Bitcoin Forum
December 17, 2017, 03:07:07 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4]  All
  Print  
Author Topic: Fruitwallet (ios wallet) discussion  (Read 4724 times)
fruitwallet
Member
**
Offline Offline

Activity: 102


View Profile
April 25, 2014, 06:10:48 PM
 #61

@jbrnt, @gweedo need you help guys.
As I told we are working on secure wallet.

We have some variants how to make secure EASY-to-use mobile wallet:
1. User generates key on the client side, Key saved in device LocalStorage encrypted with 4 digit PIN. User is offered to click backup to save the key encrypted with PIN on our server.
2. User do all stated above, but he is offered to encrypt backup key one more time with additional PASSPHRASE.

If key is backup-ed:
First variant means that we can theoretically steal money, but hackers can't.
Second means that even we will hardly decrypt the key. But he will probably LOSE his key (clearing the cache) and forget PASSPHRASE.

What do you think is the best variant to do it?

Don't encrypt with just a 4 digit PIN unless you going to have a huge salt that goes with it that is very random.

I don't know what you are exactly asking? The user generated key should never leave the device, in an unencrypted form, and should be stored on the phone in an encrypted form. That requires the user to unlock.

You shouldn't need to access to the key, the javascript should be able to sign the transaction and you broadcast it for them. Unless you are doing multi-sig then you have them sign the transaction and then you sign the transaction with your own key.


We can technically do all the stuff.
I mean if we store only on device, what if user lose device? or clear cookies. He will not have any way to restore it from our server. right?
So we think probably we can store key encrypted on our server as a backup.

The questions are: Do we need a backup? Crypt one time? Or crypt 2 times?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513480027
Hero Member
*
Offline Offline

Posts: 1513480027

View Profile Personal Message (Offline)

Ignore
1513480027
Reply with quote  #2

1513480027
Report to moderator
1513480027
Hero Member
*
Offline Offline

Posts: 1513480027

View Profile Personal Message (Offline)

Ignore
1513480027
Reply with quote  #2

1513480027
Report to moderator
gweedo
Legendary
*
Offline Offline

Activity: 1246


Java, PHP, HTML/CSS Programmer for Hire!


View Profile WWW
April 25, 2014, 06:19:20 PM
 #62

@jbrnt, @gweedo need you help guys.
As I told we are working on secure wallet.

We have some variants how to make secure EASY-to-use mobile wallet:
1. User generates key on the client side, Key saved in device LocalStorage encrypted with 4 digit PIN. User is offered to click backup to save the key encrypted with PIN on our server.
2. User do all stated above, but he is offered to encrypt backup key one more time with additional PASSPHRASE.

If key is backup-ed:
First variant means that we can theoretically steal money, but hackers can't.
Second means that even we will hardly decrypt the key. But he will probably LOSE his key (clearing the cache) and forget PASSPHRASE.

What do you think is the best variant to do it?

Don't encrypt with just a 4 digit PIN unless you going to have a huge salt that goes with it that is very random.

I don't know what you are exactly asking? The user generated key should never leave the device, in an unencrypted form, and should be stored on the phone in an encrypted form. That requires the user to unlock.

You shouldn't need to access to the key, the javascript should be able to sign the transaction and you broadcast it for them. Unless you are doing multi-sig then you have them sign the transaction and then you sign the transaction with your own key.


We can technically do all the stuff.
I mean if we store only on device, what if user lose device? or clear cookies. He will not have any way to restore it from our server. right?
So we think probably we can store key encrypted on our server as a backup.

The questions are: Do we need a backup? Crypt one time? Or crypt 2 times?

I would do a secure backup making it impossible for you to read but just hold. I would also have a way so the user can back it up without your service. So like a random string that being hashed can be regenerate their keys. Like BIP 32 https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

Want to earn 2500 SATOSHIS per hour? Come Chat and Chill in https://goseemybits.com/lobby
fruitwallet
Member
**
Offline Offline

Activity: 102


View Profile
April 25, 2014, 06:24:54 PM
 #63

@jbrnt, @gweedo need you help guys.
As I told we are working on secure wallet.

We have some variants how to make secure EASY-to-use mobile wallet:
1. User generates key on the client side, Key saved in device LocalStorage encrypted with 4 digit PIN. User is offered to click backup to save the key encrypted with PIN on our server.
2. User do all stated above, but he is offered to encrypt backup key one more time with additional PASSPHRASE.

If key is backup-ed:
First variant means that we can theoretically steal money, but hackers can't.
Second means that even we will hardly decrypt the key. But he will probably LOSE his key (clearing the cache) and forget PASSPHRASE.

What do you think is the best variant to do it?

Don't encrypt with just a 4 digit PIN unless you going to have a huge salt that goes with it that is very random.

I don't know what you are exactly asking? The user generated key should never leave the device, in an unencrypted form, and should be stored on the phone in an encrypted form. That requires the user to unlock.

You shouldn't need to access to the key, the javascript should be able to sign the transaction and you broadcast it for them. Unless you are doing multi-sig then you have them sign the transaction and then you sign the transaction with your own key.


We can technically do all the stuff.
I mean if we store only on device, what if user lose device? or clear cookies. He will not have any way to restore it from our server. right?
So we think probably we can store key encrypted on our server as a backup.

The questions are: Do we need a backup? Crypt one time? Or crypt 2 times?

I would do a secure backup making it impossible for you to read but just hold. I would also have a way so the user can back it up without your service. So like a random string that being hashed can be regenerate their keys. Like BIP 32 https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

That will be done in main web Wallet with storage, I'm telling about a wallet, which can be set up without a PC in just few seconds.
User can't copy long numbers from phone screen and so on. But we will do BIP 32 or HD wallet as a main wallet. Mobile wallet will be for spendable needs and must be a bit more easy to use.
Makes sense?

So I think your advice is encrypting on the phone local storage + having the way to encrypt it more, like one more encryption level, and backup on the server (when we don't know the pass-phrase to decrypt).
Correct?
gweedo
Legendary
*
Offline Offline

Activity: 1246


Java, PHP, HTML/CSS Programmer for Hire!


View Profile WWW
April 25, 2014, 06:58:33 PM
 #64

@jbrnt, @gweedo need you help guys.
As I told we are working on secure wallet.

We have some variants how to make secure EASY-to-use mobile wallet:
1. User generates key on the client side, Key saved in device LocalStorage encrypted with 4 digit PIN. User is offered to click backup to save the key encrypted with PIN on our server.
2. User do all stated above, but he is offered to encrypt backup key one more time with additional PASSPHRASE.

If key is backup-ed:
First variant means that we can theoretically steal money, but hackers can't.
Second means that even we will hardly decrypt the key. But he will probably LOSE his key (clearing the cache) and forget PASSPHRASE.

What do you think is the best variant to do it?

Don't encrypt with just a 4 digit PIN unless you going to have a huge salt that goes with it that is very random.

I don't know what you are exactly asking? The user generated key should never leave the device, in an unencrypted form, and should be stored on the phone in an encrypted form. That requires the user to unlock.

You shouldn't need to access to the key, the javascript should be able to sign the transaction and you broadcast it for them. Unless you are doing multi-sig then you have them sign the transaction and then you sign the transaction with your own key.


We can technically do all the stuff.
I mean if we store only on device, what if user lose device? or clear cookies. He will not have any way to restore it from our server. right?
So we think probably we can store key encrypted on our server as a backup.

The questions are: Do we need a backup? Crypt one time? Or crypt 2 times?

I would do a secure backup making it impossible for you to read but just hold. I would also have a way so the user can back it up without your service. So like a random string that being hashed can be regenerate their keys. Like BIP 32 https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

That will be done in main web Wallet with storage, I'm telling about a wallet, which can be set up without a PC in just few seconds.
User can't copy long numbers from phone screen and so on. But we will do BIP 32 or HD wallet as a main wallet. Mobile wallet will be for spendable needs and must be a bit more easy to use.
Makes sense?

So I think your advice is encrypting on the phone local storage + having the way to encrypt it more, like one more encryption level, and backup on the server (when we don't know the pass-phrase to decrypt).
Correct?

Yes that would work. As long as you can't decrypt, but the user can, that will work.

Want to earn 2500 SATOSHIS per hour? Come Chat and Chill in https://goseemybits.com/lobby
fruitwallet
Member
**
Offline Offline

Activity: 102


View Profile
April 25, 2014, 09:33:32 PM
 #65

cool, thanks for help!
coinnewbit
Sr. Member
****
Offline Offline

Activity: 266



View Profile
April 25, 2014, 11:02:50 PM
 #66

cool, thanks for help!
more and more of my friends are getting interested in the idea of bitcoin. However, they do not have an android phone, so can fruitwallet also add a "what's bitcoin " introduction?
fruitwallet
Member
**
Offline Offline

Activity: 102


View Profile
April 27, 2014, 12:01:51 PM
 #67

cool, thanks for help!
more and more of my friends are getting interested in the idea of bitcoin. However, they do not have an android phone, so can fruitwallet also add a "what's bitcoin " introduction?


Sure, we think education is an important part of any Crypto currency business.
We are improving landing page and will include educational part into it!
hivewallet
Sr. Member
****
Offline Offline

Activity: 378


hivewallet.com


View Profile WWW
May 29, 2014, 07:08:17 AM
 #68

Didn't get a chance to say it before, but this looks really good! Please keep going!

Hive, a beautiful, secure wallet with an app platform for Mac OS X, Android and Mobile Web. Translators wanted! iOS and OS X devs see BitcoinKit.
Tweets @hivewallet. Skype us here. Donations appreciated at 1HLRg9C1GsfEVH555hgcjzDeas14jen2Cn
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!