Use of mnemonic & phrase for authentication.

[zanzendegi]

Suggested workflow for the authentication is as below:

1. On the first use of the app, we generate a mnemonic according to BIP39. Mnemonic generation must be deterministic.
2. Derive a private key from the mnemonic. Then derive a public key from the private key.
3. For every request to the server, the app will sign the payload with the private key. This is called Digital Signature.
4. For every request to the server, the app will also send the public key and the digital signature in the headers.
5. On the server, the authentication middleware will verify the digital signature with the incoming message (request payload) and replies with either OK (200) or Unauthenticated (401).

[lukas-h]

@zanzendegi This is so fundamental and crucial to the security of the project, could you create/provide a diagram to illustrate the whole authentication and encryption, so it is easier to understand the flow and the logic?

[armantorkzaban]

A basic suggestion from my side.
Everyone has edit access to the diagram via your GDrive. Please add your revisions.

[lukas-h]

Signal has really nice diagrams. something inspired by this would be good https://signal.org/docs/specifications/doubleratchet/

And @armantorkzaban I really want to see a diagram involving all of the keys being sent, the whole flow

[armantorkzaban]

We need to let the user select from the 16 available/suggested words in their preferred order.
@Kobin-ts

[zanzendegi]

@armantorkzaban When it comes to the security by randomness, there is no user choice/preference. The whole cryptography universe works by randomness. Letting users select their own words destroys the Entropy.

Indeed, user should be able to re-generate the mnemonic. For example, when someone sees my mobile screen or I find out I am under a CCTV camera, I need to re-generate my mnemonic.

@Kobin-ts In the verification screen, typing all the words without typos is difficult. We must display a shuffled list of words and force the user to select them in the correct order.

[zanzendegi]

The mnemonic screen is the first impression to the app. By UX, User should not feel it's a difficult app to work with. The shuffled list of words fixes the difficulty mindset to a great extent. I believe we need this in the MVP.
@drkangl90

[armantorkzaban]

@armantorkzaban When it comes to the security by randomness, there is no user choice/preference. The whole cryptography universe works by randomness. Letting users select their own words destroys the Entropy.

Indeed, user should be able to re-generate the mnemonic. For example, when someone sees my mobile screen or I find out I am under a CCTV camera, I need to re-generate my mnemonic.

@Kobin-ts In the verification screen, typing all the words without typos is difficult. We must display a shuffled list of words and force the user to select them in the correct order.

Here I am talking about the 'ordering' of the randomly presented words, by selection.

[armantorkzaban]

What's the state of this issue? shall we move/update/close? @zanzendegi