by Pierre-Marie Riviere

How to let DApp users recover a lost private key

On Ethereum, private keys are used to access accounts, sign messages, etc. Once you lose access to your private key, you lose access to all funds stored with that account.

How is that different from losing a credit card PIN code? You can’t ask the bank to give you a new code, because the bank doesn’t exist on Ethereum. Your funds are still credited to your address on the blockchain, but there is no way for you to withdraw them.

Accounts and [DApp-] services on the Ethereum blockchain aim to be decentralized, and no one is safekeeping access codes on your behalf.

A service storing your private key in its database would be able to access your funds at any moment — just like a bank — and this goes precisely against what the Ethereum community is trying to achieve.

So how do we reconcile Ethereum’s call for decentralization and a user’s need for support services?

For decentralized service providers, being financial custodians also has strong legal implications. A look into our own case: The DApact is building a Credit-as-a-Service platform atop existing lending agents in low-income countries. We define ourselves as a software company: a plug-and-play tech platform for legally registered local lenders.

Having access to users’ funds would make us a financial service provider rather than a software company, and this would imply scrutiny by local financial regulators. This would eventually translate into being required to have some kind of banking license and capital deposit in each country where The DApact is available.

In pure DApp services, there is absolutely no way to regain access to your funds once you lose your private key. Users need to take care of backing up their recovery passphrase to a safe place themselves. The most effective approach in practice is to literally write down the passphrase three times and keep the hard copies in different places.

Certain users tend to lose this passphrase or not back it up at all in the first place. This is a significant problem for all DApps developers, and specifically for The DApact as we’re dealing with populations who often don’t have as much knowledge about tech. Therefore, recoverability solutions must be available for our users.

Users must be offered private key recoverability solutions adapted to their understanding of decentralized systems.

Such recoverability solutions should respect the following three criteria:

  • External: Decentralized service providers cannot have access to the private key.

  • Customizable: Users should be able to understand and configure recovery options even in the event of private key loss.

  • Secure: There should be no easy way to hijack the account of another person via recovery options. Only the person actually owning the account should be able to recover it.

Existing solutions

Here is an overview of solutions being implemented, beefed-up or explored by UX designers in the Ethereum community, starting with the most rolled-out.

Multiple owners

MultiSig wallets allow for setting a number of owners n. If fewer than n owners are required to confirm a transaction, the remaining owners can replace an owner who loses access. This solution, however, requires at least 3 owners or owner devices (with 2 confirmations required for transactions) and a strong degree of trust between owners.

Mnemonic

A mnemonic (AKA seed phrase or passphrase) is a series of words that can cryptographically derive a private key. Users need to back up their recovery mnemonic themselves and make sure to keep it safe so they could regenerate their private key if lost.

This recovery option is the standard for Ethereum addresses and wallets right now. Mnemonics have become a well-understood mechanism among advanced DApp users; a less knowledgeable user, however, should have different options. Mnemonics are only as secure as the place they are kept in. Written on a piece of paper, they are exposed to fire and floods, theft and crumbling.

Biometric data

A go-to solution for the industry would be biometric data like a fingerprint, iris scan or face ID. Biometric data cannot be “lost” like passwords on a piece of paper. If Apple and Samsung are investing so much into biometrics, it has to be a great solution, right?

The problem with this option is that once a person’s biometric data is exposed to the public, there is no way to secure an account with it anymore, since you cannot change your fingerprint the way you can change a password or switch an account. This eventuality is becoming more and more plausible as face recognition goes mainstream, and there is even an OpenCV-based repo available on GitHub.

Another downside of biometrics is that readings from different fingerprint sensors can be quite fuzzy and may not match exactly; for example, if a user cuts themselves there might be problems.

Social recovery

Users could designate a group of friends who are able to recover access to their account on their behalf (i.e. each of them holds a piece of the signature, and the pieces, combined together, would grant access to the account). The account owner is replaced only when all friends agree.

The biggest problem with this solution is that the group of friends could work together and steal access to the account from the owner even if the owner did not ask them to. That is why ideally, the members of the group should not know who else is part of the group.

A form of social recovery has been successfully implemented by WeChat to allow for password recovery: when a user loses their password, WeChat asks them to pick out the people in their contact list from a big list of names. Given that WeChat holds sensitive banking information, this is definitely a good lead for DApps.

Standard KYC procedures

Similar to how modern banks perform KYC procedures on new customers, users could identify themselves to KYC providers in order to regain access to their funds. Users would, however, need to have performed the procedure once beforehand to set it up, so that the providers know the identity behind an address.

This solution has been used for token swap operations (e.g. Nimiq). KYC verification is usually handled by third-party providers like IDnow, which is costly and somewhat contrary to blockchain principles.

Paralysis proof

This new concept is also known as time lock recovery and last resort recovery. In case access to an account is lost, it can be marked as such. Also, the person marking it as lost may put in a deposit. Now a time period starts after which the account is replaced. During that time period the actual account owner could prove that the account is actually not lost by making a transaction. If so, the attacker loses the deposit which is transferred to the account.
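The time lock flow described above, modeled as a small state machine (an added example, not code from the article or from any deployed contract). The one-week period, the minimum deposit, the refund of an unchallenged deposit and all names are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecoverableAccount:
    owner: str
    balance: int = 0
    challenge_period: int = 7 * 24 * 3600  # assumed: one week, in seconds
    min_deposit: int = 100                 # assumed minimum stake
    claimant: Optional[str] = None
    deposit: int = 0
    deadline: int = 0

    def _settle(self, now: int) -> None:
        """Apply a claim whose time period ended without an owner transaction."""
        if self.claimant is not None and now >= self.deadline:
            self.owner = self.claimant
            # Assumption: an unchallenged claimant gets the deposit back.
            self.claimant, self.deposit = None, 0

    def mark_lost(self, claimant: str, deposit: int, now: int) -> int:
        """Open a recovery claim; returns the time at which it takes effect."""
        self._settle(now)
        if self.claimant is not None:
            raise RuntimeError("a recovery claim is already pending")
        if deposit < self.min_deposit:
            raise ValueError("deposit below the required minimum")
        self.claimant, self.deposit = claimant, deposit
        self.deadline = now + self.challenge_period
        return self.deadline

    def transact(self, sender: str, amount: int, now: int) -> None:
        """Spend from the account; an owner transaction defeats a pending claim."""
        self._settle(now)
        if sender != self.owner:
            raise PermissionError("only the current owner can transact")
        if self.claimant is not None:
            self.balance += self.deposit  # forfeited deposit goes to the account
            self.claimant, self.deposit = None, 0
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount


if __name__ == "__main__":
    acct = RecoverableAccount(owner="owner-key", balance=1000)  # constructed sample
    acct.mark_lost("other-key", deposit=100, now=0)
    acct.transact("owner-key", 0, now=3600)  # owner is still active
    print(acct.owner, acct.balance)
```

The security of the scheme rests on the length of the period: an owner who cannot transact within it loses the account to whoever marked it as lost.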

As more designers enter the blockchain space, there is hope that a great mind will come up with the killer UX for cryptographic key management. Or who knows, maybe it will be a historian of the Middle Ages bringing up some old knight’s trick to secure gold…

For the time being, a number of solutions (or combination of them) show good potential as per our 3 criteria (externality, customizability, security). Once the community agrees on acceptable recoverability solutions, a common design language and standardized Best Practices will need to be adopted consistently across the ecosystem so that DApps users get accustomed to recoverability patterns.

The DApact is a blockchain framework for microfinance operations.

You can follow us on Twitter or join the Telegram.

Translated from: https://www.freecodecamp.org/news/solutions-for-private-key-management-in-decentralized-apps-d20b25c7474a/
