Bitcoin Forum
Author Topic: Storing private keys on servers  (Read 365 times)
zaryabbkh
April 24, 2019, 07:25:46 AM
 #1

Hi, I'm a newbie in the crypto world and working on a trading platform. I have to generate separate addresses for every user and am stuck on how to securely store the private keys. I've looked into ECC encryption, AWS KMS, and HashiCorp Vault, but the common thing among all the methods is that the decryption password or token is still stored on the server. So if the server gets compromised, everything is gone. Now my question is: what is the best way to store the private keys? Thanks!
Pmalek
April 24, 2019, 07:35:01 AM
 #2

The safest way would be not storing them on any server at all. Sorry for going a bit off topic but I wouldn't trust a random site with my private keys. You explained the reasons yourself. They can be hacked or obtained by a malicious third party.

bob123
April 24, 2019, 07:35:16 AM
Merited by bones261 (2), ETFbitcoin (1)
 #3

Don't store them on your online server.

If you can allow to delay payouts / withdrawals by a few hours:
- Create a 2-server-setup with one being your webserver and one being 'offline'.
- Make use of 2 wallets (hot- and cold wallet)
- Every X hours batch the transactions, verify them, do sanity checks, and create a payment request to your 'offline server'.
- Your 'offline-server' should then handle all payments (make sure to secure it with a firewall and only allow specific incoming requests from your webserver + outgoing requests to broadcast the transactions) from the hot wallet.
- Top up the hot wallet with the cold wallet funds when necessary (manually) or withdraw from the hot wallet to the cold wallet (automatically).


If you want 'instant' withdrawals:
- Make use of 2 wallets (hot- and cold wallet)
- Only keep a limited amount on your hot wallet (on the web server). It has to be an amount which you can afford to lose in case of an attack.
- Top it up with your cold wallet funds when necessary.


But generally:
If you are going to build a trading platform yourself (without a developer who builds the whole software with security in mind from the very beginning), you are guaranteed to have vulnerabilities.
And these vulnerabilities will be exploited if it is worth it for the attacker.

If you really want to build a professional platform and need to handle funds of users, hire some competent security-minded developer.
It is not going to be cheap, but it will save you a lot of money in the long run (given that you really want to build a professional platform).

NeuroticFish
April 24, 2019, 07:40:22 AM
 #4

Since you are the custodian of the funds, you don't need a private key for each user. Each user will have their own receiving address. The sending happens from the wallets that suit you best.
Sending the funds has to be batched for the sake of the network, for making the tx fees smaller and for double-checking them. And you'll clearly need cold storage too.

mocacinno
April 24, 2019, 07:44:53 AM
Merited by bones261 (2), ETFbitcoin (1)
 #5

I agree 100% with bob123, NeuroticFish and Pmalek: do not store private keys, seeds, xprvs, ... on an online machine.

However, I did want to add one remark: there seems to be a misconception about HashiCorp's Vault in your OP: if you're storing the unseal keys or root tokens on your online machine, you're doing it wrong... But I do have to agree that IF you unsealed your vault AND your system gets compromised AND the hacker gets his hands on your machine AND a token (or user/pass or...), he will be able to get your private keys from your server if you were storing them in Vault... It's the chicken or the egg dilemma: if you want your scripts to be able to access your private keys directly, a hacker will always have a loophole to do the same. So your best solution would be not to store your private keys on an online machine Wink

There are tons of exchanges that had excellent programmers and security audits and strict procedures but still got abused in the end... Don't make the mistake of thinking you're better than those exchanges!

zaryabbkh
April 24, 2019, 08:05:59 AM
 #6

Thanks a lot for such quick and valuable responses, Pmalek, bob123, NeuroticFish and mocacinno. I'll look into this. The gist is: either prepare for the hack using hot wallets, or compromise the user experience over security using cold wallets.

I'm learning to be a security-minded developer and will definitely become one with the help of you people.  Smiley
LFC_Bitcoin
April 24, 2019, 01:56:46 PM
 #7

OP,

FFS man, do not store your private keys on an online server. Keep them on a hardware wallet, USB stick or paper wallet. Don’t risk storing them anywhere that somebody could gain access to.

Your idea sounds like a nightmare waiting to happen. You’re clearly tech minded so you’re not a stupid guy. Common sense is priceless though, treat your private keys like you would the most valuable thing you own - i.e. away from everybody else.

buwaytress
April 24, 2019, 02:26:56 PM
 #8

Did I misunderstand something or am I seeing something OP is saying: that for every user, he is creating a new wallet and new set of private keys? To my understanding most online services are actually only using 1 wallet (or a set of wallets) and therefore just the 1 set of private keys (or a few for a few sets of wallets). Every client gets a unique address, but they actually all belong to the same wallet, hence individual deposits get batched up and can be combined to process other client withdrawals.

So if OP is indeed creating a unique WALLET for each customer, then why not make it so you only issue them addresses from fewer wallets?

OR make their private key their responsibility (as should anyway be the case?)? It's sort of a win-win. They keep their own keys, you also de-risk.

Apologies in advance if I've veered off the reserve!

khaled0111
April 24, 2019, 04:23:26 PM
Last edit: April 24, 2019, 05:54:57 PM by khaled0111
 #9

If you want 'instant' withdrawals:
- Make use of 2 wallets (hot- and cold wallet)
- Only keep a limited amount on your hot wallet (on the web server). It has to be an amount which you can afford to lose in case of an attack.
- Top it up with your cold wallet funds when necessary.

If his customers are fine with delayed withdrawals, then what you proposed is the most suitable solution.

But if they need instant withdrawals and full control over their funds (not possible with hot/cold solution), then you may consider this solution:
     -generate a private key for each user
     -save the private keys (plain text) on an offline database
     -encrypt private keys with a random key for each user
     -save the encrypted private keys on the server's database
     -give the user the key needed to decrypt his private key

This way, your customer will be able to use his private key without knowing it and it will be safe in case the server gets compromised.


aliashraf
April 24, 2019, 04:57:14 PM
 #10

op,
You need to check HD wallets concept. As @buwaytress has correctly reminded you don't need a separate key pair/wallet for each user/invoice, a single HD wallet could generate as many receiving addresses as you wish, feel free to store them in your database for further accounting references and keep the private key secure/off-line/cold. Good luck.
ETFbitcoin
April 24, 2019, 05:43:54 PM
 #11

If his customers are fine with delayed withdrawals, then what you proposed is the most suitable solution.

But if they need instant withdrawals and full control over their funds (not possible with hot/cold solution)

IMO instant withdrawals could be limited for small transaction, so hot/cold wallet still works.

then you may consider this solution:
     -generate a private key for each user
     -save the private keys (plain text) on an offline database
     -encrypt private keys with a random key for each user
     -save the encrypted private keys on the server's database
     -give the user the key needed to decrypt his private key

CMIIW, but there are a few problems:
1. Private keys are not supposed to be stored in plain text, even in an offline database.
2. If users have the private key (access to their coins), that means:
  - A user could take back their money (steal money) after the deposit is done (where the balance amount might not be updated) or trade his coin for another currency (clearly a stealing attempt).
  - It could hinder the exchange from moving deposited coins for consolidation or grouping.

franky1
April 24, 2019, 06:40:27 PM
Merited by bones261 (2), ETFbitcoin (1)
 #12

there is no such thing as "instant pay" in bitcoin. a confirm is ~10mins.
this means without having a private key anywhere on the web server you can still offer a PROMPT service within the acceptable tolerance of 10mins

the easiest method is when a user makes a withdrawal request. this request does not trigger signing a transaction on the webserver, but puts a withdrawal request into a database. and the web server never needs to list an IP address or make any calls out.. instead a remote system can securely look in on the withdrawal request database every 20 seconds-2 minutes, see what needs to be processed and then process it remotely, knowing it will be in a block within the tolerable timescale


thus the webserver has no keys nor any listing of the remote system because the webserver does not transmit anything. it just lists items

PrimeNumber7
April 25, 2019, 05:25:14 AM
Merited by bones261 (2), ETFbitcoin (1)
 #13

For those who are suggesting to not store private keys on an online machine, for most bitcoin and crypto businesses, this is not an option. The marketplace demands quick withdrawals in most instances with exceptions for large withdrawals.

An online business will, by design, need to store SSL keys online, and this in some ways is similar to storing even cold storage keys online, to an extent, because a hacker can potentially impersonate your website and display deposit addresses for customers that belong to the hacker. In order for this attack to be successful, more than just the SSL keys will need to be compromised.

I generally agree with bob123's comments with regards to only storing limited amounts of coins on your server, and to top off your "hot" wallet when necessary. I would also warn that if your database server is compromised, a hacker may trick you into believing a certain user has a larger balance available for withdrawal than is actually true. This means you will need to independently verify the integrity of your database each time you remove coins from your "cold" wallet; this is true even if you do not keep any coins on an online server.

A good rule of thumb is to not keep more than 1-2 months expected earnings worth of crypto in your online storage so in case your server does get hacked, you can easily "earn" your way out of the losses.

I do not wish to give you specific advice or suggestions on how to protect your customer's money, in large part because I cannot ensure you will hear any of my ongoing advice, and will not be in a position to ensure you are correctly implementing what I am suggesting.

If you do not personally know how to protect your private keys and the integrity of your DB, I would suggest you hire someone who has experience doing this job function who you can independently verify to be an "expert"
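
The design that posts #3, #12 and #13 converge on, as an added example that is not part of any post: the web tier only queues withdrawal requests, and an isolated signer polls the queue and re-checks every request against records the web tier cannot modify before anything is paid. Table names, limits, and the sample users and amounts are constructed for the example.

```python
import sqlite3

# Hypothetical policy values in satoshis, chosen for this example.
PER_REQUEST_LIMIT = 50_000_000   # anything larger waits for manual review
BATCH_CAP = 120_000_000          # most the hot wallet may pay out per batch


def make_web_db():
    """Database the web server writes to. It holds requests, never keys."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE balances (user TEXT PRIMARY KEY, sats INTEGER);
        CREATE TABLE withdrawals (
            id INTEGER PRIMARY KEY, user TEXT, address TEXT, sats INTEGER,
            status TEXT DEFAULT 'pending', reason TEXT);
    """)
    return db


def web_request_withdrawal(db, user, address, sats):
    """All the web tier does: queue a request. It never signs or broadcasts."""
    cur = db.execute(
        "INSERT INTO withdrawals (user, address, sats) VALUES (?, ?, ?)",
        (user, address, sats))
    return cur.lastrowid


def verified_balance(user, confirmed_deposits, paid_out):
    """Balance rebuilt from the signer's own records, not the web database."""
    return sum(confirmed_deposits.get(user, [])) - paid_out.get(user, 0)


def signer_process_batch(db, confirmed_deposits, paid_out):
    """Runs on the isolated signer, which polls the queue on its own schedule."""
    decisions, batch_total = {}, 0
    pending = db.execute(
        "SELECT id, user, sats FROM withdrawals "
        "WHERE status = 'pending' ORDER BY id").fetchall()
    for wid, user, sats in pending:
        available = verified_balance(user, confirmed_deposits, paid_out)
        if sats <= 0:
            status, reason = "rejected", "non-positive amount"
        elif sats > PER_REQUEST_LIMIT:
            status, reason = "manual_review", "over per-request limit"
        elif sats > available:
            status, reason = "rejected", "exceeds independently verified balance"
        elif batch_total + sats > BATCH_CAP:
            status, reason = "pending", "batch cap reached, retry next batch"
        else:
            status, reason = "approved", None
            batch_total += sats
            paid_out[user] = paid_out.get(user, 0) + sats
        db.execute("UPDATE withdrawals SET status = ?, reason = ? WHERE id = ?",
                   (status, reason, wid))
        decisions[wid] = (status, reason)
    return decisions, batch_total


def demo():
    db = make_web_db()
    # Constructed sample data. The signer tracks deposits it saw confirmed itself.
    confirmed_deposits = {"alice": [60_000_000], "bob": [10_000_000],
                          "carol": [100_000_000], "dave": [50_000_000]}
    paid_out = {}
    # The web-tier balance for bob is inflated, the scenario post #13 warns about.
    db.executemany("INSERT INTO balances VALUES (?, ?)",
                   [("alice", 60_000_000), ("bob", 90_000_000),
                    ("carol", 100_000_000), ("dave", 50_000_000)])
    for user, sats in [("alice", 40_000_000), ("bob", 45_000_000),
                       ("carol", 70_000_000), ("alice", 30_000_000),
                       ("carol", 50_000_000), ("dave", 50_000_000)]:
        web_request_withdrawal(db, user, "addr-of-" + user, sats)
    return signer_process_batch(db, confirmed_deposits, paid_out)


if __name__ == "__main__":
    decisions, total = demo()
    for wid, (status, reason) in decisions.items():
        print(wid, status, reason or "")
    print("batch total:", total)
```

The signer never reads the `balances` table, so the inflated value for bob has no effect on what gets paid; the batch cap bounds the loss if the signer's checks are themselves wrong.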

odolvlobo
April 25, 2019, 06:29:16 AM
 #14

Companies that are serious about security use this: Hardware Security Module

bob123
April 25, 2019, 06:31:36 AM
Merited by bones261 (2)
 #15

OP,

FFS man, do not store your private keys on an online server. Keep them on a hardware wallet, USB stick or paper wallet. Don’t risk storing them anywhere that somebody could gain access to.

Your idea sounds like a nightmare waiting to happen. You’re clearly tech minded so you’re not a stupid guy. Common sense is priceless though, treat your private keys like you would the most valuable thing you own - i.e. away from everybody else.

Did you even read the OP ? I guess not..




Did I misunderstand something or am I seeing something OP is saying: that for every user, he is creating a new wallet and new set of private keys?

He wants to create one address (implies 1 private key) for each user, as mentioned in his OP.
Not a separate wallet for each user.




But if they need instant withdrawals and full control over their funds (not possible with hot/cold solution), then you may consider this solution:
     -generate a private key for each user
     -save the private keys (plain text) on an offline database
     -encrypt private keys with a random key for each user
     -save the encrypted private keys on the server's database
     -give the user the key needed to decrypt his private key

This way, your customer will be able to use his private key without knowing it and it will be safe in case the server gets compromised.

Why does the user need the key to decrypt the private key if he doesn't have access to the private key anyway ?
Also, you most likely don't want each user to be able to have access to the private keys. This creates room for exploitation.

The funds of the user are managed in a database and the coins should get consolidated anyway (when the fees are low).




[...]
If you do not personally know how to protect your private keys and the integrity of your DB, I would suggest you hire someone who has experience doing this job function who you can independently verify to be an "expert"

^This.

No system is completely secure.
You need to hire experts which can be made liable in case of an obvious data breach. Not some random online guy.

Vulnerabilities will exist, it is important to have a plan to reduce possible damage and to make sure that the total amount of damage is limited.
For example, it has to be completely bulletproof that an attacker can't add withdrawal requests AND top up the hot wallet from your cold wallet. This would be a disaster.




Companies that are serious about security use this: Hardware Security Module

That's currently not the topic.
Such a module won't help you if an attacker can manipulate the database which handles the withdrawals.

It is necessary to have a good concept, then focus on the hardware you are using.

zaryabbkh
April 25, 2019, 01:34:39 PM
 #16

Thanks bob123 for such a great clarification.

Yeah, the issue is I have to generate a separate address for each user, and in the case of Ethereum the HD wallets don't work like Bitcoin, where we can just select UTXOs and make a transaction.

bob123 gives the most optimal solution
If you want 'instant' withdrawals:
- Make use of 2 wallets (hot- and cold wallet)
- Only keep a limited amount on your hot wallet (on the web server). It has to be an amount which you can afford to lose in case of an attack.
- Top it up with your cold wallet funds when necessary.

and if we add this from PrimeNumber7
A good rule of thumb is to not keep more than 1-2 months expected earnings worth of crypto in your online storage so in case your server does get hacked, you can easily "earn" your way out of the losses.

also thanks for pointing out this issue

I would also warn that if your database server is compromised, a hacker may trick you into believing a certain user has a larger balance available for withdrawal than is actually true. This means you will need to independently verify the integrity of your database each time you remove coins from your "cold" wallet; this is true even if you do not keep any coins on an online server.

I'll keep track of all these valuable suggestions and will share the final solution I end up with.

I do not wish to give you specific advice or suggestions on how to protect your customer's money, in large part because I cannot ensure you will hear any of my ongoing advice, and will not be in a position to ensure you are correctly implementing what I am suggesting.

Thanks!
aliashraf
April 25, 2019, 02:59:09 PM
 #17

Yeah, the issue is I have to generate a separate address for each user, and in the case of Ethereum the HD wallets don't work like Bitcoin, where we can just select UTXOs and make a transaction.
Wrong! HD wallets work just fine for both Ethereum and bitcoin and every other cryptographic system that is based on ECDSA standard. period.

Quote
bob123 gives the most optimal solution
No, he does not  Cheesy
instead of wasting your time by catching up with irrelevant topics like cold vs hot wallets and alike, just focus on the main problem, you need multiple receiving addresses mapped to each user and a single master key to spend from all or not? Decide and choose the right direction....

P.S. say hello to Sh ... Wink
bob123
April 26, 2019, 06:28:30 AM
 #18

Wrong! HD wallets work just fine for both Ethereum and bitcoin and every other cryptographic system that is based on ECDSA standard. period.

No.

OP is right, you are wrong.

Bitcoin is following a UTXO model, where ethereum has an account model.
This definitely makes a difference.

OP never said that HD wallets do not exist, he said that it works differently when comparing ethereum to bitcoin, which is correct.



Quote
bob123 gives the most optimal solution
No, he does not  Cheesy
instead of wasting your time by catching up with irrelevant topics like cold vs hot wallets and alike, just focus on the main problem, you need multiple receiving addresses mapped to each user and a single master key to spend from all or not? Decide and choose the right direction....

Hot- / cold wallets is an irrelevant topic when hosting an online service which handles user funds?  Roll Eyes Roll Eyes

The 'main problem' is the mapping from addresses to user ??  Roll Eyes


I really don't get what you are trying to say.

If you believe the correct handling of the funds (hot-/cold wallet) is irrelevant, you obviously don't have a clue at all.
And if you additionally think that the mapping is a problem, you absolutely don't know what you are talking about. That is probably the easiest task of creating such a service..


Also, there is no reason to have a 'single master key' to spend funds from.
That's not even possible. You need 1 private key for each address. The private keys can be derived using the same seed, but that's not the topic here at all (and won't allow you to spend funds from one 'master key')..

So.. instead of posting bullshit without having any clue, what about you browse through the forum for a few months first (to learn all the stuff you obviously don't know yet) before trying to 'help' someone ?



op,
You need to check HD wallets concept. As @buwaytress has correctly reminded you don't need a separate key pair/wallet for each user/invoice

Do you even know how a HD wallet works ?
Not like HD wallets would generate private keys or something silly like that...

Please stop creating posts which contain anything 'technical' regarding bitcoin. You are just embarrassing yourself.

aliashraf
April 27, 2019, 09:29:22 PM
 #19

Wrong! HD wallets work just fine for both Ethereum and bitcoin and every other cryptographic system that is based on ECDSA standard. period.

No.

OP is right, you are wrong.

Bitcoin is following a UTXO model, where ethereum has an account model.
This definitely makes a difference.

OP never said that HD wallets do not exist, he said that it works differently when comparing ethereum to bitcoin, which is correct.

No.

you are trying to justify the wrong credit op gave to you, op claimed that HD wallets are not good because s/he was confused about what the concept is and you are escalating her confusion by talking about utxo vs account model, HD wallet concept is neutral about this issue and we have a lot of both commercial and opensource wallets that support multiple coins including bitcoin and Ethereum you are escalating op's confusion by spreading misinformation. Why? Just because she applauded you ignorantly?

Quote

Quote
bob123 gives the most optimal solution
No, he does not  Cheesy
instead of wasting your time by catching up with irrelevant topics like cold vs hot wallets and alike, just focus on the main problem, you need multiple receiving addresses mapped to each user and a single master key to spend from all or not? Decide and choose the right direction....

Hot- / cold wallets is an irrelevant topic when hosting an online service which handles user funds?  Roll Eyes Roll Eyes

The 'main problem' is the mapping from addresses to user ??  Roll Eyes

If instead of trying to show-off you bother to read op's inquiry it is more than obvious that s/he is trying to handle thousands of private keys because s/he is not aware of HD wallets and the feasibility of having one master key and thousands of bitcoin addresses assigned to users, it is why s/he asks about the security of keeping track of so many private keys supposedly on a server using a database.

Quote


I really don't get what you are trying to say.

If you believe the correct handling of the funds (hot-/cold wallet) is irrelevant, you obviously don't have a clue at all.
And if you additionally think that the mapping is a problem, you absolutely don't know what you are talking about. That is probably the easiest task of creating such a service..


Also, there is no reason to have a 'single master key' to spend funds from.
That's not even possible. You need 1 private key for each address. The private keys can be derived using the same seed, but that's not the topic here at all (and won't allow you to spend funds from one 'master key')..

So.. instead of posting bullshit without having any clue, what about you browse through the forum for a few months first (to learn all the stuff you obviously don't know yet) before trying to 'help' someone ?



op,
You need to check HD wallets concept. As @buwaytress has correctly reminded you don't need a separate key pair/wallet for each user/invoice

Do you even know how a HD wallet works ?
Not like HD wallets would generate private keys or something silly like that...

Please stop creating posts which contain anything 'technical' regarding bitcoin. You are just embarrassing yourself.
Now you are teaching me HD wallets? Grin

It is really crazy, you give irrelevant information about hot wallet/cold wallet stuff to a confused newbie and s/he says thank you, then somebody tries to really help and you are attacking him because you desperately need the credit?  Cheesy

Of course there is always a private key corresponding to a public key, the point with HD wallets is that you don't need to store the private keys like what op thinks instead your wallet software derives the corresponding private key from the master private key. You don't need to store this master private key on the server at all because the public keys are not generated using this key but derived from a master public key which is useless for spending funds.

So, op needs to be informed about HD wallets instead of being fooled by your irrelevant poor knowledge about hot wallets and cold wallets.
zaryabbkh
April 29, 2019, 04:57:42 AM
 #20

First of all, let's see how mnemonic-based HD wallets work.

SEED:
time face caught jump pony myth only doll treat clog monitor verify fabric walnut permit

This is the SEED used to generate the xpub and xpriv keys for multiple coins. This single key can generate both Bitcoin and Ethereum addresses and many more, like hardware wallets such as Trezor do; one single seed is enough for every coin that you store in your wallet.

BITCOIN XPUB KEY
xpub6DCsNLV4BriXeaACJBxX3ny7vNaegKcJU2W16NKmE6MS8DzXNWj9LgcH647tNhKKDj4GJsamvRR ScD2Sg3bw6JSwJcto4awVGdg5dPM1FTu

path,address,private key for BITCOIN

m/44'/0'/0'/0/0,
197ToSUz1fHUZw6RyayGHcVgAbeMxQu5MN,
L4FSbxSNQdEC32rrwv2CbxEbGeRxP2HrzT6G5JhRUvm6Jri1wp2K

m/44'/0'/0'/0/1,
1H8m2zVwMhEgKJRfDnWsoti1K2kN87x2ym,
L4b7grTtHEtahUNeDLesHTDShRbUTXHp5Jy3Cy4j1YZiVSwLRHXt

ETHEREUM XPUB KEY
xpub6CT1Ak6RQCF4YmYX8X5vKCWMMTp553Mj4LfYEgKidavurq3xcAwnWMspcnEbMz1GLVhqSwgkK7x Y9wqRCBBQieZ7ziRqT5dT6zWiVaga79c

path,address,private key for ETHEREUM

m/44'/60'/0'/0/0,
0xB4d5Eb0A4033770ad5b7076494F5e111BEf0e900,
0xa3ff08362024f18909c7845b38455b3e03ee47e5735977dccc2e50ef825ec1b5

m/44'/60'/0'/0/1,
0x04905Da51b6DDdE795C1890096dDbbfCe3039b0F,
0x81a2fd621dc67aafb6d42791b513a9318eafc01fb63b91afda41c1cd71fc5b21


The issue is that ETHEREUM has an account model, which means the private key of every generated address is required to make a transaction, whereas Bitcoin has a UTXO model in which we can select multiple UTXOs and make a transaction.

197ToSUz1fHUZw6RyayGHcVgAbeMxQu5MN => 0.1 BTC
1H8m2zVwMhEgKJRfDnWsoti1K2kN87x2ym => 1 BTC

So in Bitcoin I can use all 1.01 BTC in a single transaction by just using a function getUTXOs(); the rest is done by the Bitcoin wallet. BTCD or BITCORE gives this functionality.

0xB4d5Eb0A4033770ad5b7076494F5e111BEf0e900 => 0.1 ETH
0x04905Da51b6DDdE795C1890096dDbbfCe3039b0F => 1 ETH

In the case of Ethereum, to use the total of 1.01 ETH in my HD wallet I have to individually use both addresses' private keys to make a transaction, and then executing a batch transaction will do the job.


So the problem is not HD wallets; it's about the architecture of both Bitcoin and Ethereum.

I can use a single SEED and xpub key to generate unlimited ETHEREUM addresses, but I can't make transactions like in BITCOIN; I'll need the private keys of all the generated addresses.

To automate the withdrawal process we have to store private keys on the server, else we have to do manual transactions.

bob123 is saying that storing private keys on the server is inevitable in the case of automatic withdrawals, but we can use the HOT and COLD wallet mechanism: store some of our funds in HOT wallets that will be used for automated withdrawals, and the rest of our funds in a COLD wallet, that is, an offline wallet not connected to the internet. This will keep hackers from stealing all of our exchange funds; only the HOT wallet funds can be stolen.