Topic: How will Keyhotee guard the usage of private key for ID?

Offline HackFisher

How will Keyhotee guard the usage of private key for ID?
« on: December 06, 2013, 05:34:37 AM »

As I understand it, there is a private key related to the Keyhotee ID. Do I need to retrieve the private key each time I do an operation with Keyhotee?
Encrypting the private key means I need to provide the password for each operation/session, which reduces the ease of use; but if it is not encrypted, the risk could be very high if we must access the private key very often. Does Keyhotee have any good solution to this?

Besides, needing to access the private key often means it is impossible to store the private key offline (cold storage), which is different from the case of Bitcoin: Bitcoin needs the private key only when you decide to start a transaction, which is not very often.

And Bitcoin can easily transfer coins from one wallet to another, but with Keyhotee it seems not easy to transfer the reputation and honor of one ID to another.

What should I do if my private key is potentially at risk of leaking?

Here is a link from the Chinese forum asking the same question, for reference:
Keyhotee is about to be released, and I have a question:
can the private key of a Keyhotee ID be kept in cold storage without affecting each login authentication?

I am always worried about the security threats faced by a private key stored on a networked computer.
Once the private key leaks, there is no choice other than deleting the ID. And on an online computer, intrusion by a trojan is very hard to rule out completely.
I don't know whether the soon-to-be-released Keyhotee system has considered this problem and provided a countermeasure.
« Last Edit: December 06, 2013, 05:41:34 AM by HackFisher »
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline bytemaster

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #1 on: December 06, 2013, 05:46:32 AM »
Keyhotee asks you for your password when you start the program and will keep your private key in memory only.  On disk it is always encrypted.

In order to process incoming messages your private key needs to be 'live' at all times.  There is no way around that. 

With the wallet system you only need your private key for sending money.

Bottom line, you are relying on the physical security of your computer and OS while Keyhotee is open.    Any bright ideas on how to improve that?
For the latest updates checkout my blog: http://bytemaster.bitshares.org

Offline HackFisher

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #2 on: December 06, 2013, 06:03:38 AM »
Is the password a fixed password stored on disk using MD5, like on Linux, or is there some encryption interface that could be customized by users?

I think it may be possible to add 2-factor auth if there is such an encryption interface, e.g. using SMS or Google Authenticator. I still have no idea whether it is meaningless to do this.

For the bottom line and OS level, I know there is a lot of software with root/administrator authority over the OS that can hook API calls and capture data, including some anti-virus software. I don't know whether we could do something to avoid this?

« Last Edit: December 06, 2013, 06:05:32 AM by HackFisher »

Offline bytemaster

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #3 on: December 06, 2013, 06:24:48 AM »

Authentication and encryption are two different things.  Authentication such as Google Authenticator can answer a 'yes' | 'no' question but does not protect a private key.  So we could add Google Authenticator at launch, but an attacker who got a copy of the wallet on your disk would still be searching for the password/key that is protecting it.


Offline HackFisher

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #4 on: December 06, 2013, 06:30:11 AM »

OK, I got it, thanks.

Offline microsoft

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #5 on: December 06, 2013, 03:47:20 PM »
wow

Offline bytemaster

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #6 on: December 06, 2013, 04:39:22 PM »

Offline lib

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #7 on: December 06, 2013, 04:58:57 PM »
wow

Explain the nature of your 'wow'?

It seems some company names like Google/Apple/eBay were registered here just now. Are they robots?
Sorry to go off-thread :D
Forum Donation: PforumPLfVQXTi4QpQqKwoChXHkoHcxGuA
Personal Address: PakhuBkqTu4oTHJ4ZffvzVwCGCMfuqazgm

Offline logxing

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #8 on: December 07, 2013, 04:55:38 AM »

I really want to store the private key offline.
How about this way?

We use 2 private keys, mainkey and subkey, with different powers (or we can say: usages).
They work like this.

1. I generate a mainkey on an offline PC, then I use it to register my Keyhotee ID.
mainkey<->Keyhotee ID

2. I generate a subkey and sign this information (subkey's public key + "active subkey") with my mainkey on the offline PC,
then I broadcast this info to the p2pnet. I use the subkey to log in, decrypt, sign, etc.
mainkey->active subkey
subkey->login
subkey->send mail
subkey->read mail
subkey->delete my mail from p2pnet

3. If my subkey is lost or leaked, I can sign the information (subkey's public key + "destroy subkey") with my mainkey
and broadcast it to the p2pnet. The attacker may already have seen my mail history, but he cannot do anything more
once I have destroyed my old subkey and activated a new subkey.
The most important thing is, I don't have to destroy my Keyhotee ID, specifically my founder ID. And the attacker cannot
destroy my Keyhotee ID with only the subkey either.

mainkey->destroy subkey
mainkey->destroy ID

4. My Keyhotee ID is totally safe now.
We can make more functions with mainkey and subkey.

:-)
« Last Edit: December 07, 2013, 08:28:50 AM by logxing »
BTS Account:logxing
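
The mainkey/subkey flow from steps 1-3 of the post above, as an added example (not part of the thread and not Keyhotee code). Ed25519 stands in for whatever key type Keyhotee uses; the record layout, the `Directory` type, `Scenario`, and the rule that a destroyed subkey stays destroyed are assumptions made for illustration, while the two action labels are the strings from the post.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

const Activate, Destroy = "active subkey", "destroy subkey"

// Record is a statement about one subkey, broadcast to the p2p network.
type Record struct {
	Action string
	Subkey ed25519.PublicKey
	Sig    []byte // mainkey signature over payload(Action, Subkey)
}

func payload(action string, sub ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("%s|%x", action, []byte(sub)))
}

// SignRecord is the only step that needs the mainkey, so it runs offline.
func SignRecord(signer ed25519.PrivateKey, action string, sub ed25519.PublicKey) Record {
	return Record{Action: action, Subkey: sub, Sig: ed25519.Sign(signer, payload(action, sub))}
}

// Directory is what a peer keeps per ID: the mainkey's public half and subkey status.
type Directory struct {
	MainPub ed25519.PublicKey
	status  map[string]string
}

// Apply accepts only mainkey-signed records; a destroy is final (assumption).
func (d *Directory) Apply(r Record) bool {
	if (r.Action != Activate && r.Action != Destroy) || len(r.Subkey) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.MainPub, payload(r.Action, r.Subkey), r.Sig) ||
		d.status[string(r.Subkey)] == Destroy {
		return false
	}
	d.status[string(r.Subkey)] = r.Action
	return true
}

// Accepts reports whether a subkey-signed message is valid for this ID now.
func (d *Directory) Accepts(sub ed25519.PublicKey, msg, sig []byte) bool {
	return d.status[string(sub)] == Activate && ed25519.Verify(sub, msg, sig)
}

// Scenario walks steps 1-3 of the post and returns each check's outcome.
func Scenario() []bool {
	mainPub, mainPriv, err := ed25519.GenerateKey(nil) // step 1: on the offline PC
	subPub, subPriv, err2 := ed25519.GenerateKey(nil)  // step 2: the key that stays online
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	d := &Directory{MainPub: mainPub, status: map[string]string{}}
	activation := SignRecord(mainPriv, Activate, subPub)
	msg := []byte("constructed sample mail")
	sig := ed25519.Sign(subPriv, msg)
	return []bool{
		d.Accepts(subPub, msg, sig),                    // false: not activated yet
		d.Apply(activation),                            // true: mainkey activates
		d.Accepts(subPub, msg, sig),                    // true: subkey now usable
		d.Apply(SignRecord(subPriv, Destroy, subPub)),  // false: subkey cannot revoke
		d.Apply(SignRecord(mainPriv, Destroy, subPub)), // true: step 3, mainkey revokes
		d.Accepts(subPub, msg, sig),                    // false: leaked subkey rejected
		d.Apply(activation),                            // false: replayed activation
	}
}

func main() { fmt.Println(Scenario()) }
```

Only `SignRecord` touches the mainkey's private half, which is what lets it stay in cold storage while the subkey handles login and mail.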

Offline coolspeed

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #9 on: December 07, 2013, 04:11:04 PM »

good idea
Please vote for  delegate.coolspeed    dac.coolspeed
BTS account: coolspeed
Sina Weibo:@coolspeed

Offline bytemaster

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #10 on: December 07, 2013, 04:49:08 PM »

I like this idea... implementing it will double the bandwidth and storage costs of the network, but it would dramatically increase security and provide much better protection for your identity.   In fact, so much better that I might be tempted to slip the release date to include it.    Thanks, send me a PTS address for a tip. 

Offline guang384

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #11 on: December 07, 2013, 05:21:11 PM »

nice!
PTS-PjnA9FckbPWYddRnhpa23vUKMemnVtdwib
BTC-15Dak6X4T1h7EiswEkJvy5Zyx4hbZuFa22

Offline HackFisher

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #12 on: December 08, 2013, 02:34:08 AM »

Good idea! 

I think this idea may also apply to proof of stake: we may use a subkey for the purpose of verifying the owner of stake. This subkey is for this purpose only and cannot do transactions, so we can keep the mainkey offline and safe.
« Last Edit: December 08, 2013, 02:51:59 AM by HackFisher »

Offline coolspeed

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #13 on: December 08, 2013, 05:37:22 AM »

I'm not quite sure if this is technically possible. Sounds like a nice idea, too!

Offline HackFisher

Re: How will Keyhotee guard the usage of private key for ID?
« Reply #14 on: December 09, 2013, 02:40:21 PM »

Furthermore, I think we could extend this idea of mainkey-subkey to a more common model/service, used to integrate different DAC services. It can separate the risk of a lost private key and increase the dynamic flexibility of Keyhotee, because key relationships are stored/broadcast through the blockchain.

For Keyhotee, I don't know how it will finally be implemented technically. But I think it would be very interesting if it is not just simply using a subkey for some purpose (e.g. sending emails). How about using a tag for a subkey, where the tag represents some DAC service (e.g. integrating a Bitcoin wallet to send BTC)? We may not want to share one key for both email and the BTC wallet.

We can even import the wallet key of Bitcoin as a subkey of Keyhotee, just binding it to some tag and the main key. In that way, we can implement great features like sending someone BTC directly by just knowing his Keyhotee ID (if he has a Bitcoin tag bound), and SSO, keeping his BTC wallet dat private. This is implemented by querying his Bitcoin address via the subkey bound to the "Bitcoin" tag of the Keyhotee ID, balabala...... I can imagine more cases like this. I saw a snapshot of the Keyhotee wallet, and there already seems to be a similar feature; I have no idea whether it is implemented this way. Maybe it's time to view the source code.

I'd like to know more details about this. I have more interest in Keyhotee now, for its potential to guard privacy and its ability to integrate DACs as ID management.
« Last Edit: December 09, 2013, 02:48:13 PM by HackFisher »

 
