|
February 03, 2014, 01:59:58 AM Last edit: February 03, 2014, 03:02:06 AM by crazydownloaded |
|
Hello,
I'm currently working on a multi-currencies web wallet. I'm wondering about the security of the encryption model I chose:
- During wallet setup, the user choose a password - His browser (using JsEncrypt library) generates RSA (1024 bits) private/public key pairs - It encodes the user's private key using AES encryption (symetric) and send the encrypted private key + the user's public key to the server for saving (using CryptoJS library) - Private key of addresses the user generates are encoded using it's public key (this way I don't need to ask the user for its password) - When signing a transaction, I ask the user for its password, decode its RSA private key using it and then decode the address' private key using the decrypted RSA private key. - This also have the advantage to permit the user to change its password easily (on the server side I only need to save the new encrypted private key, without changing addresses encrypted private keys)
This seems pretty robust to me. Do you see any weakness in this model?
|