Account Recovery in DApps by Voting

Introduction

Decentralized applications have stronger security and fault tolerance. Our motivation in this project is that decentralization would also mean that account recovery is impossible because you cannot contact the administrator to prove your identity to them.

○ Decentralized

The solution avoided using any third party action in the account recovery process.

○ Hindsight

Requires no additional steps before the account was lost.

○ Privacy

The verification is based on the information asymmetry between a random user and previous trade partners.

Introduction

Method

We developed a method to prove one's identity to the set of previous trade partners without revealing one's sensitive information like mobile number, address or SSN like what you would do when you recover a bank account. For each voter, the user will send the information he still remembers, like what he bought or what color is the product. The trade partners can then vote if the information is correct. The vote is backed by an encryption step offline, so only the correct voter can read his version of the proof. Because these information is only known to these two people and not available on the public ledger, we believe it would not cause additional privacy leak. So far, we've developed a prototype program on Hyperledger Composer with a spam filter to separate good requests from spam requests and a voting mechanism to finally decide if the request is authentic or not.

There have been existing works on recovery using predefined emergency contacts and advanced secret sharing. However, these solutions requires the user be forward thinking. Compared to existing work, the recovery process does not require the user to take any action before the recovery, which is significant as some users might not be forward-thinking to prepare for losing an account in the future.

Proposal

The solution make use of the information asymmetry between a normal user and trade partners

What everybody knows : transaction amount, partners (from public ledger)

What the trade partner knows : transaction amount, partners, good, method of delivery

Each trade partner knows a piece of the owner’s information. But only the owner is supposed to know everything.

The user will write down the private information for each prev trade partner encrypted with the partner’s pubkey. The trade partners can then vote if the information is detailed and truthful

We developed the demo on hyperledger composer

We used virtual coins to illustrate this system

The prev voters are found using historian registry

The private information(proofs) is encrypted offline then uploaded and stored as an asset

Every voter can view the proof, but can only decrypt his/her version using his/her private key offline

We also used a spam filter on the plaintext description to reduce fake recovery attacks

Veto-recovery makes sure the original owner can close the recovery on his/her account if it is an attack. Only the original owner can submit the Veto-recovery transaction

Limitation

51% Attack as a trader

A malicious attacker can plan to steal a user’s account by doing a lot of trades with the user using different accounts, to a point when more than half of the trade partners are controlled by the attacker. Then the attacker can recover the account if the owner didn’t veto.

Social engineering

The attacker may obtain private information about a user from cyberstalking or phishing scams. With enough data, the attacker may be able to convince the voters that he/she is the real owner of the account.

Future work

What we are working on is to make the system less vulnerable to attacks and make it more practical. So possible directions for future work can be finding ways to identify accounts belong to the same person. This is for solving the attack by doing microtransactions with different accounts to increase one's influence in the voting result. Another direction is development on Ethereum, as Ethereum is a more suitable platform for its generalized applications and built-in cryptocurrency.