A secure login where the user's private key is never hosted on servers or the user's online devices ( this project can also be used as a form of two-factor authentication ( 2FA ) where the user's private key is never hosted on servers )
1 ) Using an online device ( D1 ) the user goes to the server's login page ( S1 )
2 ) The user simply enters his username in the form, and this data is submitted to the server ( login.php )
3 ) If the user's username exists in the server's database ( code.php ) then the server creates a random code ( 108 alphanumeric characters that are case sensitive ) and a QR code containing the random code is sent to the user ( code.php )
4 ) Using an offline device ( D2 ) the user scans the QR code, encrypts the QR code data with the user's private key and creates a new QR code. Subsequently, using the online device ( D1 ) the user scans the new QR code created on the offline device ( D2 ) and the encrypted data contained in this new QR code is submitted to the server ( code.php )
5 ) The server decrypts the encrypted data submitted by the user with the user's public key ( test.php ) if the decrypted data matches the random code created by the server then the user will be able to access the user's home page ( home.php )
6 ) And the user will also be able to access the user's profile page ( profile.php )
» Philosophy : Never-Never
-
Private Keys : ( Never on servers ) and ( Never on online devices )
-
Therefore, public keys only on ( online or offline ) servers and private keys only on offline devices.
-
This philosophy only applies when using asymmetric encryption algorithms ( RSA, ECDSA, EdDSA, etc. )
» Philosophy : Only-Only
-
Private Keys : ( Only on offline servers ) and ( Only on offline devices )
-
Therefore, private keys : never on online servers and never on online devices.
-
This philosophy only applies when using symmetric encryption algorithms ( AES, 3DES, etc. )