Ryouiki
Self-hosted domain communication service

Authentication

Key-based

Password

Passwords are user-chosen character sequences. Registration runs the OPAQUE protocol, so the server never receives the password itself; it stores only the resulting OPAQUE registration record, which is what later logins are verified against.

Password {
    Secret :natural
        # index of salt
    Envelope :sequence
        # serialized OPAQUE registration
}

RSA

Stores the public key corresponding to the client's private key.

During authentication, the server encrypts a random 128-byte challenge to the public key and sends the ciphertext. The client decrypts it and returns the plaintext, and the server checks that it matches the original challenge. Because the client decrypts whatever it is sent, the ciphertext must use a padding scheme such as RSAES-OAEP and the challenge must be bound to the current session; otherwise the client can be used as a decryption oracle for attacker-chosen ciphertexts.

RSA {
    Key :sequence
        # der serialization of public key
}

FIDO2

FIDO2 { }

Time-based One-time Authentication Code (TOTAC)

At setup, the server generates an RFC 6238-compatible secret, which is provided to the client.

During authentication, the client generates the code for the current time, which the server validates against its own calculation, allowing a small window of time steps for clock skew and rejecting a time step that has already been accepted.

TOTAC {
    Secret :sequence # block{N}?
        # token generation seed
}

Secret

Key used for token generation.
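The following is an added example of the TOTAC setup and check described above; it is not code from the Ryouiki project. It implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1 and a server-side verifier that accepts one time step of clock skew on either side and refuses to accept the same time step twice. The secret, the 30-second step, the digit count and the class and function names are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


class TotacVerifier:
    """Server side of the check: tolerate +/- `window` time steps, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algo = algo
        self.last_counter = -1  # highest time-step counter already accepted

    def verify(self, candidate: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # replay of a time step that was already used
            expected = hotp(self.secret, c, self.digits, self.algo)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    print(totp(seed, 59, digits=8))  # RFC 6238 vector for T=59 with SHA-1
    v = TotacVerifier(seed, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))
```

The verifier stores the last accepted counter per user; in a real deployment that state lives next to the user's Secret so that a code captured in transit cannot be replayed within the skew window.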

Pre-computed Authentication Code Table (PCACT)

At setup, the server generates a fixed number of tokens (50 to 1000) and provides them to the user. Each table references a byte sequence that is used to salt every token hash in the table.

During authentication, the server sends a random number; the user reduces it modulo the table size to obtain the token index and responds with the token at that index, which the server validates against the stored hash.

PCACT {
    Secret :natural
        # index of salt
    Table :list{block{32}}
        # list of hashed tokens
}
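The following is an added example of the PCACT flow above, not code from the Ryouiki project. It builds a table of 32-byte SHA-256 hashes (matching block{32}) from a per-table salt, derives the index from the server's random number modulo the table size, and validates the response in constant time. Two choices are assumptions of the example rather than the spec: the slot index is mixed into the hash so that a token only verifies at its own position, and a slot is cleared after a successful use so that a token captured in transit cannot be replayed.

```python
import hashlib
import hmac
import secrets


TOKEN_BYTES = 8  # assumed token length; the spec does not fix one


def hash_token(salt: bytes, index: int, token: str) -> bytes:
    """32-byte digest of (salt, slot index, token); this is what the server stores."""
    return hashlib.sha256(salt + index.to_bytes(4, "big") + token.encode()).digest()


def generate_table(size: int, salt: bytes):
    """Setup: return (tokens handed to the user, hashes kept by the server)."""
    if not 50 <= size <= 1000:
        raise ValueError("table size must be between 50 and 1000")
    tokens = [secrets.token_hex(TOKEN_BYTES) for _ in range(size)]
    return tokens, build_table(salt, tokens)


def build_table(salt: bytes, tokens) -> list:
    return [hash_token(salt, i, t) for i, t in enumerate(tokens)]


def index_for(challenge: int, table_size: int) -> int:
    """Both sides map the server's random number to a slot the same way."""
    return challenge % table_size


def verify(table: list, salt: bytes, challenge: int, response: str) -> bool:
    """Server side: check the response for the challenged slot and burn the slot on success."""
    idx = index_for(challenge, len(table))
    stored = table[idx]
    if stored is None:
        return False  # slot already consumed
    if hmac.compare_digest(stored, hash_token(salt, idx, response)):
        table[idx] = None
        return True
    return False


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    user_tokens, server_table = generate_table(50, salt)
    challenge = secrets.randbits(32)
    idx = index_for(challenge, len(user_tokens))  # the user computes the same index
    print(verify(server_table, salt, challenge, user_tokens[idx]))  # True
    print(verify(server_table, salt, challenge, user_tokens[idx]))  # False, slot burned
```

Reducing a 32-bit random number modulo a table size of at most 1000 introduces a negligible bias; what matters for the scheme is that the server, not the user, picks the number.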

Message-based

Email, One-time Authentication Code (OTAC/Email)

The server sends a randomly generated authentication code by email to the user's configured address; the client returns that code in its answer.

The user's email address must be verified before this method is enabled.

Code expiration time, relative to request time, may be configured in minutes.

Method requires domain email configuration.

OTAC_Email {
    Address :natural
        # index of user's email address
    Expiration :natural
        # expiration of code in minutes
}
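The following is an added example of the server-side state for the OTAC/Email method, not code from the Ryouiki project. It issues a six-digit code with an expiry measured in minutes from the request time (the Expiration field), accepts it once, rejects it after expiry, and gives up after a fixed number of wrong guesses. The six-digit format, the attempt limit, the injectable clock and the class name are assumptions of the example; sending the email itself is out of scope.

```python
import hmac
import secrets
import time


class EmailCodeStore:
    MAX_ATTEMPTS = 5  # assumed guess limit, not from the spec

    def __init__(self, expiration_minutes: int, clock=time.time):
        self.ttl = expiration_minutes * 60
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}  # user -> (code, expires_at, failed_attempts)

    def issue(self, user: str) -> str:
        """Request time: create a fresh code and return it for delivery by email."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (code, self.clock() + self.ttl, 0)
        return code

    def verify(self, user: str, candidate: str) -> bool:
        """Answer time: single use, expires after ttl, locked after too many misses."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, failed = entry
        if self.clock() > expires_at or failed >= self.MAX_ATTEMPTS:
            del self._pending[user]
            return False
        if hmac.compare_digest(code, candidate):
            del self._pending[user]
            return True
        self._pending[user] = (code, expires_at, failed + 1)
        return False


if __name__ == "__main__":
    store = EmailCodeStore(expiration_minutes=10)
    code = store.issue("alice@example.invalid")  # constructed address
    print(store.verify("alice@example.invalid", code))  # True
    print(store.verify("alice@example.invalid", code))  # False, already used
```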

Service-based

OAuth2

OAuth2 { }

Management

Methods

Domain administrators define authentication methods, each of which may be assigned to one or more domain users.

Classes

Managed authentication methods may be organized into classes.

Challenges

Administrators may restrict the challenges issued for a given authentication to selected configurations, methods, or classes.

Procedure

Framing

All authentication-related packets should be padded to a fixed size (TBD) so that packet length does not reveal which method or step is in use.
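The following is an added example of such fixed-size framing, not code from the Ryouiki project. Since the size is still TBD, the example assumes a 1024-byte frame with a two-byte big-endian length prefix and random fill; both values and the function names are assumptions. The point it demonstrates is that every frame, including error responses, has the same length on the wire, and that the receiver checks the length prefix before slicing so a malformed frame cannot make it read into the padding.

```python
import os
import struct


FRAME_SIZE = 1024  # assumed; the spec leaves the size TBD
HEADER = 2         # big-endian payload length
MAX_PAYLOAD = FRAME_SIZE - HEADER


def frame(payload: bytes) -> bytes:
    """Wrap `payload` in a frame of exactly FRAME_SIZE bytes."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one frame")
    fill = os.urandom(MAX_PAYLOAD - len(payload))  # contents are hidden by transport encryption
    return struct.pack(">H", len(payload)) + payload + fill


def unframe(data: bytes) -> bytes:
    """Recover the payload, rejecting frames of the wrong size or with a bad length prefix."""
    if len(data) != FRAME_SIZE:
        raise ValueError("frame has wrong size")
    (length,) = struct.unpack(">H", data[:HEADER])
    if length > MAX_PAYLOAD:
        raise ValueError("length prefix exceeds frame")
    return data[HEADER:HEADER + length]


if __name__ == "__main__":
    # Constructed messages of very different sizes produce identically sized frames.
    short = frame(b"ok")
    long_ = frame(b"x" * 900)
    print(len(short), len(long_))           # 1024 1024
    print(unframe(short), len(unframe(long_)))  # b'ok' 900
```

Padding only hides length if it is applied to every message in the exchange, including rejections; a short "authentication failed" packet next to padded successes would leak the outcome.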