Switch to ArdorForum

Page http://wiki.nxtcrypto.org/wiki/How-To:Automate_Nxt_for_your_website recommends using for example MasterSecret + userId as user's key.
 

Hi,
I'm really interested in using NXT for my online store but there is a problem.

As a business owner I want:
1. accept payments from my clients online
2. hide my balance and transactions from competitors
3. protect the client so that their purchases can't be tracked (or hard to be tracked) by 3d party

As a customer I want
1. an ability to somehow verify the target of my payment.
2. more privacy. I'm not sure if possible but need to hide account balance.



Thanks
Mikhail




Is it possible with NXT?

Thanks
Mikhail

At the moment the best way to do this is to generate a new payment address for each purchase. As in Bitcoin, transactions can be tracked, but is not easy because real identities of the accounts are not known. There have also been ideas for more privacy in Nxt.

Somebody correct me if I'm wrong.

I would like to look into helping with this.  Where would I find information about how to build something on top of the NXT blockchain?
I've started looking into the NXT API, but that seems to be more about access information from NXT nodes.

Thank you for any help

You can use the 'send message' call from the Nxt API for user-to-user communication and broadcasting messages. If you don't encrypt, messages are readable by everybody.

You can find an example workflow from BCNext in the thread I linked to earlier.

To send an encrypted message to somebody you can use the 'get shared secret' call from the Nxt source code and encrypting with AES. There is no API call for this, but I have tested it in Java, and it seems to work.

Quote from: v39453 on April 06, 2014, 03:41:01 pm

I am also offering a bounty for a service like this.

My thoughts on how it should work in this thread: https://bitcointalk.org/index.php?topic=317607.msg5699472#msg5699472

But I think it shouldn't be a web application. The user should run it on his local machine for added privacy.

My proposal also includes encrypting messages with the marketplace password, which also acts as the name for the marketplace.

I am building a prototype, which works as a command line program. But I'm also offering a bounty for somebody to implement it with a real GUI.

So as far as I understand it this would be an anonymous marketplace?

About local client vs. web based client:
Lets assume you are living in a country where buying oranges is forbidden. But you do like to buy oranges over the anonymous marketplace. Unfortunately your parcel with the oranges got intercepted by the police. The police is searching your computer and finds this client. Would this make you look better in front of the Judge? Probably not. I would recommend to have the client webbased. Reachable through Tor.

Yes, it would be an anonymous marketplace.

Having the program installed should be completely legal, as well as developing the software. If somebody were to use it to set up an illegal orange marketplace, I would have no way of knowing because all messages are encrypted.

A web server, even if hidden, has an owner who can be attacked legally or technically.  A blockchain has no owner. You can also run Nxt using Tor. In this case there would be four layers of security: knowing the existence of the marketplace, encryption of messages, blockchain, and Tor.

So client devs should make their own decision about what algo they want to use.

Different clients would need to be able to read each others messages. I understand the messages will have a prefix. Can't different algorithms have different prefixes? (I would use AES if it is available.)

Quote from: v39453 on April 07, 2014, 09:05:04 am

I'm not an expert, but I'm a little worried if xor is used to encrypt messages. To use xor you need a key - with true randomness - as long as the message. I don't think it matters what extra steps you add if you don't have that.

Like I said I'm not an expert, but I remember reading that xor is one of the things that does not work.

XoredData satisfies these conditions. Pay attention that it's a little bit different from https://nextcoin.org/index.php?topic=727.0

Well, I am not qualified to say if it works or not. Let me just say this: if it doesn't implement a well-known method of doing the encryption, it at least raises the question of being secure.

For the record, I just use AES.

I'm not an expert, but I'm a little worried if xor is used to encrypt messages. To use xor you need a key - with true randomness - as long as the message. I don't think it matters what extra steps you add if you don't have that.

Like I said I'm not an expert, but I remember reading that xor is one of the things that does not work.