Might be a bit of a weird but interesting scenario: I have a Telegram bot and I need to authenticate users, but I don't want to store any user data (at least not openly).
So here's a breakdown:
- I need to prove that the user has access to the bot. So there's a "timeframe" variable, an extra piece of information which might be helpful.
- The infrastructure cannot be trusted, so the DB can't store any user data.
- Encryption is not an option since there's no way to keep the key secure (I can store it in memory, but what do I do in case of a restart?).
- Hashing is hard because Telegram sends user_id and usernames in the metadata. Unfortunately these are well known (IDs are just sequential 32-bit numbers, and usernames can be changed arbitrarily), so this is prone to brute-force attacks. bcrypt might be a solution, but I thought there might be better ones.
- One option is that the user sends a unique string (a password). But this is not always possible in my scenario because some of the users are IoT devices and they are hard to manipulate.
I know that the solution revolves around hashing, but how can I make it really hard to brute force?
The original field is 32 bits, but the space gets really small when you factor in the IDs actually taken (probably on the order of 100 million).
That sounds impossible, but I have the "timeframe" field. Since the bot runs continuously, is there a blockchain-like solution where it rehashes some stored data every now and then so that older data becomes obscured and exponentially harder to brute force?
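Added example, not part of the question above and not the poster's code: it shows the brute-force problem with a plain hash of a sequential 32-bit user_id, then a salted, memory-hard (scrypt) record that the running bot advances by one rehash round per epoch, with verification replaying the rounds from the id Telegram presents. The `Record`, `enroll`, `advance_epoch`, `verify` and `brute_force_*` names, the 4-byte id encoding and the scrypt cost parameters are illustrative assumptions; the scrypt cost is set deliberately low so the demo runs in well under a second.

```python
"""Brute-forcing a hashed 32-bit user_id, and a salted, stretched, epoch-advanced
record that makes each guess expensive. Example code with assumed names; the
Telegram side (where user_id comes from) is out of scope."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

ID_BYTES = 4                                    # the 32-bit user_id field from the question
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1    # demo-sized cost (assumption); raise N in practice


def plain_token(user_id: int) -> bytes:
    """Weak scheme: unsalted SHA-256 of the id. Cheap to compute, hence cheap to reverse."""
    return hashlib.sha256(user_id.to_bytes(ID_BYTES, "big")).digest()


def brute_force_plain(token: bytes, id_space: int) -> Optional[int]:
    """Enumerate candidate ids against a plain token; pure Python already does ~1e6 SHA-256/s."""
    for cand in range(id_space):
        if plain_token(cand) == token:
            return cand
    return None


def stretched(user_id: int, salt: bytes) -> bytes:
    """Salted, memory-hard base hash. A brute force has to pay this cost per candidate id."""
    return hashlib.scrypt(user_id.to_bytes(ID_BYTES, "big"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass
class Record:
    salt: bytes    # random per user, stored in the clear alongside the state
    epoch: int     # number of rehash rounds applied since enrollment
    state: bytes   # current chained digest; the user_id itself is never stored


def enroll(user_id: int) -> Record:
    """Create the stored record for a user at epoch 0."""
    salt = secrets.token_bytes(16)
    return Record(salt=salt, epoch=0, state=stretched(user_id, salt))


def step(state: bytes, salt: bytes, epoch: int) -> bytes:
    """One rehash round; the epoch number is mixed into the salt so rounds are not interchangeable."""
    return hashlib.scrypt(state, salt=salt + epoch.to_bytes(4, "big"),
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def advance_epoch(rec: Record) -> Record:
    """Run by the continuously running bot on a timer: replace the state with its next round."""
    rec.epoch += 1
    rec.state = step(rec.state, rec.salt, rec.epoch)
    return rec


def verify(user_id: int, rec: Record) -> bool:
    """Recompute from the id Telegram presents, replaying every round the record has seen."""
    s = stretched(user_id, rec.salt)
    for e in range(1, rec.epoch + 1):
        s = step(s, rec.salt, e)
    return secrets.compare_digest(s, rec.state)


def brute_force_record(rec: Record, id_space: int) -> Optional[int]:
    """Same enumeration against a stretched record: each candidate costs (epoch + 1) scrypt calls."""
    for cand in range(id_space):
        if verify(cand, rec):
            return cand
    return None


if __name__ == "__main__":
    uid = 123_456                                   # constructed sample user_id
    print("plain hash recovered:", brute_force_plain(plain_token(uid), 200_000))
    rec = enroll(uid)
    for _ in range(3):
        advance_epoch(rec)
    print("epoch:", rec.epoch, "verify real id:", verify(uid, rec),
          "verify wrong id:", verify(uid + 1, rec))
```

Two things worth noting about this design. Each advanced epoch adds exactly one more scrypt call per candidate, so an attacker who copies the database at epoch k pays (k + 1) scrypt calls per guessed id: the cost grows linearly with elapsed epochs, not exponentially, and the bulk of the protection comes from the salted memory-hard base hash and its cost parameters. With realistic parameters (say 100 ms per scrypt call), enumerating 100 million ids is on the order of 10^7 seconds per core per epoch, which is what makes the approach worthwhile; the N = 2^10 used here is only for the demo.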