 |
February 03, 2014, 01:59:58 AM
Last edit: February 03, 2014, 03:02:06 AM by crazydownloaded |
|
Hello,
I'm currently working on a multi-currencies web wallet.
I'm wondering about the security of the encryption model I chose:
- During wallet setup, the user choose a password
- His browser (using JsEncrypt library) generates RSA (1024 bits) private/public key pairs
- It encodes the user's private key using AES encryption (symetric) and send the encrypted private key + the user's public key to the server for saving (using CryptoJS library)
- Private key of addresses the user generates are encoded using it's public key (this way I don't need to ask the user for its password)
- When signing a transaction, I ask the user for its password, decode its RSA private key using it and then decode the address' private key using the decrypted RSA private key.
- This also have the advantage to permit the user to change its password easily (on the server side I only need to save the new encrypted private key, without changing addresses encrypted private keys)
This seems pretty robust to me. Do you see any weakness in this model?
|
