0

I am implementing a web application that deals with signing blockchain transactions similar to what all cryptocurrency stock exchange applications are doing. I am wondering how do they store private keys?

When creating a user account an online wallet is created that is public/private key pairs. Suppose that someone gets unauthorized access to the database, how to prevent him/her from stealing the credentials?

Solutions for protecting the password:

  • Hashing the password prevents the cracker from seeing the actual text
  • Salt the password before hashing prevents the use of rainbow tables or look-up tables.

Private key can't be hashed, we need its actual text.

A suggestion is to symmetrically encrypt the private key before storing in the database with the user's password. But this means that the user needs to decrypt the private on every transaction, which is kinda user unfriendly. I would like to implement something like Poloniex, Coinbase ...

schroeder
  • 123,438
  • 55
  • 284
  • 319
Adelin
  • 111
  • 5
  • 2
    Lots of useful posts in the Related column to this question: https://security.stackexchange.com/questions/124019/how-do-i-securely-encrypt-and-store-database-encryption-keys?rq=1 and https://security.stackexchange.com/questions/95289/how-to-store-passwords-in-database-so-that-they-can-be-retrieved?rq=1 and https://security.stackexchange.com/questions/177990/what-is-the-best-practice-to-store-private-key-salt-and-initialization-vector-i?rq=1 – schroeder Jan 25 '19 at 12:46
  • There are open source wallets for you to explore for inspiration: https://github.com/bitpay/copay and https://github.com/kvhnuke/etherwallet and the like – schroeder Jan 25 '19 at 13:03

0 Answers0