Signing with regular keys in GateHub wallet


T8493

Is it possible to use regular keys for signing transactions when you use the GateHub wallet?

Regular keys can be disabled, and in case of a breach one can simply disable the regular key outside of the GateHub wallet.

This is maybe the only proactive way one can actively defend himself in case of a breach.

Edited by T8493

3 minutes ago, rippleric said:

What exactly is a regular key used for? 

A regular key can be used for signing transactions. However, it can be disabled or changed at will.

From https://ripple.com/build/transactions/#setregularkey :

Quote

In addition to the master key, which is mathematically-related to an address, you can associate at most 1 additional key pair with an address using this type of transaction. The additional key pair is called a regular key. If your address has a regular key pair defined, you can use the secret key of the regular key pair to authorize transactions.

A regular key pair is generated in the same way as any other Ripple keys (for example, with wallet_propose), but it can be changed. A master key pair is an intrinsic part of an address's identity (the address is derived from the master public key). You can disable a master key but you cannot change it.

You can protect your master secret by using a regular key instead of the master key to sign transactions whenever possible. If your regular key is compromised, but the master key is not, you can use a SetRegularKey transaction to regain control of your address. In some cases, you can even send a key reset transaction without paying the transaction cost.

On 5. 8. 2016 at 3:17 AM, T8493 said:

Is it possible to use regular keys for signing transactions when you use the GateHub wallet?

Regular keys can be disabled, and in case of a breach one can simply disable the regular key outside of the GateHub wallet.

This is maybe the only proactive way one can actively defend himself in case of a breach.

This is a very interesting idea.

The only question I have is which cold storage "solution" might be used for easily deactivating the regular key.

Did the old Ripple Trade client allow you to "manage" regular keys for an account?

33 minutes ago, enej said:

This is a very interesting idea.

The only question I have is which cold storage "solution" might be used for easily deactivating the regular key.

Did the old Ripple Trade client allow you to "manage" regular keys for an account?

@enej, I don't believe the client offered any functionality associated with the regular key. Put me down as a "yes, please" in the "add a way to import a wallet given the wallet's public address and a regular key." Or, at least, a way to set a regular key on a given wallet and use that.

46 minutes ago, enej said:

The only question I have is which cold storage "solution" might be used for easily deactivating the regular key.

Someone will have to build a (trusted) app which can be used to deactivate the regular key by entering the secret key manually. Whether this app should be offline or online is debatable.

I think the whole Ripple ecosystem has one big problem: how to distribute/deploy apps (wallets, etc.) in a trusted way. JavaScript/HTML per se doesn't support code signing (except maybe the subresource integrity feature, which is just hashing and not supported by all major browsers).

I think the proper solution is probably outside of the pure JavaScript/HTML scope.

5 minutes ago, T8493 said:

Someone will have to build a (trusted) app which can be used to deactivate the regular key by entering the secret key manually. Whether this app should be offline or online is debatable.

I think the whole Ripple ecosystem has one big problem: how to distribute/deploy apps (wallets, etc.) in a trusted way. JavaScript/HTML per se doesn't support code signing (except maybe the subresource integrity feature, which is just hashing and not supported by all major browsers).

I think the proper solution is probably outside of the pure JavaScript/HTML scope.

One solution is to use this:

Quote

Another important working feature is creating and revoking regular keys. This is awesome because it allows managing an account without using the Master Key, so the latter can be kept totally private and offline, and used only in an emergency situation.

Then use the regular key to create a wallet at GateHub, using it when GateHub asks for your secret key.

41 minutes ago, RafOlP said:

Then use the regular key to create a wallet at GateHub, using it when GateHub asks for your secret key.

Ok, this is one possibility.

But how can users get this application?

First option is via this link: https://s3.amazonaws.com/static.rippex.net/client/carteira-ripple-win64-1.4.0-rc3.zip

But:

  • how can users be sure that the compiled code doesn't do anything malicious?
  • how can users be sure that the package wasn't tampered with while it is on Amazon servers?

If a user wants to compile the code himself, he has to (according to https://github.com/rippex/ripple-client-desktop)

  • Fork and clone the ripple-client-desktop repository
  • Run npm install
  • Download nw.js
  • In the ripple-client-desktop repository, make a copy of the config_example.js file and name it config.js
  • Run gulp in your command line for development
  • Run gulp packages in your command line for the production ready client
  • Your desktop client is in the packages/RippleAdminConsole directory

99% of the users can't do this. They need something that works with one click.

Edited by T8493

4 hours ago, T8493 said:

 

Ok, this is one possibility.

But how can users get this application?

First option is via this link: https://s3.amazonaws.com/static.rippex.net/client/carteira-ripple-win64-1.4.0-rc3.zip

But:

  • how can users be sure that the compiled code doesn't do anything malicious?
  • how can users be sure that the package wasn't tampered with while it is on Amazon servers?

If a user wants to compile the code himself, he has to (according to https://github.com/rippex/ripple-client-desktop)

  • Fork and clone the ripple-client-desktop repository
  • Run npm install
  • Download nw.js
  • In the ripple-client-desktop repository, make a copy of the config_example.js file and name it config.js
  • Run gulp in your command line for development
  • Run gulp packages in your command line for the production ready client
  • Your desktop client is in the packages/RippleAdminConsole directory

99% of the users can't do this. They need something that works with one click.

Even checking download hashes helps only a minority (because of tech limits or laziness or a sense that trusting someone says an open-source software is what it says it is).

I think I understand what you are trying to achieve but being technically sure about something requires technical knowledge. One example: even a developer who has a technical understanding about Java or Go or JS or Python will have to have specific knowledge about how cryptography works and what are the best practices for implementing it in order to be sure it is safe code. Then what happens is that everybody trusts all the experienced cryptographers who are unlikely to collude because they are good people or because they fear other groups of developers might prove them wrong. So when those reputable and accountable experts say something in chorus, it is very unlikely they are wrong or misguiding everyone on purpose.

Edited by RafOlP
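
Added example, not part of any post in this thread and not code from any wallet mentioned here: a Node.js sketch of the two points discussed above, that subresource integrity is "just hashing" and that a download hash only helps when it comes from somewhere other than the download host. The file contents, the helper names (`sriHash`, `verifySri`, `verifySignature`, `report`) and the Ed25519 key pair are constructed for illustration.

```javascript
// Added illustration; file contents and helper names are constructed.
const crypto = require('crypto');

const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// SRI metadata has the form "<alg>-<base64 digest>" (the integrity="" value).
function sriHash(data, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(data).digest('base64')}`;
}

// Accept data only if it matches a digest of the strongest algorithm listed.
function verifySri(data, integrity) {
  const entries = integrity.trim().split(/\s+/).map((tok) => {
    const dash = tok.indexOf('-');
    return { alg: tok.slice(0, dash), digest: tok.slice(dash + 1) };
  }).filter((e) => STRENGTH.has(e.alg));
  if (entries.length === 0) return false; // nothing usable listed: fail closed here
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.alg)));
  return entries
    .filter((e) => STRENGTH.get(e.alg) === best)
    .some((e) => sriHash(data, e.alg) === `${e.alg}-${e.digest}`);
}

// Constructed stand-ins for a wallet script as published and as altered on the host.
const published = Buffer.from('function sign(tx, secret) { /* wallet code */ }');
const tampered = Buffer.from('function sign(tx, secret) { /* altered code */ }');

// A hash obtained out of band detects the altered file.
const pinned = sriHash(published);
// A hash served next to the file can be regenerated by whoever altered the file.
const rehashed = sriHash(tampered);

// A signature ties the file to a key that never has to sit on the download host.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const signature = crypto.sign(null, published, privateKey);

function verifySignature(data, sig, pub) {
  return crypto.verify(null, data, pub, sig);
}

function report() {
  return {
    pinnedHashAcceptsPublished: verifySri(published, pinned),
    pinnedHashAcceptsTampered: verifySri(tampered, pinned),
    rehashedAcceptsTampered: verifySri(tampered, rehashed),
    signatureAcceptsTampered: verifySignature(tampered, signature, publicKey),
  };
}

console.log(report());
```

The hash check is only as trustworthy as the channel that delivered the hash, while the signature check depends on how the user obtained the public key.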

2 hours ago, yxxyun said:

https://yxxyun.github.io this supports setting and using a regular key.

@yxxyun, is your wallet just a redesigned (material design) Ripple Labs wallet? Or have you changed anything else (significantly)?

Does this repository contain the source code of your (redesigned) wallet:

https://github.com/yxxyun/ripple-wallet

?

What is this repository:

https://github.com/yxxyun/ripple-client-desktop

?

Edited by T8493

1 hour ago, T8493 said:

@yxxyun, is your wallet just a redesigned (material design) Ripple Labs wallet? Or have you changed anything else (significantly)?

Does this repository contain the source code of your (redesigned) wallet:

https://github.com/yxxyun/ripple-wallet

?

What is this repository:

https://github.com/yxxyun/ripple-client-desktop

?

The source code is https://github.com/yxxyun/ripple-wallet , it is a redesign of ripplerm's wallet.
