Website Authentication


Introduction

This page describes the authentication workflow used by the Website Authentication demo.

General Authentication

In general, the following authentication mechanism is used:

[Figure: general authentication workflow]

A user (the visitor) requests authentication information from a service provider (website server) to check its authenticity. The service provider creates and signs the needed data and makes it available to the user. The user then verifies the authenticity of that data by checking the signature and the service provider-related identity data stored on the Blockchain.

Data Type

To verify the authenticity of a domain, the QR Code must contain data of the following type.

Website Authentication

interface WebAuth {
    type: string;               // authentication type
    title: string;              // title shown to user
    domain: string;             // website domain
}

Website Authentication Participants

The website authentication demo uses the following participants to create the attestation path for entity verification:

[Figure: website authentication attestation path]

Root (ARDOR-47NS-P7AU-HZNN-84PW6)

The root account acts as the trust anchor.
It has the following data items stored on the Blockchain:

  • entity:name -> Blobaa Root
  • contact:email -> hi.blobaa@gmail.com

Server CA (ARDOR-AEZV-YQDZ-8X2L-7V6G6)

The server CA guarantees the authenticity of the service provider.
It has the following data items stored on the Blockchain:

  • entity:name -> Blobaa Server CA

Server (ARDOR-W7BP-294E-9A8U-9NADY)

The website server entity represents the Blobaa website provider and has the following data items stored on the Blockchain:

  • entity:name -> Blobaa

For a detailed description of how to collect this information from the Blockchain, please have a look at the Travel Draw documentation.

Website Authentication Demo Workflow

Authentication

The authentication mechanism used by the website authentication demo differs slightly from the general workflow. Because the website authentication is static, and the signature time of the QR Code data is therefore not validated on the user side, the QR Code data was created beforehand.

The user scans the code with the Blobaa app and verifies the authenticity of the signed data. After successful verification, the user compares the domain shown in the app with the domain of the website being visited. If they match, the user can be sure they are visiting an authentic website.

[Figure: website authentication workflow]

Website Authentication Data

The following authentication data is used for the Blobaa demo page.

// Demo payload, typed with the WebAuth interface defined above
const webAuth: WebAuth = {
    type: "auth:web",
    title: "Blobaa Demonstrator",
    domain: "demo.blobaa.dev"
};
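
The final step above, comparing the signed domain with the visited site, is easy to get wrong when done by eye or by substring. The following is an added example, not code from the Blobaa project: it assumes the QR payload is the WebAuth object serialized as JSON and that signature and attestation path verification have already succeeded; the function names are hypothetical.

```typescript
// Added example, not Blobaa code. Assumption: the QR payload is the WebAuth object as JSON.
interface WebAuth {
    type: string;
    title: string;
    domain: string;
}

// Values from the demo data on this page, serialized as JSON (serialization is assumed).
const SAMPLE_QR = '{"type":"auth:web","title":"Blobaa Demonstrator","domain":"demo.blobaa.dev"}';

const HOSTNAME = /^[a-z0-9-]+(\.[a-z0-9-]+)+\.?$/i;

// Parse untrusted QR text; returns null unless it is a well-formed auth:web payload.
function parseWebAuth(qrText: string): WebAuth | null {
    let raw: unknown;
    try {
        raw = JSON.parse(qrText);
    } catch {
        return null;
    }
    if (typeof raw !== "object" || raw === null) return null;
    const { type, title, domain } = raw as Record<string, unknown>;
    if (type !== "auth:web" || typeof title !== "string") return null;
    // Reject anything that is not a bare hostname (no scheme, path, port or userinfo).
    if (typeof domain !== "string" || !HOSTNAME.test(domain)) return null;
    return { type: "auth:web", title, domain };
}

// Lower-case and drop the trailing root dot so "Demo.Blobaa.Dev." equals "demo.blobaa.dev".
function normalizeHost(host: string): string {
    return host.toLowerCase().replace(/\.$/, "");
}

// Exact host comparison against the parsed URL; substring or suffix checks are not enough.
function domainMatches(auth: WebAuth, visitedUrl: string): boolean {
    try {
        return normalizeHost(new URL(visitedUrl).hostname) === normalizeHost(auth.domain);
    } catch {
        return false; // not a parseable URL
    }
}

// Verdict for one scan: "invalid" payload, "mismatch", or "match".
function checkScan(qrText: string, visitedUrl: string): "invalid" | "mismatch" | "match" {
    const auth = parseWebAuth(qrText);
    if (auth === null) return "invalid";
    return domainMatches(auth, visitedUrl) ? "match" : "mismatch";
}
```

A "match" verdict only has meaning for a payload whose signature and attestation path back to the root account have already been verified.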

© 2020 Attila Aldemir. All rights reserved.