Bitcoin Forum
November 12, 2024, 05:02:54 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3]  All
  Print  
Author Topic: A Browser Based Cryptocurrency Client [real devs only please]  (Read 2628 times)
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 07:49:05 PM
 #41

that's 'brand X', the web wallet.  Im proposing the scenario on the right.

A secret phrase is enough to reconstruct thousands of ECC keys.

and if someone cracks or steals the secret phrase?  youre basically back to password authentication.

much less of a security problem if the phrase never leaves your own pc for sure, and might offer the right security characteristics for this architecture.

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 15, 2013, 07:53:40 PM
 #42

and if someone cracks or steals the secret phrase?  youre basically back to password authentication.

much less of a security problem if the phrase never leaves your own pc for sure, and might offer the right security characteristics for this architecture.

That's what I offer:

1. Ask for the secret phrase
2. Hash it with SHA-256 to get a master key
3. Generate Nth ECC private key as SHA256(master_key, N)

The secret phrase, the master key and the private keys don't need to be transfered nor saved. All that u need is to sign transactions using JavaScript.
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 07:59:28 PM
 #43

and if someone cracks or steals the secret phrase?  youre basically back to password authentication.

much less of a security problem if the phrase never leaves your own pc for sure, and might offer the right security characteristics for this architecture.

That's what I offer:

1. Ask for the secret phrase
2. Hash it with SHA-256 to get a master key
3. Generate Nth ECC private key as SHA256(master_key, N)

The secret phrase, the master key and the private keys don't need to be transfered nor saved. All that u need is to sign transactions using JavaScript.

I see so it's 2 factor auth.

so for your idea:  the master key is in the browser store?  is it unique to a user?  to a set of accounts?

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
jago25_98
Hero Member
*****
Offline Offline

Activity: 900
Merit: 1000


Crypto Geek


View Profile WWW
November 15, 2013, 08:03:00 PM
 #44

I'm sure blockchain.info's wallet unique selling point was to host as much as possible client side as a response to the MyWallet debacle.
Worth a look?
https://github.com/zootreeves/blockchain.info/blob/master/wallet.js

I've sent piuk a PM to let him know.

 -j

btw, love the decentralised exchange ideas

Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas

thanks, but I think blockchain.info is a traditional web app?  Haven't used it much really.  He may have valuable advice, but the architecture I'm suggesting has few counterparts, here is one:  https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

Im somewhat versed in web app security.

thanks, bm




Bitcoiner since the early days. Crypto YouTube Channel: Trading Nomads | Analyst | News Reporter | Bitcoin Hodler | Support Freedom of Speech!
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 15, 2013, 08:04:23 PM
 #45

I see so it's 2 factor auth.

so for your idea:  the master key is in the browser store?  is it unique to a user?  to a set of accounts?

I don't see the 2nd factor there. It's like good ole password auth (before username began to be used).

Nothing is stored in the browser. User has to remember the phrase.
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 08:09:52 PM
 #46

I see so it's 2 factor auth.

so for your idea:  the master key is in the browser store?  is it unique to a user?  to a set of accounts?

I don't see the 2nd factor there. It's like good ole password auth (before username began to be used).

Nothing is stored in the browser. User has to remember the phrase.

again so if the Masterkey [1] is on the server(publicized) your point of weakness is the privacy of your password.

while password based security is more or less standard, it's not considered to be very strong and if that were the security model I don't think this system would offer much because, web wallets offer a similar security model (not as good though as what you are suggesting).

so in 'New Way' you cannot compromise the Bitcoin account without somehow gaining access to the wallet.dat that resides in the Browser(and no where else).  You can easily add two factor auth by using the hash system you describe.



[1] don't like ideas that begin with 'Master' these days. Smiley

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 08:16:47 PM
 #47

I'm sure blockchain.info's wallet unique selling point was to host as much as possible client side as a response to the MyWallet debacle.
Worth a look?
https://github.com/zootreeves/blockchain.info/blob/master/wallet.js

not fully versed in how their architecture works.  I did see that browser based vanity generator which was perhaps the most advanced use of client-side crypto I've seen in the Bitcoin world.  Whoever did that does know a thing or two about Crypto.  Feel free to credit him/her in this thread if you know.


I've sent piuk a PM to let him know.

 -j

btw, love the decentralised exchange ideas

thank you sir.  If you want to be involved and you're not technical I can put you in touch with our community leader.  This isn't a bluemeanie thing really, it's a community thing.  Smiley

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 15, 2013, 08:17:36 PM
 #48

again so if the Masterkey [1] is on the server(publicized) your point of weakness is the privacy of your password.

while password based security is more or less standard, it's not considered to be very strong and if that were the security model I don't think this system would offer much because, web wallets offer a similar security model (not as good though as what you are suggesting).

so in 'New Way' you cannot compromise the Bitcoin account without somehow gaining access to the wallet.dat that resides in the Browser(and no where else).  You can easily add two factor auth by using the hash system you describe.



[1] don't like ideas that begin with 'Master' these days. Smiley

Masterkey is a secret key, no need to publicize it. U don't need wallet.dat at all if u generate addresses the way I proposed.
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 08:21:18 PM
 #49

again so if the Masterkey [1] is on the server(publicized) your point of weakness is the privacy of your password.

while password based security is more or less standard, it's not considered to be very strong and if that were the security model I don't think this system would offer much because, web wallets offer a similar security model (not as good though as what you are suggesting).

so in 'New Way' you cannot compromise the Bitcoin account without somehow gaining access to the wallet.dat that resides in the Browser(and no where else).  You can easily add two factor auth by using the hash system you describe.



[1] don't like ideas that begin with 'Master' these days. Smiley

Masterkey is a secret key, no need to publicize it. U don't need wallet.dat at all if u generate addresses the way I proposed.

not hammering this down, I think it's a good idea.  But to give it the proper security term, it's 2 factor auth.

1st factor: the 'Masterkey' numerical non-mnemonic artifact
2nd factor: hashed passphrase to produce subkeys

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 15, 2013, 08:25:36 PM
 #50

not hammering this down, I think it's a good idea.  But to give it the proper security term, it's 2 factor auth.

1st factor: the 'Masterkey' numerical non-mnemonic artifact
2nd factor: hashed passphrase to produce subkeys

Adding 2FA u add a big hole in the security. Nothing should be stored, especially outside.
bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 15, 2013, 08:45:44 PM
 #51

not hammering this down, I think it's a good idea.  But to give it the proper security term, it's 2 factor auth.

1st factor: the 'Masterkey' numerical non-mnemonic artifact
2nd factor: hashed passphrase to produce subkeys

Adding 2FA u add a big hole in the security. Nothing should be stored, especially outside.

what you're suggesting?


Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 15, 2013, 08:57:54 PM
 #52

what you're suggesting?

(\__/)
(='.'=)
(")_(")    secret phrase
------------------------------>  [Browser] = FileSystem + WebRTC + some JS Crypto libraries

The browser signs transactions using the secret phrase and sends to some random peers. The list of peers is obtained via asking the user and sharing with other peers. A few peers not shielded by NAT is enough to build a network.

Protection:
- Virtual keyboard or mobile phone + microphone against key loggers
- Other computer or mobile phone for 2FA
GCInc.
Hero Member
*****
Offline Offline

Activity: 566
Merit: 500


View Profile WWW
November 19, 2013, 10:49:43 AM
 #53

This is interesting, related to some client side js crypto on which I'm currently getting project work done. Are there plans for prototype development of a browser based wallet? Come-from-Beyond do you have the skills required or do you have a team?

Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1007


View Profile
November 19, 2013, 11:05:01 AM
Last edit: November 19, 2013, 10:26:40 PM by Sukrim
 #54

Ripple does this since about 1 year now - maybe have a look at their client too. The crypto used is similar, the server software is different from bitcoind. https://github.com/ripple/ripple-client, https://github.com/ripple/ripple-lib

Basically it is an SPV client in JavaScript that signs transactions locally and only communicates to its server via Websockets to get updates and to push (locally) signed transactions.

It seems you want to connect clients to each other using WebRTC - why exactly?

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 19, 2013, 02:55:01 PM
 #55

This is interesting, related to some client side js crypto on which I'm currently getting project work done. Are there plans for prototype development of a browser based wallet? Come-from-Beyond do you have the skills required or do you have a team?

I do have skills and a team, but I support only innovative projects. Bitcoin webwallet doesn't look innovative enough.
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
November 19, 2013, 02:56:14 PM
 #56

It seems you want to connect clients to each other using WebRTC - why exactly?

To get rid of servers I suppose.
GCInc.
Hero Member
*****
Offline Offline

Activity: 566
Merit: 500


View Profile WWW
November 19, 2013, 06:43:06 PM
 #57

I do have skills and a team, but I support only innovative projects. Bitcoin webwallet doesn't look innovative enough.
I'm not sure we're talking about the same thing, but I was thinking no webwallet, no external servers for anything else than blockchain storage. Local wallet integrated to the web browser. Maybe not innovative but what a step towards cryptocurrency mass adoption!

bluemeanie1 (OP)
Sr. Member
****
Offline Offline

Activity: 280
Merit: 257


bluemeanie


View Profile WWW
November 19, 2013, 07:17:51 PM
 #58

I do have skills and a team, but I support only innovative projects. Bitcoin webwallet doesn't look innovative enough.
I'm not sure we're talking about the same thing, but I was thinking no webwallet, no external servers for anything else than blockchain storage. Local wallet integrated to the web browser. Maybe not innovative but what a step towards cryptocurrency mass adoption!

you certainly could improve the basic web wallet experience by:

 1) keeping ECC keys in the HTML5 Web Store

 2) forming and signing the TXs in the browser using Javascript.

-bm

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!