
Description
Meveto is a cyber-security company headquartered in California, US, aiming to provide a strong, decentralized and simple authentication system that can easily replace today's outdated and easily broken password-, 2FA- and MFA-based authentication systems. With Meveto, the need for passwords and other weaker security measures is completely eliminated. Meveto empowers your personal mobile device (such as your phone) to authenticate you anywhere and at any time on the internet (of course, this only works with services that have adopted Meveto), and we hope that not only people but also workstations, devices and the IoT will move in this direction.
Meveto uses PKI (Public Key Infrastructure) to authenticate entities. It uses the strong elliptic-curve cryptography X25519 with a key size of 384 bytes. When a device is paired with a Meveto account, a public/private key pair is generated on the device and the public key is sent to the Meveto servers. The advantage is that the private key, the most important piece, never leaves the original device, ensuring maximum security. Each time a device is paired through the Meveto app (Android or iOS), the app generates a new public/private key pair on that device (even when the app is reinstalled on the same device), so the entire security control is fully decentralized. The following steps briefly describe how Meveto works.
Registration:
1. The user registers with Meveto. Meveto issues a "device ID" and a short, single-use "pairing key".
2. The user downloads the Meveto app on their device. They use the device ID and pairing key to pair the device with their Meveto account.
3. Before sending the "pairing request", the Meveto app generates a public/private key pair and sends the public key, together with the device ID and pairing key, to the Meveto servers.
4. The Meveto servers verify the device ID and pairing key and store the device's public key.
Authentication:
1. On the Meveto website, the user enters their username or email address and requests a login.
2. Meveto generates up to 6 pseudo-random digits and displays them on the user's screen; this is called the session ID. In addition, Meveto sends a "login session token" to the browser, which the browser can exchange for an authentication token once the process is complete.
3. The user enters the session ID digits they see on the screen into their paired Meveto app and presses the "Authenticate" button.
4. The Meveto app sends its ID (stored at initial pairing) and the session digits the user just entered, and signs the request with its private key.
5. The Meveto servers first validate the input data, then use the device ID to retrieve the device's public key stored during the pairing process, and use that public key to verify the request's signature. If the signature verifies successfully, Meveto checks and verifies the session digits (note that verifying the session digits is only needed to confirm that the user actually requested the login); apart from that, authentication is performed by verifying the signature.
6. If all goes well, the Meveto servers broadcast an event that authentication succeeded. The user's browser listens for the broadcast and then requests an authentication token from the server using the "login session token" it received.
Original plugin description
Meveto is a cyber-security company based in California, US. We aim to provide a strong, decentralized and simple authentication system that can easily replace the current outdated and obsolete password-based or 2FA- and MFA-based authentication systems, which can be compromised easily. With Meveto, the need for passwords and other weak measures is completely eliminated. Meveto empowers your personal mobile devices, such as your phone, to always be able to authenticate you everywhere over the internet (of course you can only use Meveto with services that have adopted it), and we hope that soon we will be revolutionizing the way not only people, but workstations, devices and IoT authenticate.
How it works
Meveto uses PKI (Public Key Infrastructure) to authenticate an entity. It uses the X25519 curve of strong elliptic-curve cryptography with a key size of 384 bytes. When a device is paired with a Meveto account, a public/private key pair is generated on the device itself and the public key is sent to the Meveto servers. This way, the private key, which is the most important piece in the puzzle, never leaves the original device, thus ensuring maximum security. Each device generates a new pair through the Meveto app (Android or iOS) when it is being paired (even if the app is re-installed on the same device), and this way the entire security control is fully decentralized. Here are the steps that briefly explain how Meveto works.
The Registration
1. A user registers with Meveto. Meveto sends the user a “device ID” and a short, one-time “Pairing Key”.
2. The user downloads the Meveto app on their device. They use the Device ID and Pairing Key to pair the device with their Meveto account.
3. Before sending the “pairing request”, the Meveto app generates a public and private key pair. It then sends the public key along with the device ID and pairing key to the Meveto servers.
4. The Meveto servers verify the device ID and pairing key and store the public key of the device.
The Authentication
1. From Meveto’s website, the user enters their username or email address and requests login.
2. Meveto generates up to 6 pseudo-random digits and displays them to the user on their screen. We call this a session ID; however, it has absolutely no significant role to play and does not need to be unique. Additionally, Meveto also sends a “LoginSessionToken” to the browser, which the browser can then exchange for an authentication token when the process is complete.
3. The user enters the session ID digits they see on the screen into their paired Meveto app and presses the “Authenticate” button.
4. The Meveto app sends its ID (which was stored at the time of initial pairing) and the session digits that the user just entered, and signs the request with its private key.
5. The Meveto servers first validate the input data, of course, then use the “Device ID” to fetch the “Public key” of the device that was stored during the pairing process. The Meveto servers then use the public key to verify the signature of the request. If the signature is successfully verified, Meveto checks the session digits and verifies those as well (note that verifying the session digits is only needed to confirm that the user has actually requested a login); apart from that, the authentication is done through the verification of the signature.
6. If all goes well, the Meveto servers broadcast an event that the authentication has been successful. The user’s browser listens for the broadcast and then requests an authentication token from the servers against the “LoginSessionToken” that the browser received when the user requested login.
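The pairing and signed-login exchange described in the registration and authentication steps above, written out as an added example in Go (this is not Meveto's code). It uses Ed25519 signatures from Go's standard library as a stand-in for the page's signing step, and the `Server`/`Device` types, the `"deviceID|digits"` message layout and all sample values are assumptions; the one-time pairing-key check and the browser's LoginSessionToken exchange are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server side: only the public key of each paired device is stored, keyed by device ID.
type Server struct {
	Devices map[string]ed25519.PublicKey
}

func NewServer() *Server { return &Server{Devices: map[string]ed25519.PublicKey{}} }

// Device side: the key pair is generated on the device (the Meveto app in the text).
type Device struct {
	ID   string
	priv ed25519.PrivateKey // never leaves the device
}

// Pair generates the key pair on the device; only the public key and device ID go to the server.
func Pair(s *Server, deviceID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.Devices[deviceID] = pub
	return &Device{ID: deviceID, priv: priv}, nil
}

// Authenticate builds the login request (device ID plus the session digits the
// user typed) and signs it with the device private key. Layout is an assumption.
func (d *Device) Authenticate(digits string) (msg, sig []byte) {
	msg = []byte(d.ID + "|" + digits)
	return msg, ed25519.Sign(d.priv, msg)
}

// Verify fetches the stored public key by device ID and checks the signature
// first; only then are the signed digits compared with those shown on screen.
func (s *Server) Verify(deviceID, shownDigits string, msg, sig []byte) error {
	pub, ok := s.Devices[deviceID]
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("unknown device ID or invalid signature")
	}
	if string(msg) != deviceID+"|"+shownDigits {
		return errors.New("session digits do not match the login request")
	}
	return nil
}
```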
