Air Wallet

From BiblePay Wiki
Jump to: navigation, search

BiblePay Air Wallet

The BiblePay Air Wallet is a multi-wallet that does not require the entire blockchain to use it. It is similar to electrum, in that it acts as an SPV wallet, allowing immediate access to send/receive funds. It allows you to access multiple coin balances from one home page. This wallet is written almost entirely in Javascript (with some HTML and CSS), giving the user the ability to run it as a standalone page without downloading an application.

The primary benefit of the air wallet, that differentiates itself from the rest, is this wallet does not store the public or private keypair anywhere. Instead, it derives the keypair from your e-mail address + password, and note, these values can be arbitrarily made up for a specific purpose. For example, you may create an unlimited amount of email-password combinations to suit your needs, each one will result in a new keypair. To access your funds from anywhere, be sure to log in with the correct credentials.

Security Improvement to Web Wallets

About 5 years ago, brainwallet came out with an innovative solution similar to the Air Wallet, but note that it was plagued with security problems. We want to address these now so you understand how these are mitigated.

First of all brainwallet was subject to the weak random number generator bug. Older javascript generators created patterns that were very predictable. This led hackers to try to brute force keys generated by brainwallets. To mitigate this, we do not offer random number key generation. Instead, we create the keypair using the derived hash of hashes of your existing credentials. As long as you make the password long, your derived key will be strong. This is because we hash your credentials 700 times. Please ensure you use a password that is not known globally for this purpose.

The next security problem with Web Wallets is phishing. This means that a web site developer will try to get you to navigate to a site on their domain that hosts the same files. This would get you to either type in your credentials or spend your coins on their page. To mitigate this, we will only allow the air-wallet to run on either our github domain (where you can see the source code), or, on your domain. You can run it directly off your flash drive, or even in a virtual machine, etc. Just verify the domain name in the URL is where you are running it from.

The last security issue with mobile wallets, web wallets and even the core wallet is usually your private keys are stored somewhere. For example in wallet.dat. This is not a big concern if your wallet is encrypted, and no one has physical access to your machine. However in todays age, we have many applications on phone that are able to access data not in the same directory as the app. One very nice pro about the air wallet is we don't store your keypair anywhere, so there is no risk of the key being hijacked from any file or temporary database (such as localstorage) or any cookie.

Bug Bounty/Security Exploit Bounty

We are offering a 5 million BBP reward for information that leads to a reproducible exploit in this source code. Feel free to audit the security in this solution for any vulnerabilities or attack vectors. It is eventually expected that users will store moderate amounts of value over multiple currencies in this wallet.

Backing up your Air Wallet Private Keys

Since the keys are not stored anywhere, there is nothing to back up. However, you should record your e-mail address and password (credentials) somewhere, for example on a flash drive. Then when you log in again in the future, the same private key is derived again. Think of each set of credentials as creating one public BBP address and one private BBP key.

Note that no one can help you recover a private key because it is not known to anyone.

    Some of the future goals we have for the air wallet:
  • Access your funds from anywhere without the core blockchain (characteristics of the SPV wallet)
  • Access funds from more than one blockchain, providing ability to control larger portfolios (characterists of a multi-wallet)
  • Ability to sign UTXOs for Staking rewards (allows you to do the complex signing task normally requiring the full core wallet)
  • Ability for us to add voted-in coins to the multi wallet (partner with many high quality communities, with speedy growth)
  • Ability to back up the private key securely with security on par with hardware wallets (similar to a back-up to USB flash drive, or back-up to hardware wallet)
  • Security concious (resistance to phishing attacks as a standalone solution, and not storing the private key anywhere a hacker can access it)
  • Ability to Lock coins that are staked (provide a Staking Corner widget, to show the user a list of staked coins)
  • Ability to synthesize a long cryptocurrency portfolio (Taking a list of coins in a basket, allow the user to enter or exit a portfolio to be "long" the basket)
  • Integrate with other chains through block explorer/rest/UTXO APIs (remove the necessity of syncing 20+ network SPV points, lower the integration bar for BBP plus other currencies)

The longer term goal of the air wallet is to give you the ability to send funds to the air wallet, and sign and lock the UTXOs. This gives you the ability to create portfolios. Then there will be no chance of spending these UTXOs, and it will be extremely easy to sign them and use them in BBP.