Topic: Multi account security
columbo (OP)
Jr. Member
October 06, 2017, 08:41:31 AM
#1

We would like to offer wallet service for hundreds / thousands of our clients. We want to make it as secure as possible.
Based on what is described here:

"- Make one cross browser compatible web version and add browser side encryption feature, then you can use bitaddress.org script to create bitcoin address and encrypted private key (using password entered by your client), then store that encrypted private key in your server.
- Give those encrypted private keys some identifier or simply tie it up with user's email so your script can identify which encrypted private key it should look at when users try to sign in.
- Now you can show balances from that address in user's dashboard and for added security you can add 2FA.
- If you want to run a profitable bitcoin wallet then set some fixed fees (recommended network fee + your profit) after you will get really good number of users using your wallet on daily basis."

We will use the importprivkey bitcoin-cli command to add account to wallet and create "Account1", "Account2", "Account3", etc. accounts. How can we protect these accounts so Account1 will only be able to see and spend what is on Account1?

Or, is there a way that we only import the private key from the account temporarily (by decrypting the above mentioned encrypted private key with user's password) and drop it right after account is logged out?
mocacinno
Legendary
October 06, 2017, 08:50:31 AM
Last edit: October 06, 2017, 09:02:38 AM by mocacinno
#2

There seem to be many problems with your theory. For starters: it looks like you want to safeguard your user's private keys by letting them use bip38 encryption, but you're still thinking about importing those (unencrypted) private keys onto your node... As far as I can see, this would nullify your security model. The basic idea of your model seems to be that the private key is bip38 encrypted in the user's browser before it's sent to your server. You only keep the encrypted key. When a user tries to log in, you fetch the encrypted key and it gets decrypted in the user's browser.
If you want to import said key, the user would need to send this decrypted key to you, and you'd need to import it... As I said: this would nullify your security concept.

There is no easy way to import a private key and get the balance without rescanning the chain (takes a long time). You'll need to run a modified bitcoin daemon that allows you to index addresses, txid's,... For example, bitcore has an implementation, but afaik, they forked from core 0.12... link

If you go down the path of giving each user an account and then import his/her private key, you should realise that "sendtoaddress" has no "account" option. This means that the wallet will pick the most suitable unspent outputs regardless of which account they belong to. This will force you to manually generate new transactions, manually selecting the outputs, signing, broadcasting,... Or you'll need to work with a "hot" wallet and separate your accounting, so the user doesn't have his own wallet anymore, he just has a deposit address you monitor, and you let him spend from the hot wallet directly...

Maybe you can have a look at bitcore's implementation of bitcoin core and their wallet implementation?

Last but not least: I welcome users experimenting with bitcoin, but I doubt there is room in the bitcoin landscape for yet another online wallet... A lot of those wallets turn out to be ill-written or plain out scams. There might be better projects to dedicate your time to than to pump out yet-another-soon-to-be-a-potential-scam-online-wallet.

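Added example (not part of the thread or of any poster's code): a sketch of the manual output selection that reply #2 says is needed because "sendtoaddress" has no account option. It filters a listunspent-style result down to one user's address and returns the inputs and outputs in the shape createrawtransaction takes. The function name, the placeholder addresses and txids, the sample data and the dust threshold are assumptions made for illustration.

```python
from decimal import Decimal

DUST = Decimal("0.00000546")  # assumed dust limit; smaller change is left to the fee

# Constructed listunspent-style result; txids and addresses are placeholders.
SAMPLE_UTXOS = [
    {"txid": "aa" * 32, "vout": 0, "address": "ADDR_ACCOUNT1", "amount": 0.5, "confirmations": 12},
    {"txid": "bb" * 32, "vout": 1, "address": "ADDR_ACCOUNT2", "amount": 3.0, "confirmations": 40},
    {"txid": "cc" * 32, "vout": 0, "address": "ADDR_ACCOUNT1", "amount": 0.2, "confirmations": 3},
    {"txid": "dd" * 32, "vout": 2, "address": "ADDR_ACCOUNT1", "amount": 1.0, "confirmations": 0},
]

def build_user_spend(utxos, user_address, dest, amount, fee, min_conf=1):
    """Return (inputs, outputs) in the shape createrawtransaction takes,
    funded only by confirmed outputs that pay user_address."""
    amount, fee = Decimal(amount), Decimal(fee)
    if amount <= 0 or fee < 0:
        raise ValueError("amount must be positive and fee non-negative")
    if dest == user_address:
        raise ValueError("destination equals the change address")
    # Hard filter: outputs belonging to other users are never candidates.
    own = [u for u in utxos
           if u["address"] == user_address and u["confirmations"] >= min_conf]
    own.sort(key=lambda u: Decimal(str(u["amount"])), reverse=True)
    inputs, total = [], Decimal(0)
    for u in own:
        if total >= amount + fee:
            break
        inputs.append({"txid": u["txid"], "vout": u["vout"]})
        total += Decimal(str(u["amount"]))
    if total < amount + fee:
        raise ValueError("insufficient confirmed funds for this user")
    # Amounts are emitted as fixed-point strings to avoid float rounding.
    outputs = {dest: format(amount, "f")}
    change = total - amount - fee
    if change >= DUST:
        outputs[user_address] = format(change, "f")  # change returns to the same user
    return inputs, outputs

if __name__ == "__main__":
    print(build_user_spend(SAMPLE_UTXOS, "ADDR_ACCOUNT1", "ADDR_DEST", "0.6", "0.0001"))
```

The result still has to be signed with the user's key and broadcast; the selection step only guarantees that one user's spend is never funded by another user's outputs, even though the wallet as a whole holds more.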
columbo (OP)
Jr. Member
October 06, 2017, 09:09:18 AM
#3

Thanks for your comments.
Obviously, the last thing we want is to secure our clients' funds. Our main business model is not the wallet model, it is exchange, but it is really hard to offer an exchange for newbies without offering a wallet. We noticed that the vast majority of our exchanges stop at the moment the client needs to provide his bitcoin address. So this is why we are exploring the possibility to offer wallet services.
mocacinno
Legendary
October 06, 2017, 09:12:16 AM
#4

If it's something you're only going to do as an extra service for clients, I'd definitely suggest going for bitcore's implementation:
https://bitcore.io/guides/wallet-service

This way, you'd have a relatively time-tested service that seems to be pretty secure without having to re-invent the wheel and invest thousands of development hours to create a very basic wallet service.
