elective-stereophonic
elective-stereophonic
Wallet.dat file
singapore
Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest Stable Nxt Client: Nxt 1.12.2

Pages: 1 2 [3] 4 5 ... 9  All

Author Topic: Wallet.dat file  (Read 56734 times)

Jean-Luc

  • Core Dev
  • Hero Member
  • *****
  • Karma: +816/-81
  • Offline Offline
  • Posts: 1610
    • View Profile
Re: Wallet.dat file
« Reply #40 on: July 21, 2014, 08:10:42 pm »

I would also not want to add dependencies on external websites. Support for storing a wallet in the core would be more acceptable than having to download it every time from a website (but no way to add a 2FA then). Instead of storing it in a file, I would use the H2 database and have a separate encrypted database directory nxt_wallet, which unlike the nxt_db should be backed up and never be deleted. H2 already supports encryption of the database files.
Logged
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #41 on: July 21, 2014, 08:51:17 pm »

I would also not want to add dependencies on external websites. Support for storing a wallet in the core would be more acceptable than having to download it every time from a website (but no way to add a 2FA then). Instead of storing it in a file, I would use the H2 database and have a separate encrypted database directory nxt_wallet, which unlike the nxt_db should be backed up and never be deleted. H2 already supports encryption of the database files.

That sounds fine. Can the database have more than one user? This way if two people (roommates) use the same computer they can both use it. The API could have a username and password to load their wallet. Plus a way to log off without necessarily shutting down the server. 

As for 2FA, according to HumanFractal, it's still possible. His solution involves reencrypting the wallet file with a new one time password (generated by an app on the phone) every time  the uses the old OTP, but that introduces more complexity and it's not a perfect solution, as a thief can steal the wallet file first then wait for the user to enter the OTP. It's still pretty cool trick and people might feel more secure.

I want the basic encrypted  wallet file first though. That should be easy to implement. 
 
« Last Edit: July 21, 2014, 08:55:08 pm by Eadeqa »
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

k_day

  • Full Member
  • ***
  • Karma: +12/-0
  • Offline Offline
  • Posts: 149
    • View Profile
Re: Wallet.dat file
« Reply #42 on: July 21, 2014, 09:08:41 pm »

I would also not want to add dependencies on external websites. Support for storing a wallet in the core would be more acceptable than having to download it every time from a website (but no way to add a 2FA then). Instead of storing it in a file, I would use the H2 database and have a separate encrypted database directory nxt_wallet, which unlike the nxt_db should be backed up and never be deleted. H2 already supports encryption of the database files.

Just to clarify, would my wallet would only be stored in MY local encrypted db? I supposed this may be less good for people who are developing thin clients (like mobile) that are not running the full core/keeping a db and just interacting with the json api. Wallets support is pretty much a requirement for any mobile app.
Logged
NXT --> NXT-BY7Y-UB4X-6Z3C-8PP3V

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #43 on: July 21, 2014, 09:13:25 pm »

I would also not want to add dependencies on external websites. Support for storing a wallet in the core would be more acceptable than having to download it every time from a website (but no way to add a 2FA then). Instead of storing it in a file, I would use the H2 database and have a separate encrypted database directory nxt_wallet, which unlike the nxt_db should be backed up and never be deleted. H2 already supports encryption of the database files.

Just to clarify, would my wallet would only be stored in MY local encrypted db? I supposed this may be less good for people who are developing thin clients (like mobile) that are not running the full core/keeping a db and just interacting with the json api. Wallets support is pretty much a requirement for any mobile app.

marcus is developing a mobile app that has it's own wallet. There could even be an API to import it into mobile apps.  The problem with official client is that it's browser based (javascript) and it's not easy to implement wallet as the browser based client has limited access to the hard drive.  Clearing cache for example would delete the wallet file.  If it's done in Java, the client can talk to it via API to load/create new users etc.

Mobile apps should have no problem creating their own wallet or importing H2 wallet.
« Last Edit: July 21, 2014, 09:16:36 pm by Eadeqa »
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #44 on: July 22, 2014, 04:45:50 am »

Can the database have more than one user? This way if two people (roommates) use the same computer they can both use it. The API could have a username and password to load their wallet. Plus a way to log off without necessarily shutting down the server. 

Another benefit  of including a "username" instead of just a password is that we trick users into stronger password. Username itself adds entropy to AES key (and acts as a salt).  So username+password would be both hashed 200K times to generate AES encryption key. Then one additional Hash (AESKey) could be used a file name for the wallet.



Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

wesley

  • Hero Member
  • *****
  • Karma: +204/-3
  • Offline Offline
  • Posts: 1159
    • View Profile
Re: Wallet.dat file
« Reply #45 on: August 01, 2014, 08:29:23 am »

So what is the bounty for this guys?  Note also that this also needs to be in a separate (client only) jar (as per discussion with JL), so it's more complex than simply implementing wallet.dat. Take that into consideration when you decide on the bounty.
« Last Edit: August 01, 2014, 08:32:46 am by wesleyh »
Logged

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #46 on: August 01, 2014, 08:32:13 am »

So what is the bounty for this guys?

This is the core feature. Shouldn't the  bounty come from tech funds?
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

wesley

  • Hero Member
  • *****
  • Karma: +204/-3
  • Offline Offline
  • Posts: 1159
    • View Profile
Re: Wallet.dat file
« Reply #47 on: August 01, 2014, 08:33:30 am »

So what is the bounty for this guys?

This is the core feature. Shouldn't the  bounty come from tech funds?

Yes of course, we are in the technical development fund committee in the applications subforum. So this is the correct place to ask for bounty size, right?  (I'm asking the tech committee)
Logged

HumanFractal

  • Full Member
  • ***
  • Karma: +29/-2
  • Offline Offline
  • Posts: 148
  • Programming is 90% logic and 10% Magic.
    • View Profile
Re: Wallet.dat file
« Reply #48 on: August 01, 2014, 09:17:31 am »

I've spoken privately with some of you, but I should probably make known publicly that I'll be available soon to develop these features, if a sufficient bounty can be raised.

I have specific experience with secure wallet implementations and password derivation. I agree that this would greatly increase the security of NXT.

Knowing what I know now about the requirements, I estimate it'll take at least 2 weeks to develop and at least 1 week to debug and test (V1).

Please correct me if I'm missing anything- features:

V1
  • Master Key unlocks wallet.dat
  • Sub-keys derived from Master Key
  • PBKDF2 Key derivation
    • To secure the wallet.dat file
    • And to generate sub-keys
  • Future-proof derivation system
  • Contacts Storage
  • On-demand full backup
  • Custom (Import) Secret Key Storage Do we want this?

V2
  • Two Factor Authentication
  • List, Data storage
  • ...
Logged

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #49 on: August 01, 2014, 09:28:48 am »

I've spoken privately with some of you, but I should probably make known publicly that I'll be available soon to develop these features, if a sufficient bounty can be raised.

I have specific experience with secure wallet implementations and password derivation. I agree that this would greatly increase the security of NXT.

Knowing what I know now about the requirements, I estimate it'll take at least 2 weeks to develop and at least 1 week to debug and test (V1).

Please correct me if I'm missing anything- features:

V1
  • Master Key unlocks wallet.dat
  • Sub-keys derived from Master Key
  • PBKDF2 Key derivation
    • To secure the wallet.dat file
    • And to generate sub-keys
  • Future-proof derivation system
  • Contacts Storage
  • On-demand full backup
  • Custom (Import) Secret Key Storage Do we want this?

V2
  • Two Factor Authentication
  • List, Data storage
  • ...


Are you going to do this in Java (that goes in the core) or Javascript client? There are problems doing it in Javascript, as clearing browser cache will delete the wallet.

 
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

HumanFractal

  • Full Member
  • ***
  • Karma: +29/-2
  • Offline Offline
  • Posts: 148
  • Programming is 90% logic and 10% Magic.
    • View Profile
Re: Wallet.dat file
« Reply #50 on: August 01, 2014, 09:29:41 am »

Are you going to do this in Java (that goes in the core) or Javascript client? There are problems doing it in Javascript, as clearing browser cache will delete the wallet.

Java.
Logged

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #51 on: August 01, 2014, 09:32:17 am »

Are you going to do this in Java (that goes in the core) or Javascript client? There are problems doing it in Javascript, as clearing browser cache will delete the wallet.

Java.

Sounds good. It will need to work with the core API


 
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

HumanFractal

  • Full Member
  • ***
  • Karma: +29/-2
  • Offline Offline
  • Posts: 148
  • Programming is 90% logic and 10% Magic.
    • View Profile
Re: Wallet.dat file
« Reply #52 on: August 01, 2014, 09:38:11 am »

Sounds good. It will need to work with the core API

Unless I'm mistaken, the wallet.dat code won't be interfacing much with the core, as its only job is to secure and retrieve wallets on the file system.

It will need to expose its own small API.
Logged

valarmg

  • Hero Member
  • *****
  • Karma: +178/-57
  • Offline Offline
  • Posts: 1766
    • View Profile
Re: Wallet.dat file
« Reply #53 on: August 01, 2014, 09:41:44 am »

I've spoken privately with some of you, but I should probably make known publicly that I'll be available soon to develop these features, if a sufficient bounty can be raised.


Fantastic news. I hope the bounty won't be a problem.
Logged
NXT-CSED-4PK5-AR4V-6UB5V

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #54 on: August 01, 2014, 09:42:15 am »

Sounds good. It will need to work with the core API

Unless I'm mistaken, the wallet.dat code won't be interfacing much with the core, as its only job is to secure and retrieve wallets on the file system.

It will need to expose its own small API.

Yes, but the client (written in Javascript) talks to  core via API. There would need to be API. That's part of the core.

Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

HumanFractal

  • Full Member
  • ***
  • Karma: +29/-2
  • Offline Offline
  • Posts: 148
  • Programming is 90% logic and 10% Magic.
    • View Profile
Re: Wallet.dat file
« Reply #55 on: August 01, 2014, 09:43:37 am »

Yes, but the client (written in Javascript) talks to  core via API. There would need to be API

Then we're all on the same page.

I'll document that once I'm sure about how we want it to work.
Logged

Jean-Luc

  • Core Dev
  • Hero Member
  • *****
  • Karma: +816/-81
  • Offline Offline
  • Posts: 1610
    • View Profile
Re: Wallet.dat file
« Reply #56 on: August 01, 2014, 09:54:56 am »

Why does the wallet need to be a "wallet.dat file"? We already use a database, why add another way to store and read data?

How will it work when client and server are on separate machines? Where is the wallet? Currently the client javascript does all signing and encryption on the client side, it does not send the secret phrase to the server at all. If the wallet is implemented in java and running as part of the server, once the secret phrase is extracted from the wallet it will have to be sent back to the client. Then you need to make sure your connection is secure, and also you have the secret phrase in the server memory - which is currently avoided by handling all signing and encryption client-side.


Logged
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: Wallet.dat file
« Reply #57 on: August 01, 2014, 09:58:56 am »

How will it work when client and server are on separate machines? Where is the wallet?

It will not work then. The client and server need to be on the same machine for it to work. Otherwise the feature would/should be disabled and password signing would be the only option.
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

LocoMB

  • Hero Member
  • *****
  • Karma: +101/-37
  • Offline Offline
  • Posts: 751
    • View Profile
Re: Wallet.dat file
« Reply #58 on: August 01, 2014, 11:21:24 am »

One of the issues with our wallets is that it's all brainwallet and this is bad for new users.  We've all seen a couple people were were scammed and there are probably at least 20 who didn't say anything for everyone who does.

I would like to create a brainwallet API for Nxt that allows wallets and websites(such as nxtblocks.info) to all access the same wallet file on the same computer.  So wallet file will be built into the core and accessible via API calls.

This wallet file will be password protected itself, with an easier to remember password.

Thinking I'll use something like pbkdf2 to add a time delay between the password to unlock the wallet and unencrypting the wallet: https://nxtforum.org/general-discussion/peanut-butter-keeps-dogs-friendly-too-(pbkdf2)/

New estimate, instant transaction confirmations will take at least 4 months for me to complete.  I'd like something short term that can make a little bit of money and considering 3 months of work has already gone into it, I'm trying to fundraise a little in that area.  In the meantime, this is a smaller project but in light of recent developments, maybe a more necessary one and I'd like to get it done first.

So, I would like to request a bounty for implementing this.

Basic API functions will be:
Create wallet file(requires password and security level(aka time/security trade-off for PBKDF2)
Delete wallet file
Edit wallet file
Add new account(aka secret phrase)
Delete account
Get list of public keys
Get private key associated with public key
Backup wallet file to file path

Thoughts on a bounty?  I'm ready to work on this as soon as I get the green light. Thanks.

it sounds like a nice functionality to have, but maybe it needs some more definition. it sounds like a bit of a client side feature that is forced into the code.
I have had some really bad experiences with the bitcoin wallet.dat implementation, which is a one way nightmare, which is why NXT should never make it mandatory to use such a thing.
The safest wallet is a secure physical passphrase anyway- only not very user friendly, so there is delinitely use for a convenient AND safe way to do it.

How much time and what budget would you need? 
Logged
TOX
90E54E5B5213290EE616D425CADC473038CFABFA53C913271AA8559D1937DC4AF3A354A9E4E5

wesley

  • Hero Member
  • *****
  • Karma: +204/-3
  • Offline Offline
  • Posts: 1159
    • View Profile
Re: Wallet.dat file
« Reply #59 on: August 01, 2014, 11:27:48 am »

It's not forced, users will be able to choose between brainwallet or wallet.dat (in db)
Logged
Pages: 1 2 [3] 4 5 ... 9  All
 

elective-stereophonic
elective-stereophonic
assembly
assembly