[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [taler-anastasis] 01/03: Added employee api for authenticat
From: |
gnunet |
Subject: |
[GNUnet-SVN] [taler-anastasis] 01/03: Added employee api for authentication procedures like video identification etc. Http Status is missing yet. |
Date: |
Fri, 13 Sep 2019 23:34:28 +0200 |
This is an automated email from the git hooks/post-receive script.
dennis-neufeld pushed a commit to branch master
in repository anastasis.
commit 739e092d24b6731214e79585b918484366841cf0
Author: Dennis Neufeld <address@hidden>
AuthorDate: Fri Sep 13 15:18:07 2019 +0200
Added employee api for authentication procedures like video identification
etc. Http Status is missing yet.
---
src/api/api-anastasis.rst | 126 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 124 insertions(+), 2 deletions(-)
diff --git a/src/api/api-anastasis.rst b/src/api/api-anastasis.rst
index 3d6f3e1..9210d81 100644
--- a/src/api/api-anastasis.rst
+++ b/src/api/api-anastasis.rst
@@ -390,12 +390,12 @@ argument and signature may be optional.
// ground truth, i.e. H(challenge answer),
// phone number, e-mail address, picture, fingerprint, ...
- // (Q: as string in base32 encoding?)
+ // base32 encoded
//
// The truth MUST NOT be revealed to the user, even
// after successful authentication (of course the user
// was originally aware when establishing the truth).
- truth: byte[];
+ truth: string;
// mime type of truth, i.e. text/ascii, image/jpeg, etc.
truth_mime: string;
@@ -482,4 +482,126 @@ argument and signature may be optional.
}
+--------------
+Employee API
+--------------
+
+This API is used for authentication procedures that require an employee to
authenticate
+a client (e.g. video identification).
+The employee uses an AssignmentRequest_ object to request a job to be
processed from the server.
+The server responds accordingly with an AssignmentResponse_ object that
contains, among other
+things, the required Truth-Object (for example, a photo that is required for
video identification).
+When the employee has processed the job, it sends the corresponding result, an
EncryptedVerificationResult_ object,
+back to the server. The EncryptedVerificationResult-Object must contain an
AES-GCM tag resulting from the
+encryption of a VerificationResult_ object. Since the server has all the data
needed to create the
+same tag (with result=true), it can compare the tags: If the tags match, the
verification was
+successful. If the tags do not match (the employee has set result=false etc.),
the verification will
+be considered as failed.
+
+.. http:get:: /employee/assignment/employee_ID
+
+Request:
+Body must contain an AssignmentRequest_ object.
+
+Response:
+Returns an EncryptedAssignmentResponse_ object.
+
+**Details:**
+
+ .. _AssignmentRequest:
+ .. code-block:: tsref
+
+ interface AssignmentRequest {
+ // Binary ECDHE ephemeral public key used to encrypt the gzip compressed
JSON-encoded AssignmentResponse_
+ employee_pub: EddsaPublickey;
+
+ // Salt included to encrypt the VerificationResult_ for this session
+ employee_salt: string;
+
+ }
+
+ .. _EncryptedAssignmentResponse:
+ .. code-block:: tsref
+
+ interface EncryptedAssignmentResponse {
+ // Authentication tag
+ aes_gcm_tag: byte[32];
+
+ // Variable-size encrypted assignment object with public key obtained
from AssignmentRequest_.
+ // After decryption, this contains a gzip compressed JSON-encoded
`AssignmentResponse`_.
+ // The salt of the HKDF for this encryption must include the
+ // string "EAR" and is obtained from the AssignmentRequest_.
+ encrypted_assignment_response: byte[];
+
+ }
+
+ .. _AssignmentResponse:
+ .. code-block:: tsref
+
+ interface AssignmentResponse {
+ nonce: string;
+
+ // Binary ECDHE ephemeral public key used to encrypt the gzip compressed
JSON-encoded VerificationResult_
+ server_pub: EddsaPublickey;
+
+ // Time when this assignment was generated
+ timestamp: Timestamp;
+
+ // Expiration time of the session/assignment
+ deadline: Timestamp;
+
+ // ground truth, i.e. picture,
+ // base32-encoded
+ truth: string;
+
+ // mime type of truth, i.e. text/ascii, image/jpeg, etc.
+ truth_mime: string;
+
+ // UUID of the authentication method
+ uuid: UUID;
+
+ }
+
+.. http:post:: /employee/verification/UUID
+
+**Details**
+
+ .. _EncryptedVerificationResult:
+ .. code-block:: tsref
+
+ interface EncryptedVerificationResult {
+ // Authentication tag
+ aes_gcm_tag: byte[32];
+
+ // Variable-size encrypted verification object with public key obtained
from AssignmentResponse_.
+ // After decryption, this contains a gzip compressed JSON-encoded
`VerificationResult`_.
+ // The salt of the HKDF for this encryption must include the
+ // string "EVR". The Nonce obtained from AssignmentResponse_ must be
also included by the HKDF.
+ encrypted_verification_result: byte[];
+
+ }
+
+ .. _VerificationResult:
+ .. code-block:: tsref
+
+ interface VerificationResult {
+ // result of verification procedure
+ // true -> verification successful
+ result: boolean;
+
+ // Time when this assignment was generated
+ timestamp: Timestamp;
+
+ // Expiration time of the session/assignment
+ deadline: Timestamp;
+
+ // ground truth, i.e. picture,
+ // base32-encoded
+ truth: string;
+
+ // mime type of truth, i.e. text/ascii, image/jpeg, etc.
+ truth_mime: string;
+ // UUID of the authentication method
+ uuid: UUID;
+ }
\ No newline at end of file
--
To stop receiving notification emails like this one, please contact
address@hidden.