Move to secure 2FA on the blockchain

SMS messages are the most popular method of two-factor authentication (2FA). It is used by banks, electronic and crypto wallets, mailboxes and all kinds of services; the share of users of the method approaches 100%.

This state of affairs makes me angry, because the method is insecure. Reassigning a number from one SIM card to another began at the dawn of the mobile era: this is how a number is restored when a SIM card is lost. "Digital money theft specialists" realized that the "rewrite the SIM card" option can be used in fraud schemes. After all, whoever controls the SIM card can control other people's online banking, electronic wallets, and even cryptocurrency. And you can take over another person's number by bribing a telecom employee, or by using deception or forged documents.

Thousands of episodes of SIM swapping, as this fraud scheme is called, have been uncovered. The scale of the disaster suggests that the world will soon abandon 2FA via SMS. But this is not happening: according to research, it is not users who choose the 2FA method, but service owners.

We propose using a secure 2FA method that delivers one-time codes via the blockchain, and we will explain how a service owner can connect it.

The count runs into the millions

In 2019, SIM-swap fraud rose by 63% according to London police, and the attacker's "average bill" was 4,000 GBP. I did not find statistics for Russia, but I assume they are even worse.

SIM swapping is used to steal popular Twitter, Instagram, Facebook and VK accounts, bank accounts, and recently even cryptocurrency, The Times reports, citing Bitcoin entrepreneur Joby Weeks. High-profile cases of cryptocurrency theft using SIM swapping have been appearing in the press since 2016; 2019 saw a real peak.

In May, the U.S. Attorney's Office for the Eastern District of Michigan charged nine young people aged between 19 and 26: they are believed to be part of a hacker gang called "The Community". The gang is charged with seven swap attacks, as a result of which the criminals stole cryptocurrency worth more than $2.4 million. And in April, California student Joel Ortiz received 10 years in prison for SIM swapping; his haul was $7.5 million in cryptocurrencies.

Photo of Joel Ortiz at a university press conference. Two years later he will be arrested for cyber fraud.

How SIM swapping works

"Swapping" means exchange. In all such schemes, criminals take over the victim's phone number, usually by having the SIM card reissued, and use it to reset passwords. A typical SIM swap in theory looks like this:

  1. Reconnaissance. Fraudsters find out the victim's personal information: name and phone number. These can be found in open sources (social networks, friends) or obtained from an accomplice, an employee of the mobile operator.
  2. Blocking. The victim's SIM card is deactivated; to do this, it is enough to call the provider's technical support, give the number and say that the phone was lost.
  3. Capture: transferring the number to your own SIM card. Usually this is also done through an accomplice at the telecom company or by forging documents.

In real life things are more severe. Attackers pick a victim and then track the phone's location daily: one request for the information that the subscriber has switched to roaming costs 1-2 cents. As soon as the owner of the SIM card has gone abroad, they negotiate with a manager in a communications shop to issue a new SIM card. It costs about $50 (I found information: in different countries and with different operators, from $20 to $100), and in the worst case the manager will be fired; there is no liability for this.

Now all SMS messages will be received by the attackers, and the owner of the phone cannot do anything about it: he is abroad. Then the villains gain access to all of the victim's accounts and change the passwords if they wish.

Chances of recovering stolen property

Sometimes banks meet victims halfway and reverse the transfers from their accounts. So it is possible to get fiat money back even if the criminal is not found. But with cryptocurrency wallets everything is more complicated, both technically and legally. So far, not a single exchange or wallet has paid compensation to swap victims.

If victims want to defend their money in court, they blame the operator: it created the conditions for the theft of money from the account. That is exactly what Michael Terpin did, who lost 224 million rand because of swapping. He is now suing the telecommunications company AT&T.

So far, no state has working schemes to legally protect cryptocurrency owners. It is impossible to insure your capital or receive compensation for its loss. Therefore, preventing a swap attack is easier than dealing with its consequences. The most obvious way is to use a more reliable "second factor" for 2FA.

SIM swapping is not the only problem with 2FA via SMS

Confirmation codes in SMS are also insecure from a technical point of view. Messages can be intercepted because of unpatched vulnerabilities in Signaling System 7 (SS7). 2FA over SMS is officially recognized as insecure (the U.S. National Institute of Standards and Technology says so in its Digital Authentication Guide).

At the same time, the presence of 2FA often gives the user a false sense of security, and he chooses a simpler password. Therefore, such authentication does not make it harder, but easier for an attacker to gain access to the account.

And often an SMS arrives with a long delay or does not arrive at all.

Other 2FA methods

Of course, smartphones and SMS are not the only option. There are other 2FA methods. For example, one-time TAN codes: an old method, but it works, and it is still used in some banks. There are systems that use biometric data: fingerprints, retina scans. Another option that looks like a reasonable compromise in terms of convenience, reliability and price is dedicated 2FA applications: RSA Token, Google Authenticator. There are also physical keys and other methods.

In theory, everything looks logical and reliable. But in practice, modern 2FA solutions have problems, and because of them reality differs from expectations.

According to research, using 2FA is an inconvenience in principle, and the popularity of 2FA via SMS is explained by "less inconvenience compared to other methods": receiving one-time codes is understandable to the user.

Users associate many 2FA methods with the fear that access will be lost. A physical key or a list of TAN passwords can be lost or stolen. I personally have had a bad experience with Google Authenticator. My first smartphone with this application broke: appreciate my efforts to restore access to my accounts. Another problem is switching to a new device. Google Authenticator does not have an export option for security reasons (if keys can be exported, what security is there?). Once I transferred the keys manually, and then I decided that it was easier to leave the old smartphone in a box on a shelf.

The 2FA method should be:

  • Secure: only you, and not attackers, should get access to your account
  • Reliable: you get access to your account whenever you need it
  • Convenient and accessible: using 2FA is clear and takes minimal time
  • Cheap

We believe that blockchain is the right solution.

Use 2FA on the blockchain

For the user, 2FA on the blockchain looks the same as receiving one-time codes via SMS. The only difference is the delivery channel. The way to get a 2FA code depends on what the blockchain offers. In our project (information is in my profile) this is a Web application, Tor, iOS, Android, Linux, Windows, MacOS.

The service generates a one-time code and sends it to the messenger on the blockchain. Then the classic flow follows: the user enters the received code in the service interface and logs in.

In the article "How does a decentralized messenger on the blockchain work?" I wrote that the blockchain ensures the security and privacy of message transmission. On the question of sending 2FA codes, I will highlight:

  • One click to create an account: no phones or emails.
  • All messages with 2FA codes are End-to-End encrypted with curve25519xsalsa20poly1305.
  • MITM attacks are ruled out: every message with a 2FA code is a transaction on the blockchain and is signed with Ed25519 EdDSA.
  • A message with a 2FA code ends up in its own block. The sequence and timestamp of blocks cannot be altered, and therefore neither can the order of messages.
  • There is no central structure that checks the "authenticity" of a message. This is done by a distributed system of nodes based on consensus, and it is owned by the users.
  • Cannot be disabled: accounts cannot be blocked and messages cannot be deleted.
  • Access to 2FA codes from any device at any time.
  • Confirmation of delivery of the message with the 2FA code. The service that sends the one-time password knows for certain that it has been delivered. No "Send again" buttons.

To compare with other 2FA methods, I made a table:

The user gets an account in the blockchain messenger for receiving codes in a second: only a passphrase is used to log in. Therefore, the ways of applying it can differ: you can use one account to receive codes for all services, or you can create a separate account for each service.

There is also an inconvenience: the account must have at least one transaction. For the user to receive an encrypted message with a code, you need to know his public key, and it appears in the blockchain only with the first transaction. This is how we got around it: we gave users the opportunity to receive free tokens in their wallet. However, a better solution is to name the account by the public key. (For comparison, our account number U1467838112172792705 is derived from the public key cc1ca549413b942029c4742a6e6ed69767c325f8d989f7e4b71ad82a164c2ada. For a messenger this is more convenient and readable, but for a system for sending 2FA codes it is a limitation.) I think that in the future someone will make such a decision and move "Convenience and accessibility" into the green zone.

The price of sending a 2FA code is really low: 0.001 ADM, which is currently 0.00001 USD. Also, you can launch your own blockchain and make the price zero.

How to connect 2FA on the blockchain to your service

I hope I have managed to interest a few readers in adding blockchain authorization to their services.

I will explain how to do this using our messenger as an example, and by analogy you can use another blockchain. In the 2FA demo application we use postgresql10 to store account information.

Connection stages:

  1. Create an account on the blockchain from which you will send 2FA codes. You will receive a passphrase, which is used as a private key to encrypt messages with codes and to sign transactions.
  2. Add a script to your server to generate 2FA codes. If you already use any other 2FA method with one-time password delivery, you have already completed this step.
  3. Add a script to your server to send codes to the user in the blockchain messenger.
  4. Create a user interface for sending and entering the 2FA code. If you already use any other 2FA method with one-time password delivery, you have already completed this step.

1 Account creation

Creating an account on the blockchain means generating a private key, a public key, and the account address derived from it.

First, a BIP39 passphrase is generated, and a SHA-256 hash is computed from it. The hash is used to generate the private key ks and the public key kp. From the public key, using the same SHA-256 with inversion, we get the address on the blockchain.

If you want to send 2FA codes from a new account each time, the account creation code will need to be added to the server:

import Mnemonic from 'bitcore-mnemonic'
// Generate a new BIP39 passphrase from the English word list
this.passphrase = new Mnemonic(Mnemonic.Words.ENGLISH).toString()

…

import * as bip39 from 'bip39'
import crypto from 'crypto'

// SHA-256 of the BIP39 seed; the 32-byte result seeds the key pair
adamant.createPassphraseHash = function (passphrase) {
  const seedHex = bip39.mnemonicToSeedSync(passphrase).toString('hex')
  return crypto.createHash('sha256').update(seedHex, 'hex').digest()
}

…

import sodium from 'sodium-browserify-tweetnacl'

// Ed25519 key pair derived from the 32-byte hash
adamant.makeKeypair = function (hash) {
  const keypair = sodium.crypto_sign_seed_keypair(hash)
  return {
    publicKey: keypair.publicKey,
    privateKey: keypair.secretKey
  }
}

…

import crypto from 'crypto'
// Assumption: the big-integer helper is not shown in the original snippet;
// the npm package bignum provides fromBuffer
import bignum from 'bignum'

// Address: 'U' + the first 8 bytes of SHA-256(public key), reversed, as a decimal number
adamant.getAddressFromPublicKey = function (publicKey) {
  const publicKeyHash = crypto.createHash('sha256').update(publicKey, 'hex').digest()
  const temp = Buffer.alloc(8)
  for (let i = 0; i < 8; i++) {
    temp[i] = publicKeyHash[7 - i]
  }
  return 'U' + bignum.fromBuffer(temp).toString()
}

In the demo application, we simplified it: we created one account in the web application and send codes from it. In most cases this is also more convenient for the user: he knows that the service sends 2FA codes from a specific account and can name it.
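The whole derivation chain from this section (passphrase, SHA-256 of the BIP39 seed, Ed25519 key pair, address) as one runnable script that uses only Node's built-in crypto module. This is an added example, not code from the article or the demo application; the function names and the sample passphrase are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
// salt "mnemonic" + optional password, 2048 rounds, 64 bytes.
function bip39Seed(mnemonic, password = '') {
  return crypto.pbkdf2Sync(mnemonic.normalize('NFKD'),
    'mnemonic' + password.normalize('NFKD'), 2048, 64, 'sha512');
}

// Ed25519 public key from a 32-byte seed. Node has no "from seed" call,
// so the seed is wrapped in the fixed PKCS#8 header for Ed25519.
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');
function publicKeyFromSeed(seed32) {
  const priv = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed32]), format: 'der', type: 'pkcs8',
  });
  const spki = crypto.createPublicKey(priv).export({ format: 'der', type: 'spki' });
  return spki.subarray(spki.length - 32); // the raw key is the last 32 bytes
}

// Address: first 8 bytes of SHA-256(public key), byte-reversed and read as a
// big-endian integer, which equals reading those 8 bytes as little-endian.
function addressFromPublicKey(publicKey) {
  const hash = crypto.createHash('sha256').update(publicKey).digest();
  return 'U' + hash.readBigUInt64LE(0).toString();
}

function accountFromPassphrase(passphrase) {
  const hash = crypto.createHash('sha256').update(bip39Seed(passphrase)).digest();
  const publicKey = publicKeyFromSeed(hash);
  return { publicKey: publicKey.toString('hex'), address: addressFromPublicKey(publicKey) };
}

// Constructed sample: a publicly known BIP39 test mnemonic, never use it for a real account.
const sample = 'abandon abandon abandon abandon abandon abandon ' +
  'abandon abandon abandon abandon abandon about';
console.log(accountFromPassphrase(sample));
```

Because the address keeps only 64 bits of the hash, the public key cannot be recovered from it, which is why the recipient needs at least one transaction on the chain before encrypted codes can be sent to him.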

2 Generating 2FA codes

A 2FA code must be generated at each user login. We use the speakeasy library, but you can choose any other.

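const speakeasy = require('speakeasy');

// Counter-based one-time code (HOTP) for the current login attempt
const hotp = speakeasy.hotp({
  counter,
  secret: account.seSecretAscii,
});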

Checking the validity of the 2FA code entered by the user:

se2faVerified = speakeasy.hotp.verify({
  counter: this.seCounter,
  secret: this.seSecretAscii,
  token: hotp,
});

3 Sending the 2FA code

To deliver the 2FA code, you can use the blockchain node API, the JS API library, or the console. In this example we use the console: this is a Command Line Interface, a utility that simplifies interaction with the blockchain. To send a message with a 2FA code, you need to use the console's send message command.

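const util = require('util');
const exec = util.promisify(require('child_process').exec);

…

// adamantAddress ends up in a shell command line, so check that it is
// 'U' followed by digits before building the command
const command = `adm send message ${adamantAddress} "2FA code: ${hotp}"`;
// The promisified exec rejects on failure, so errors arrive as exceptions,
// not as a returned field
const { stdout, stderr } = await exec(command);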

Another way to send messages is to use the send method of the JS API library.
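Steps 2 and 3 as one server-side flow, written as an added example that is not from the article or the demo application: HOTP (RFC 4226) computed with Node's built-in crypto instead of speakeasy, a verifier that consumes the counter so each code works once, and an argument list for the console's send message command that rejects anything other than a U-plus-digits address. The names hotp, verifyAndConsume and buildSendArgs, the account object shape and the three-attempt limit are assumptions.

```javascript
const crypto = require('crypto');

// HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// then dynamic truncation to a decimal code.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[19] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Check the code the user typed against the server-side counter.
// The counter advances on success, so a code cannot be replayed;
// failed attempts are counted and the code is burned after maxTries.
function verifyAndConsume(account, token, maxTries = 3) {
  const expected = Buffer.from(hotp(account.secret, account.counter));
  const given = Buffer.from(String(token));
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  if (ok || ++account.failed >= maxTries) {
    account.counter += 1; // invalidate the current code either way
    account.failed = 0;
  }
  return ok;
}

// Arguments for `adm send message <address> "<text>"`, meant for
// child_process.execFile so that no shell parses user-influenced values.
function buildSendArgs(address, code) {
  if (!/^U\d{1,20}$/.test(address)) throw new Error('bad address');
  if (!/^\d{6}$/.test(code)) throw new Error('bad code');
  return ['send', 'message', address, `2FA code: ${code}`];
}

// Constructed sample account (the secret is the RFC 4226 test secret).
const account = { secret: '12345678901234567890', counter: 0, failed: 0 };
const code = hotp(account.secret, account.counter);
console.log(buildSendArgs('U1467838112172792705', code));
console.log(verifyAndConsume(account, code), verifyAndConsume(account, code));
```

The second verification of the same code returns false because the counter has already moved on; persist the counter and the failure count with the account record so this holds across restarts.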

4 User interface

The user needs to be given the option to enter the 2FA code; this can be done in different ways depending on your application platform. In our example it is Vue.

The source code of the demo application for blockchain two-factor authentication can be viewed on GitHub. The Readme has a link to a live demo so you can try it.

Source: www.habr.com
