Jump to content

T8493

Bronze Member
  • Content Count

    2,304
  • Joined

  • Last visited

  • Days Won

    9

Everything posted by T8493

  1. GateHub was hacked recently and I'm not sure everyone with the "read-only wallet" problem can access their funds...
  2. You are referring to "simple" queries. But there are some quite hard-to-do-it-right things, like transaction submission workflow or transaction parsing or serialization.
  3. Sure, but what are the other options? Unmaintaned & incomplete java and C# libraries?
  4. However, before anybody codes anything serious that deals with private keys instead of secret keys, I think this RippleAPI issue has to be sorted out: https://github.com/ripple/ripple-lib/issues/797
  5. I was thinking about something even simpler, e.g. https://github.com/Yubico/ykneo-curves/blob/master/applet/src/com/yubico/ykneo/curves/YkneoCurves.java (there are other implementations, too, I also suspect some of them are even compatible with PKCS#11) Basically this is just a wrapper around javacard.security package which supports secp256k1 natively (code just sets appropriate EC domain parameters: https://github.com/Yubico/ykneo-curves/blob/master/applet/src/com/yubico/ykneo/curves/SecP256k1.java ) This code supports only two operations: generate and sign. Maybe one could add import/export of private keys. But from the cryptographic point of view this should be probably enough.
  6. I'm not sure one needs fully-fledged "hardware wallet software" on JavaCard smartcards. There are already existing open-source JavaCard applets that can generate & store private keys and sign message digests with ECDSA. JavaCard supports secp256k1 curve AFAIK, too, and there's no need to implement this curve manually. Everything else can be implemented in software on your computer.
  7. Ripple is probably not allowed to do this (FinCEN settlement).
  8. AFAIK no. You need special orchestration service (and wallets that support this service). (my answer applies to transactions that are signed by only e.g. one signer, but there needs to be more than one signer). Hardware wallet has one advantage: it is actually a working "offline" computer and you don't need to buy a separate computer just to sign transactions using a paper wallet.
  9. No, one of the signers can use software solution (there's no need for specialized hardware). Or he/she can even use an online service. EDIT: you would need a special service that could orchestrate requests for signing, signatures, submissions, etc anyway. This could be an online service (I worked on such service in the past) and this service could also contribute one of the signatures.
  10. No. Sure, this is actually a preferred method.
  11. People who contribute in this topic tend to disregard the following: Assume that p denotes the probability of your secret key getting compromised in e.g. one year on one device. You can implement different measures which can lower this probability p, but it becomes more in more expensive (in terms of computer equipment, time, skills, etc.) to lower it more and more. If you don't use multisign, then the probability of your account getting compromised is also p. But assume that we use 2-of-3 multisign instead. The probability of your account getting compromised becomes O(p^2) instead of p. We can drastically lower the probability of account getting compromised by leaving the value of p quite large (we don't need to implement expensive security measures) and using different secret keys stored on independent devices. Numerical example: Assume p = 0.01 (probability of compromise in one year is 1%) If you don't use multisign, then the probability of your account getting compromised is 0.01 If you use 2-of-3 multisign, then the probability of your account getting compromised is only 0.000298 (around 33x less - I used Wolfram Mathematica, but you can derive it "by hand" as an exercise). Main takeaway: multisign can be much cheaper than other security measures
  12. He uses RippleAPI. Fields are named differently there: https://ripple.com/build/rippleapi/#getserverinfo
  13. This PIN is just one factor in authentication. Another factor is physical possession of device. However, you claimed biometric data could replace "any seed/key"...
  14. There is no way that transaction is not "recorded" on the ledger and the amount of XRPs in your account decreases. Transaction can sometime fail and consume fee, but it is still "recorded". Why you can't get 'reserveBaseXRP'? I wouldn't bother with this property. You can just hardcode a constant in your code instead.
  15. There is always an usability <-> security trade-off when you deal with authentication mechanisms. Fingerprints are not very good passwords: they can be stolen easily, you can't change them after they were compromised, they can be easily "guessed" (the probability of a fingerprint matching on Apple TouchID is 1:50000 - the probability of guessing long passphrases is several orders of magnitude smaller). EDIT: Biometric data can be used as a second factor when you authenticate and authorize users. But they can't be used solely instead of a password.
  16. When someone steals your seed/key, do you plan to have your retina and fingers surgically replaced? Biometric data can be used instead of usernames, not instead of "passwords".
  17. No one basically. You must trust the company that makes them. You can recover it on another device OR use special program that converts your recovery seed to (probably) a Ripple private key and can then sign a transaction.
  18. Ask GateHub support to manually approve your phone number.
  19. Secret key (or private key) is stored in a hardware wallet and it never touches e.g. any computer that is connected to the internet. Theoretically they could be seen as one of the methods for implementing cold storage (other method is e.g. a paper wallet), although they could be still connected to the online computer (via USB port).
  20. What about implementing secp256k1 signatures on ordinary smart cards or USB tokens? Or maybe just create a Ripple software wallet that uses one of the existing smartcards with secp256k1 support? I doubt there's a significant market for any Ripple specific hardware.
  21. http://highscalability.com/blog/2017/10/2/ripple-the-most-demonstrably-scalable-blockchain.html
  22. Well, many police forces have special cyber crime units that deal with such things on a daily basis, e.g. in the UK: http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-cyber-crime-unit http://www.actionfraud.police.uk/
  23. You need to report it to cyber crime units. Regular units are not trained for this (and sometimes they don't redirect this to cyber crime units because they don't know what to do with this). True story: bank (or its API gateway service) was under DDoS attack and they called the police. And police didn't know what to do and they sent two patrol cars to protect them.
×
×
  • Create New...