4

I am working on a project where I need the functionality of user registration and user login. I need some suggestions. What would be the better way of achieving this task?

A.) Old school email & password OR
B.) By using public & private keys?

What I understand from option B is that we need to enroll a user from CA from Fabric-SDK. Once enrolment of the user is done, we can generate a unique password-phrase, like the same is happening in Meta-Mask. We can store that user info along with its username (the default username in fabric is user1, user2) with the password-phrase. During user login, it will ask for the user's private key or the unique password-phrase generated for its account. The certificates will be stored in hfc-keystore (the default dir used in Hyperledger fabric). Whenever a transaction is executed by that user, say user akshay.sood, we will set the context of that user to fabric-client (Please correct if I am wrong in this case).

Here, my questions/queries are:

1.) What do you prefer (email/password or private/public keys and why?).
2.) If you prefer the 2nd mechanism, then how will you protect user keys and certificates stored in the hfc-keystore dir? I mean it can be hacked or data can be stolen by a hacker.
3.) How to recover the user's private/public key and certificate if it is deleted mistakenly from hfc-dir?
4.) Would you prefer using a password-phrase? If not, what do you prefer?

Edits are welcome.
Please let me know if you have any suggestions/improvements.

Akshay Sood
  • 1
    Hello, what have you done in the end? I am also doing an application where I need username / password authentication in an Angular frontend. Now I am struggling to do this. Maybe you can help me here – BlockchainProgrammer Feb 20 '19 at 13:32
  • @BlockchainProgrammer I am following a similar use case. Any leads or challenges you have encountered would be very helpful – Shweta Gupta Nov 04 '19 at 12:55

1 Answer

0

Your question is a choice of your preference, convenience & business needs. You can use either or both approaches in combination. Asking the user to keep or manage his private keys calls for a managed wallet. However, IMHO, if you are concerned about leakage or loss of private keys then you would need a Hardware Security Module that is specifically designed for this purpose.

P.S. Fabric & its examples store the keys in hfc folder for simplicity, although not recommended in real cases.

arnabkaycee
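Added example, not part of the original question or answer and not Fabric SDK code: one software-only way to avoid a plaintext private key on disk is to store it as passphrase-encrypted PKCS#8 and treat a successful decrypt as the login check, as the question's option B sketches. It uses only Node's built-in `crypto`; the function names are hypothetical, and the ECDSA P-256 key generated here is an assumed stand-in for the key produced at enrollment.

```javascript
const crypto = require('node:crypto');

// Create a key pair and return the private key only in encrypted form.
// Assumption: ECDSA P-256 stands in for the enrolled user's key.
function createProtectedIdentity(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8',
      format: 'pem',
      cipher: 'aes-256-cbc', // PEM is written as "ENCRYPTED PRIVATE KEY"
      passphrase,
    },
  });
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Login check: the passphrase is accepted only if it decrypts the stored key.
// Returns a KeyObject held in memory, or null for a wrong passphrase.
function unlockIdentity(encryptedPrivateKey, passphrase) {
  try {
    return crypto.createPrivateKey({ key: encryptedPrivateKey, format: 'pem', passphrase });
  } catch (err) {
    return null;
  }
}

// Sign a payload with the unlocked key (hypothetical helper).
function signPayload(keyObject, payload) {
  return crypto.sign('sha256', Buffer.from(payload), keyObject);
}

// Verify with the public key, which needs no protection at rest.
function verifyPayload(publicKeyPem, payload, signature) {
  return crypto.verify('sha256', Buffer.from(payload), publicKeyPem, signature);
}

// Constructed sample values, for demonstration only.
const demo = createProtectedIdentity('constructed sample passphrase');
const unlocked = unlockIdentity(demo.encryptedPrivateKey, 'constructed sample passphrase');
const demoSig = signPayload(unlocked, 'constructed transaction payload');
console.log('wrong passphrase rejected:', unlockIdentity(demo.encryptedPrivateKey, 'guess') === null);
console.log('signature verifies:', verifyPayload(demo.publicKey, 'constructed transaction payload', demoSig));
```

A stolen key file is then only as weak as the passphrase, and a forgotten passphrase makes the key unrecoverable; the HSM route from the answer keeps the key off the filesystem altogether.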