
Author Topic: Wallet.dat file  (Read 56742 times)

mczarnek

Wallet.dat file
« on: July 18, 2014, 07:48:22 am »

One of the issues with our wallets is that it's all brainwallet and this is bad for new users.  We've all seen a couple people who were scammed and there are probably at least 20 who didn't say anything for everyone who does.

I would like to create a brainwallet API for Nxt that allows wallets and websites (such as nxtblocks.info) to all access the same wallet file on the same computer.  So wallet file will be built into the core and accessible via API calls.

This wallet file will be password protected itself, with an easier to remember password.

Thinking I'll use something like pbkdf2 to add a time delay between the password to unlock the wallet and unencrypting the wallet: https://nxtforum.org/general-discussion/peanut-butter-keeps-dogs-friendly-too-(pbkdf2)/

New estimate, instant transaction confirmations will take at least 4 months for me to complete.  I'd like something short term that can make a little bit of money and considering 3 months of work has already gone into it, I'm trying to fundraise a little in that area.  In the meantime, this is a smaller project but in light of recent developments, maybe a more necessary one and I'd like to get it done first.

So, I would like to request a bounty for implementing this.

Basic API functions will be:
Create wallet file (requires password and security level, aka time/security trade-off for PBKDF2)
Delete wallet file
Edit wallet file
Add new account(aka secret phrase)
Delete account
Get list of public keys
Get private key associated with public key
Backup wallet file to file path

Thoughts on a bounty?  I'm ready to work on this as soon as I get the green light. Thanks.
« Last Edit: July 18, 2014, 07:51:17 am by mczarnek »
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q
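
The password-protected wallet file proposed in the post above, as an added example that is not part of the original thread and is not Nxt or nxtblocks.info code: the secret phrases are encrypted with AES-256-GCM under a key derived by PBKDF2, and the "security level" selects the iteration count. The file layout, the function names and the level-to-iterations table are assumptions made for illustration.

```javascript
// Added example, not Nxt code: file layout, names and level table are assumptions.
const crypto = require('crypto');

// "Security level" picks the PBKDF2 iteration count (time/security trade-off).
const LEVELS = { 1: 50000, 2: 200000, 3: 600000 };
const MAX_ITERATIONS = 5000000; // refuse absurd values from a tampered file

const deriveKey = (password, saltHex, iterations) =>
  crypto.pbkdf2Sync(password, Buffer.from(saltHex, 'hex'), iterations, 32, 'sha256');

// Header fields are authenticated (GCM AAD) so edits to them are detected.
const aadOf = (h) => Buffer.from([h.v, h.kdf, h.iterations, h.salt, h.iv].join('|'));

function createWallet(password, level, secretPhrases) {
  const iterations = LEVELS[level];
  if (!iterations) throw new Error('unknown security level');
  const header = {
    v: 1,
    kdf: 'pbkdf2-sha256',
    iterations,
    salt: crypto.randomBytes(16).toString('hex'), // per-file salt
    iv: crypto.randomBytes(12).toString('hex'),   // fresh nonce on every write
  };
  const key = deriveKey(password, header.salt, iterations);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, Buffer.from(header.iv, 'hex'));
  cipher.setAAD(aadOf(header));
  const ct = Buffer.concat([cipher.update(JSON.stringify(secretPhrases), 'utf8'), cipher.final()]);
  return JSON.stringify({ ...header, ct: ct.toString('hex'), tag: cipher.getAuthTag().toString('hex') });
}

function openWallet(fileText, password) {
  const w = JSON.parse(fileText);
  if (w.v !== 1 || w.kdf !== 'pbkdf2-sha256') throw new Error('unsupported wallet format');
  if (!Number.isInteger(w.iterations) || w.iterations < LEVELS[1] || w.iterations > MAX_ITERATIONS) {
    throw new Error('iteration count out of range');
  }
  const key = deriveKey(password, w.salt, w.iterations);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(w.iv, 'hex'));
    decipher.setAAD(aadOf(w));
    decipher.setAuthTag(Buffer.from(w.tag, 'hex'));
    const pt = Buffer.concat([decipher.update(Buffer.from(w.ct, 'hex')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (e) {
    // GCM tag mismatch: wrong password or modified file; nothing is returned.
    throw new Error('wrong password or corrupted wallet file');
  }
}

// "Add new account": decrypt, append, re-encrypt with a new salt and nonce.
function addAccount(fileText, password, secretPhrase) {
  const { iterations } = JSON.parse(fileText);
  const level = Object.keys(LEVELS).find((k) => LEVELS[k] === iterations);
  return createWallet(password, level, [...openWallet(fileText, password), secretPhrase]);
}
```

The iteration count multiplies the cost of each offline guess against a stolen file; it does not add entropy to the password itself.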

wesley

Re: Wallet.dat file
« Reply #1 on: July 18, 2014, 07:55:17 am »

Great, I'd just like to add that the reason this should be done via Java API is that due to browser security issues you can't access files, so no wallet.dat is possible in the browser. It would theoretically be possible to add such functionality to my mac and windows application, but I'd like it to work in all cases, even if the user is using his browser and the command line client, so an API as described above is the answer to that.

I think this is a pretty important topic so the bounty should be significant enough.

farl4bit

Re: Wallet.dat file
« Reply #2 on: July 18, 2014, 09:11:05 am »

Good luck with this project! :)

Jean-Luc

  • Core Dev
Re: Wallet.dat file
« Reply #3 on: July 18, 2014, 09:23:46 am »

I disagree. Instant transactions is more important. Wallet.dat is a vanity feature as far as the core is concerned, the core is a server, not a desktop application. What do you mean by "websites(such as nxtblocks.info) to all access the same wallet file on the same computer"?
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

cc001

Re: Wallet.dat file
« Reply #4 on: July 18, 2014, 09:32:20 am »

Very nice idea!
Would it be possible to use multiple wallet files? Or the possibility to select which addresses should be exported/imported. This would allow the classical wallet-cold-storage of some specific addresses. This would allow the easy management of several addresses/accounts and it would allow a lot of different scenarios of brainwallet/coldstorage/walletfile, and every user could use the method he likes the most (or combine them).

But I think it is more a client feature (how to handle/manage different accounts/addresses/wallets) and should not be included into the core. Well there seems to be some issues using wallet files in the browser... hmm...

cc001 Personal - NXT-8RXS-2SSK-RNF2-HSNL8
NxtReporting.com - The Nxt Asset Exchange Portfolio Manager with Profitability Tracking - Donations are greatly appreciated on NXT-5W4G-GAR6-JHJP-H8ZTW

Eadeqa

Re: Wallet.dat file
« Reply #5 on: July 18, 2014, 10:50:12 am »

Quote
I disagree. Instant transactions is more important. Wallet.dat is a vanity feature as far as the core is concerned,

Wallet.dat is far easier to implement than "Instant transactions". It shouldn't take even a week to implement Wallet.dat. It greatly increases usability and security for the users.



NXT-GZYP-FMRT-FQ9K-3YQGS

Eadeqa

Re: Wallet.dat file
« Reply #6 on: July 18, 2014, 11:25:44 am »

Quote
Get private key associated with public key

Why? It should be "Get secret phrase associated with public key". That's what the client would need.
NXT-GZYP-FMRT-FQ9K-3YQGS

CryptKeeper

Re: Wallet.dat file
« Reply #7 on: July 18, 2014, 12:42:24 pm »

Quote
Great, I'd just like to add that the reason this should be done via Java API is that due to browser security issues you can't access files, so no wallet.dat is possible in the browser. It would theoretically be possible to add such functionality to my mac and windows application, but I'd like it to work in all cases, even if the user is using his browser and the command line client, so an API as described above is the answer to that.

I think this is a pretty important topic so the bounty should be significant enough.

What about HTML5 web storage? http://www.w3schools.com/html/html5_webstorage.asp

Quote
Web storage is supported in Internet Explorer 8+, Firefox, Opera, Chrome, and Safari.

Note: Internet Explorer 7 and earlier versions, do not support Web Storage.
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

antanst

Re: Wallet.dat file
« Reply #8 on: July 18, 2014, 12:45:18 pm »

Quote
One of the issues with our wallets is that it's all brainwallet and this is bad for new users. We've all seen a couple people who were scammed and there are probably at least 20 who didn't say anything for everyone who does.

I assume by "scammed" you mean that they picked an insecure password and as a consequence their account has been emptied by an attacker.

Quote
I would like to create a brainwallet API for Nxt that allows wallets and websites(such as nxtblocks.info) to all access the same wallet file on the same computer.  So wallet file will be built into the core and accessible via API calls.

This will require sweeping changes to the client UI as well. The API calls will be the easy tasks. Implementing multiple account functionality in the wallet, while simultaneously keeping the user experience as simple as possible is a much more time consuming task.

Quote
This wallet file will be password protected itself, with an easier to remember password.

The wallet password should be secure, so you must follow the same password creation/generation method as in creating an account in the first place. Using a KDF such as PBKDF2 doesn't mean one can get away with an insecure password.

Quote
Basic API functions will be:
<snip>
Add new account(aka secret phrase)

If you can specify a custom secret phrase for an account, then the behavior is virtually the same as it is right now as far as a single NXT account's security is concerned. Users will still be able to enter insecure passwords (at their own risk, of course) like now. Having a wallet with multiple accounts is primarily a usability feature, not a security one, unless you force automatic account creation as well and completely discard accounts with custom passphrases. Unfortunately, this behavior will be backwards incompatible with the current user experience people expect from the client. Which means even more UI complications, if you want to remain compatible and offer a way for the user to import his old passphrases.

Having said the above, feel free to browse the encryption/decryption code in the wallet.js file from nxtblocks.info, as well as the decrypted wallet format. We have no problem giving code back for inclusion into the NXT core.

Quote
What about HTML5 web storage?

The users will lose their wallets whenever they clean their browser cache.

CryptKeeper

Re: Wallet.dat file
« Reply #9 on: July 18, 2014, 12:48:14 pm »

Quote
The users will lose their wallets whenever they clean their browser cache.

Not with HTML5 web storage:

Quote
The localStorage Object
The localStorage object stores the data with no expiration date. The data will not be deleted when the browser is closed, and will be available the next day, week, or year.

There are a few examples if you follow the link http://www.w3schools.com/html/html5_webstorage.asp, so you can try it yourself!
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

antanst

Re: Wallet.dat file
« Reply #10 on: July 18, 2014, 12:58:34 pm »

The HTML5 web storage is cleared up whenever the user uses a private ("incognito") window and closes it afterwards, or when he empties his cookies/cache (depending on the browser). My point is that there are too many things that can go wrong and the users will accidentally lose their wallets.

CryptKeeper

Re: Wallet.dat file
« Reply #11 on: July 18, 2014, 01:12:16 pm »


Quote
The HTML5 web storage is cleared up whenever the user uses a private ("incognito") window and closes it afterwards, or when he empties his cookies/cache (depending on the browser). My point is that there are too many things that can go wrong and the users will accidentally lose their wallets.

Ok, I understand that, but you can prevent that by offering a backup of the pass phrase:  maybe a printout with qr code or the user must write it down. If you use a wallet.dat file, you need a backup as well.

How many users use the "incognito" mode with the NXT client? You can't even save your contacts with that! I don't know if you could detect incognito mode and warn the user about it, maybe that would be a solution for this problem.
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

antanst

Re: Wallet.dat file
« Reply #12 on: July 18, 2014, 01:14:39 pm »

Incognito mode is undetectable.

v39453

Re: Wallet.dat file
« Reply #13 on: July 18, 2014, 01:57:20 pm »

Quote
How many users use the "incognito" mode with the NXT client?

A recommendation was made on this forum to use incognito mode.

Here's an alternative to wallet.dat:

The client could refuse to accept a passphrase for a new account that was not generated by it. This would be inconvenient for users who want to pick their own passphrases, but would prevent accounts getting stolen because of weak passwords.

mczarnek

Re: Wallet.dat file
« Reply #14 on: July 18, 2014, 04:25:15 pm »

Quote
I disagree. Instant transactions is more important. Wallet.dat is a vanity feature as far as the core is concerned, the core is a server, not a desktop application. What do you mean by "websites(such as nxtblocks.info) to all access the same wallet file on the same computer"?

So, maybe it hasn't been fully thought through but this is how NEM intends to do it and Wesley was waiting to implement something like this in the wallet, hoping that the core would implement it instead.  The idea is that you go to Nxtblocks.info, give them your wallet password, and they have access to the core API, and can make calls to communicate with the same wallet.dat file that Wesley's wallet accesses.

I do need a little bit of feedback regarding wallet.dat vs Instant Transactions.  If I don't implement this, it looks like HumanFractal may be able to do it, though he's got a couple other things to finish up first.


Quote
Wallet.dat is far easier to implement than "Instant transactions". It shouldn't take even a week to implement Wallet.dat. It greatly increases usability and security for the users.


That's the idea, though I'm thinking a little longer than that, I'm only just learning the core code and don't know how I'd go about testing this, though it certainly is a simpler system.

Also, it'd be nice to have some funds to slightly more comfortably last me through IT implementation.  Maybe the TechDev committee would be willing to restructure the IT bounty?  When I get it onto the test net and have features x,y, and z implemented, I'll get partial payment. Either that or I may try to do a little bit of fundraising, especially, considering how much work has already gone into it and is still needed, I don't think the current funding for IT even comes close to minimum wage at these prices and I need to make sure I can cover the mortgage.

Quote
Quote
One of the issues with our wallets is that it's all brainwallet and this is bad for new users. We've all seen a couple people who were scammed and there are probably at least 20 who didn't say anything for everyone who does.

I assume by "scammed" you mean that they picked an insecure password and as a consequence their account has been emptied by an attacker.

Yes but we need to hold onto new dumb/naive users who are going to do that not knowing any better.

Quote
Quote
This wallet file will be password protected itself, with an easier to remember password.

The wallet password should be secure, so you must follow the same password creation/generation method as in creating an account in the first place. Using a KDF such as PBKDF2 doesn't mean one can get away with an insecure password.

Agreed, but you need both the wallet.dat and to crack the password and the same password is more secure if run through PBKDF2.. maybe even semi-memorable passwords could provide a decent level of security if you run PBKDF2 on it.

Quote
Quote
I would like to create a brainwallet API for Nxt that allows wallets and websites(such as nxtblocks.info) to all access the same wallet file on the same computer.  So wallet file will be built into the core and accessible via API calls.

This will require sweeping changes to the client UI as well. The API calls will be the easy tasks. Implementing multiple account functionality in the wallet, while simultaneously keeping the user experience as simple as possible is a much more time consuming task.

Yeah, will need big changes there. But I'm not touching implementing it into the wallet.. Wesley can do that.  I'm talking API only.
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q

mczarnek

Re: Wallet.dat file
« Reply #15 on: July 18, 2014, 05:01:50 pm »

And I think the big difference is if you are trying to hack a wallet.dat file, there is one magic password.  If trying to hack the blockchain, you are trying to simultaneously hack everyone's account at once.  So, especially combined with PBKDF2, you can use a somewhat memorable password and it's still fairly secure, longer is obviously still better, but wallet.dat holding onto long complicated passwords also needs to be stolen too.

And if a user does use a stupid insecure, very memorable password.. they are still safer because their wallet.dat needs to be stolen too and can't be hacked using public knowledge.
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q

Eadeqa

Re: Wallet.dat file
« Reply #16 on: July 18, 2014, 07:26:36 pm »

Quote
The wallet password should be secure, so you must follow the same password creation/generation method as in creating an account in the first place. Using a KDF such as PBKDF2 doesn't mean one can get away with an insecure password.

This is absolutely not true and total nonsense. A "weak" account password means instantaneous stolen funds by bots that are running constantly and checking these accounts. A "weak" wallet password doesn't mean a hacked account. The attacker first needs access to the wallet file itself (unlike account password), which isn't easy without tricking the user into installing some kind of trojan/malware.

NXT-GZYP-FMRT-FQ9K-3YQGS

Eadeqa

Re: Wallet.dat file
« Reply #17 on: July 18, 2014, 07:30:44 pm »

Quote
And I think the big difference is if you are trying to hack a wallet.dat file, there is one magic password.

Yes, and the hacker first needs to "steal" wallet.dat which isn't on the blockchain like account passwords.

There is a big difference.

It's still possible to never get hacked in your life even if your wallet is not encrypted at all (like bitcoin wallet isn't by default nor the wallets on the phone). Don't confuse the issue. Wallet is far more secure than letting users enter insecure account passwords that are one hash to private keys on the blockchain.  It increases security and usability which are serious problems with Nxt.

Forget instant transactions, we need wallet implementation which should not take more than a week to implement. It's an easy solution to a serious security problem.

 
« Last Edit: July 18, 2014, 07:34:12 pm by Eadeqa »
NXT-GZYP-FMRT-FQ9K-3YQGS

antanst

Re: Wallet.dat file
« Reply #18 on: July 18, 2014, 08:07:57 pm »

Quote
Quote
The wallet password should be secure, so you must follow the same password creation/generation method as in creating an account in the first place. Using a KDF such as PBKDF2 doesn't mean one can get away with an insecure password.

This is absolutely not true and total nonsense. A "weak" account password means instantaneous stolen funds by bots that are running constantly and checking these accounts. A "weak" wallet password doesn't mean a hacked account. The attacker first needs access to the wallet file itself (unlike account password), which isn't easy without tricking the user into installing some kind of trojan/malware.

You didn't understand my post. I'm saying that password strength rules should be enforced when encrypting the wallet as well, not just when creating an account. Obviously, an attacker needs to have the wallet in the first place in order to try to hack it.

Eadeqa

Re: Wallet.dat file
« Reply #19 on: July 18, 2014, 08:17:57 pm »

Quote
You didn't understand my post. I'm saying that password strength rules should be enforced when encrypting the wallet as well, not just when creating an account. Obviously, an attacker needs to have the wallet in the first place in order to try to hack it.

The password doesn't have to be as strong as account password. That's why it's more user friendly. Your site nxtblocks needs to enforce stronger encryption password rules as the user is trusting you (and your server which is public) with keeping a copy of encrypted wallet. Plus a hack of your server means the attacker steals hundreds/thousands of wallet files.

When it comes to local copy on user computer, let the user choose their own passwords that they can remember. Use pbkdf2 to make it stronger.

 
NXT-GZYP-FMRT-FQ9K-3YQGS