Any progress in your project? Did you get response from the NXT community?
No response yet. I am going to take it to the other Stag dev to check out sometime this week. In the mean time, I am going to continue developing the RPC interface.
Edit: I found the problem and have been able to progress with debugging!
The error was a single extra whitespace in the code. No wonder it took me so long to find it!
Good news, good work.
Debugging has been
MUCH smoother since I got rid of that one bug! I fixed 5 bugs in the forging code just this morning! (I have only been awake for about 2 hours).
Hopefully nothing that tricky comes up again so I can get Stag 0.0.1 out sooner rather than later.
Stag 0.0.1 most likely won't have all the additional security features (such as the pseudowallet file and second public key) enabled but will have some of them fully implemented (such as the enhanced password generator).
In case you don't know, the pseudowallet is like having a second public/private key pair, except, rather then being generated via a password, the private key is generated directly through a random byte array and is capable of providing higher entropy because it is not dependent on a password (providing better security). In addition, the public key is also capable of being much larger, making it more difficult to brute force the private key which corresponds to the public key. The pseudowallet file contains a reference to the transaction that contains its public key so it is quickly found.
To provide extra security, the pseudowallet file is encrypted using the standard Stag password. This forces potential attackers to find the password before they can find the second private key. Because the wallet file in encrypted with a different algorithm than is used to generate the standard private key, the attacker would need the exact password used to create the account rather than just finding the account's private key and using it to unlock both the standard login and the pseudowallet file.
So basically, with the pseudowallet file, an attacker would to do one of the following:
- Brute force both the standard private key (which is already difficult) and larger, more difficult, pseudowallet private key.
- Brute force both the account's password and the pseudowallet private key.
- Brute force the account's password and steal the pseudowallet file.
- Steal the account's password and steal the pseudowallet file.
- Steal the account's password and brute force the the pseudowallet private key.
In other words, it would be quite difficult to hack someone' account if they have a pseudowallet implemented.
The enhanced password generator, which will be implemented in Stag 0.0.1, is also really cool. First of all, it implements a larger array on English words than the NXT password generator, providing better entropy. It optionally, implements the HotBits true random number generator on top of a pseudorandom number generator (the pseudorandom number is meant to provide security in case HotBits becomes insecure for whatever reason e.g. they are hacked, the connection is intercepted, something goes wrong with their generator, etc.) which provides higher password entropy. It will support multiple password sizes (so no one can just find the password and know what it belongs to based on number of words or characters). It will support multiple password languages for easier commitment to memory for speakers of languages other than English, and it will, optionally, allow creation of passwords using random characters rather than words for the extra paranoid who wish to save passwords in something like KeePass.
In other words, it will provide better security than the NXT password generator by adding new features, both for the standard user and the paranoid user, and it will be more user friendly by allowing passwords to be generated in the user's native language.
Like I said, the enhanced password generator will be avalible in Stag 0.0.1.
Expect Stag 0.0.1 to be released sometime around New Years (may be sooner, may be later; I want to make sure it is as secure as possible before it's release; I don't want anyone to lose any money).
