Signature Decryption – How to Decrypt Signed Message with Web3 and Public Key?

public-keysignature

I want to verify my user before the server sends him information.

So I want the user to sign a message using his private key, then the server decrypt that signature to verify the user is indeed the owner of a wallet address.

So I used the following on the client side

web3.eth.personal.sign

I am not sure what I can use on the server side to decrypt that signature and verify the original message and sender address.

Thank you for advance.

Best Answer

Most answers for verification are outdated. Something like the following worked for me.

    var msg = Buffer.from(msgstr);
    const prefix = Buffer.from("\x19Ethereum Signed Message:\n");
    var prefixedMsg = Buffer.concat([prefix, 
    Buffer.from(String(msgstr.length)), msg]);
    
    prefixedMsg = Web3.utils.keccak256(prefixedMsg);
    prefixedMsg = prefixedMsg.substring(2);
    prefixedMsg = Uint8Array.from(Buffer.from(prefixedMsg, 'hex'));
    var pub = ethJsUtil.ecrecover(prefixedMsg , vrs.v, vrs.r, vrs.s);
    var addrBuf = ethJsUtil.pubToAddress(pub);
    var addr = ethJsUtil.bufferToHex(addrBuf);

Related Solutions

Ethereum Encryption – How to Encrypt a Message with the Public Key of an Ethereum Address

thx @Edmunx Edgar, i tried to use ECIES, but it failed to install because of a subdepencency. I now used the bitcore-lib together with bitcore-ecies. This works like expected.

EDIT: I created a npm-module which does exactly theses things and also has some performance optimisations and tutorials: github:eth-crypto.

Here is my code for anyone with the same question:

// run 'npm install eth-crypto --save'

const EthCrypto = require('eth-crypto');

// create identitiy with key-pairs and address
const alice = EthCrypto.createIdentity();

const secretMessage = 'My name is Satoshi Buterin';
const encrypted = await EthCrypto.encryptWithPublicKey(
    alice.publicKey, // encrypt with alice's publicKey
    secretMessage
);

const decrypted = await EthCrypto.decryptWithPrivateKey(
    alice.privateKey,
    encrypted
);

if(decrypted === secretMessage) console.log('success');

Run via CodeSandbox

Key Generation Guide – How to Generate Private/Public Keys Securely?

Everything in a contract is public so it is not a good idea to store the private keys inside a contract to decode messages. A hacker can determine your private key and create fake messages.

Also not a good idea to have a hardcoded private key in your mobile app. It is possible that a hacker can do a reverse engineering and find your keys.

It is hard to recommend something without more details. Probably I'd create a new pair private/public key on installation and store them in secure storage of the OS, and register the public key with your contract.

Now your app can sign transaction with its private key and send the signed message to the contract. The contract can use the ecrecover trick to recover the public key of the message signature and verify it is one of the registered in the contract.

Best Answer

Related Solutions

Ethereum Encryption – How to Encrypt a Message with the Public Key of an Ethereum Address

Key Generation Guide – How to Generate Private/Public Keys Securely?

Related Topic