Bitcoin Forum
Author Topic: Wallet per user  (Read 1313 times)
DannyHamilton
February 09, 2013, 11:16:46 PM
 #21

First off why would he switch them out each time someone wanted to use it.
That's a really good question that I'm still trying to understand. See here:

. . . shutdown the daemon and replace the wallet.dat file . . .

. . . Easily, you have the user supply a password, hash it, use that hash to create the public key, which then would be used to encrypt the wallet file. Then you do the opposite to decrypt the wallet file. It is kinda encryption 101 . . .
I can't make sense of what you are saying. If the user wants to create a new address, what do they transmit to your server? Do they send the un-encrypted private key?  If they send only the public key, then how will your server sign transactions for them?  How will your server protect them from losing their private keys?

. . . I wouldn't store the wallet on the users side . . . because the average gullible user needs to be protected from himself . . .

The only way to keep the private keys protected is to store them encrypted, then send the encrypted key to the user so they can decrypt it with the client software on their side and sign the transactions themselves on their side.

gweedo
February 09, 2013, 11:29:53 PM
 #22

First off why would he switch them out each time someone wanted to use it.
That's a really good question that I'm still trying to understand. See here:

. . . shutdown the daemon and replace the wallet.dat file . . .

That will take too much time. I can't speak for 0.8.0 'cause I have yet to play with it, but anything lower than this will not be able to do it. You have to rescan when you switch the wallet.dat, and that takes a while.

. . . Easily, you have the user supply a password, hash it, use that hash to create the public key, which then would be used to encrypt the wallet file. Then you do the opposite to decrypt the wallet file. It is kinda encryption 101 . . .
I can't make sense of what you are saying. If the user wants to create a new address, what do they transmit to your server? Do they send the un-encrypted private key?  If they send only the public key, then how will your server sign transactions for them?  How will your server protect them from losing their private keys?

No, I am just talking about protecting the wallet.dat file. Honestly this is not really a good way to do it. But to create a new address, you would have to decrypt the wallet.dat with the password from the person and you would probably have to encrypt the bitcoin.conf so you can use the JSON RPC API to create the new address. It is so many working parts that would take a long time, while keeping the connection to the user alive so they can get the address as soon as it is created.

DannyHamilton
February 10, 2013, 12:14:11 AM
 #23

. . . Honestly this is not really a good way to do it . . .

I agree, which is what I'm trying to get madmadmax to understand.

. . . But to create a new address, you would have to decrypt the wallet.dat with the password from the person . . .
Meaning that anyone who has access to your server now has access to the user's password, and all their bitcoins.  That doesn't sound secure, and doesn't sound like a good idea.  The way https://bclockchain.info/wallet handles it is far more secure (and faster).

. . . It is so many working parts that would take a long time, while keeping the connection to the user alive so they can get the address as soon as it is created.
I agree.  All that in addition to the serious lack of security.
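
The arrangement described in posts #21 and #23, as an added example that is not part of the thread or any poster's code: the client derives a key from the password with scrypt and seals the private key with AES-256-GCM, so the server only ever holds ciphertext. The `BlobStore` class, the account name, the password and the scrypt parameters are assumptions made for illustration (Node.js `crypto`).

```javascript
const crypto = require("crypto");

// scrypt cost parameters (assumed values for illustration; tune for your hardware).
const KDF = { N: 1 << 14, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// CLIENT: derive a key from the password and seal the private key with AES-256-GCM.
function sealPrivateKey(privKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32, KDF);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(privKey), cipher.final()]);
  const blob = { salt, iv, ct, tag: cipher.getAuthTag() };
  // Hex-encode every field so the blob can travel and be stored as JSON.
  return Object.fromEntries(Object.entries(blob).map(([k, v]) => [k, v.toString("hex")]));
}

// CLIENT: reverse the process; a wrong password or a tampered blob throws.
function openPrivateKey(blob, password) {
  const [salt, iv, ct, tag] = ["salt", "iv", "ct", "tag"].map((k) => Buffer.from(blob[k], "hex"));
  const key = crypto.scryptSync(password, salt, 32, KDF);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// SERVER (hypothetical): a blob store keyed by account.
// It never receives the password, the derived key or the plaintext private key.
class BlobStore {
  constructor() { this.blobs = new Map(); }
  put(account, blob) { this.blobs.set(account, JSON.stringify(blob)); }
  get(account) { return JSON.parse(this.blobs.get(account)); }
}

function demo() {
  const server = new BlobStore();
  const privKey = crypto.randomBytes(32); // constructed stand-in for a real private key
  server.put("alice", sealPrivateKey(privKey, "correct horse battery staple"));

  const fetched = server.get("alice"); // also all that a server intruder would obtain
  const roundTrip = openPrivateKey(fetched, "correct horse battery staple").equals(privKey);
  let wrongRejected = false;
  try { openPrivateKey(fetched, "wrong password"); } catch { wrongRejected = true; }
  const leaked = JSON.stringify(fetched).includes(privKey.toString("hex"));
  return { roundTrip, wrongRejected, leaked };
}
```

Signing would also happen on the client after `openPrivateKey`, so a copy of the server's store still leaves the attacker with a password-guessing problem per blob.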

madmadmax
February 10, 2013, 05:35:41 PM
 #24

I agree, which is what I'm trying to get madmadmax to understand.

Meaning that anyone who has access to your server now has access to the user's password, and all their bitcoins.  That doesn't sound secure, and doesn't sound like a good idea.  The way https://bclockchain.info/wallet handles it is far more secure (and faster).

I agree.  All that in addition to the serious lack of security.

That will take too much time. I can't speak for 0.8.0 'cause I have yet to play with it, but anything lower than this will not be able to do it. You have to rescan when you switch the wallet.dat, and that takes a while.


No, I am just talking about protecting the wallet.dat file. Honestly this is not really a good way to do it. But to create a new address, you would have to decrypt the wallet.dat with the password from the person and you would probably have to encrypt the bitcoin.conf so you can use the JSON RPC API to create the new address. It is so many working parts that would take a long time, while keeping the connection to the user alive so they can get the address as soon as it is created.

You guys are hopeless. Never mind that I discarded the initial approach on the first page; I have explained how the system works time and time again: the user's password is hashed+salted with bcrypt and sent through an RSA-2048 secured connection to the server. Impossible to sabotage unless direct access to the main server is gained and maintained while users try to connect to their account (as the hashes aren't stored on the machine), thus every account is in cold storage until it is needed.

If somehow hackers gain momentary access to all the wallets on the server and obtain a copy, most of the users could be sent messages through SMS asking them to change the password before the hackers would brute-force a single one.

I am wondering what is the best method to encrypt individual accounts within a wallet...

gweedo
February 10, 2013, 06:00:36 PM
 #25

You guys are hopeless. Never mind that I discarded the initial approach on the first page; I have explained how the system works time and time again: the user's password is hashed+salted with bcrypt and sent through an RSA-2048 secured connection to the server. Impossible to sabotage unless direct access to the main server is gained and maintained while users try to connect to their account (as the hashes aren't stored on the machine), thus every account is in cold storage until it is needed.

If somehow hackers gain momentary access to all the wallets on the server and obtain a copy, most of the users could be sent messages through SMS asking them to change the password before the hackers would brute-force a single one.

I am wondering what is the best method to encrypt individual accounts within a wallet...

Yes, we are hopeless, we are trying to understand your logic. First off, you can't encrypt individual accounts within a wallet. Second, SSL is good, but if you're not securing the server well, you could still be hacked. Third, you can't brute force bcrypt; it is impossible, no computer can do that. The problem would be users losing their password or the hacker copying the wallet.dat file.

DannyHamilton
February 11, 2013, 12:56:04 AM
 #26

I give up.  madmadmax, go about it however you like.  You won't provide enough information for anyone to assist you and the bits and pieces of information that you do reveal don't make any sense.  gweedo, you're welcome to try and assist, but I'm done here.
