain must circle back to the chain itself for validation. He further explains his point by giving an example of health insurance. I took this point and started my talk explaining with the very same example and finally related my idea. Judges liked the way I presented the problem statement and finally declared us Winner. I encourage you to go through Sri's blog on blockchain as a closed system and potential degeneration of contracts.

Other Solutions

Blood Diamond : 1st runner up

A blood donation system which provides end to end traceability. Blockchain-based blood donation system to trace blood and add accountability to the ecosystem by enabling digital signing of donated blood bottles by an authorised donation center, tracing and signing a pint of blood by the testing center.

Block Hunters 2 : 2nd runner up

A non-transactional cold storage hardware wallet to securely protect crypto private keys offline using NFC technology and blockchain. This NFC chip can be used to login to wallet to perform crypto transactions.

--

Happy Hacking!