Beyond the private key: building a Blockstack hardware identity keychain
In a previous article I wrote about the risks of developing a multi-user Blockstack application and how application private keys could be compromised. Whilst I discussed multiple ways for developers to prevent leaking app private keys, the main issue remains: the app private key is supplied to the app and it only needs to be stolen once. In this post, I will show what I believe to be the solution: taking the app private key out of the app.
One way to do this is to create a bridge or other proxy service that receives the app private key and then performs crypto operations on behalf of the application. Such an approach is better than the current model. Still, if the user’s machine is compromised, it can lead to private key theft. I am convinced that none of the private keys — be it master, identity, or app — should ever exist on the user’s machine. Instead, they should reside on a separate hardware device, much like the many existing hardware wallets out there. I thus set out to create the first Blockstack hardware identity keychain prototype.
Blockstack authentication uses BIP32 and BIP39 but has its own peculiarities. I managed to implement a hardware counterpart by examining the BlockstackJS code. The current hardware keychain prototype, code-named “Ryder”, is compatible with the existing authRequest / authResponse mechanism and can therefore be used as a drop-in replacement for the Blockstack Browser. However, for a hardware device of this kind to succeed, it should tick a few boxes:
- Be portable. The current authentication model is rather finicky when it comes to bringing your identity with you. The master private key is stored in the Blockstack Browser and using your identities on different devices is not straightforward. Granted, you could bring your seed phrase with you, but that is rather dangerous. What if the computer you are entering your seed phrase into has a key logger installed, for example?
- Be easy to use. Hardware devices add a layer of complexity to an already complicated system. Signing in should be as straightforward as possible for non-tech-savvy users. It should be as easy as plugging in the device, unlocking it, and approving the sign-in.
- Be secure. No private key should ever leave the device. The user can then sign in on any machine without having to worry about identities being stolen.
With this in mind, I divided Blockstack hardware identity keychains into three types.
- Type 1: optionally requires bridge software and exports the app private key to the application to support the current Blockstack JS model. The app private key and optionally the owner private key leave the hardware keychain.
- Type 2: requires bridge software, but the bridge receives the app private key and performs crypto operations on behalf of the application after approval has been given by the user. The app private key leaves the hardware keychain.
- Type 3: the app interfaces with the hardware directly. No bridge software is required and all crypto operations are performed by the hardware. No private keys ever leave the hardware keychain. (A barrier could be crypto performance when streaming large files to it.)
The current Ryder prototype is a type 1 hardware keychain. It is a proof of concept on the path to a type 3 device.
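The difference between a type 1 and a type 3 keychain, as an added sketch that is not Ryder or BlockstackJS code: `createKeychain`, its method names and the approval callback are hypothetical, and HMAC-SHA256 derivation with Ed25519 stands in for Blockstack's BIP32-based keys.

```javascript
const crypto = require("node:crypto");

// PKCS#8 DER header that wraps a raw 32-byte Ed25519 seed.
const PKCS8_ED25519 = Buffer.from("302e020100300506032b657004220420", "hex");

// Simulated keychain: masterSecret never leaves this closure.
// Assumption: HMAC-SHA256 per-domain derivation and Ed25519 stand in for
// Blockstack's BIP32-based scheme, which is not reproduced here.
function createKeychain(masterSecret, approve) {
  const seedFor = (appDomain) =>
    crypto.createHmac("sha256", masterSecret).update(appDomain).digest();
  const keyFor = (appDomain) =>
    crypto.createPrivateKey({
      key: Buffer.concat([PKCS8_ED25519, seedFor(appDomain)]),
      format: "der",
      type: "pkcs8",
    });
  const confirm = (action, appDomain) => {
    if (!approve(action, appDomain)) throw new Error(`user rejected ${action}`);
  };
  return {
    // Type 1: the raw app private key crosses the boundary into the app.
    exportAppKey(appDomain) {
      confirm("export", appDomain);
      return seedFor(appDomain).toString("hex");
    },
    // Type 3: only public keys and signatures cross the boundary.
    appPublicKey(appDomain) {
      return crypto.createPublicKey(keyFor(appDomain));
    },
    sign(appDomain, message) {
      confirm("sign", appDomain);
      return crypto.sign(null, Buffer.from(message), keyFor(appDomain));
    },
  };
}

// Constructed demo values; the approval callback models the device button.
function demo() {
  const device = createKeychain(crypto.randomBytes(32), (action) => action === "sign");
  const app = "https://app.example";
  const msg = "constructed challenge";
  const sig = device.sign(app, msg);
  const ok = crypto.verify(null, Buffer.from(msg), device.appPublicKey(app), sig);
  let exported = true;
  try { device.exportAppKey(app); } catch { exported = false; }
  return { ok, sigLength: sig.length, exported };
}
```

With the export path refused by the device policy, the application can still authenticate: it holds a public key and a signature, and nothing that can be stolen and reused.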
The video above shows the Ryder in action. After clicking the sign-in button of a Blockstack application, a selection screen appears where the user can choose to use the Ryder or continue to the conventional Blockstack Browser. At the time of writing, the Ryder always exports the first identity. It is only an interface limitation, as it supports unlimited identities just like the Blockstack Browser. It is also fully compatible with existing Blockstack seed phrases, so existing identities can be restored onto it as well.
The prototype took many painstaking weeks to develop but there is still a lot of work left to be done. Next steps would be to prepare to move towards a type 2 device and to start thinking about a custom PCB. I would appreciate comments & feedback and can be reached on Twitter via @marvinjanssen. Suggestions in terms of possible funding are also appreciated, if the interest in such a device is great enough. Either way, I will post updates as research and development continues.
I envision that the final type 3 Ryder will be something akin to existing smart wearable devices. Something that is easy to bring along and allows the owner to securely sign in using his or her identities on any device in the world. It could use NFC or Bluetooth to transfer information whilst unlocked. Imagine simply placing a small device in a cradle and having all your data appear in front of you.