Security Modules

passCrypt.js: Compounded Salting

All secrets keys are encrypted using scryptsy.

Scryptsy uses a Salt; passCrypt uses a Deterministic Salt.

The Salt is deterministic and generated using the following user inputs:

  • User ID
  • User Password
  • Extra Secret Credential(s) provided by User (optional)

Every time the salt is generated using a compounded encryption flow at each step, generating a hash and added to the next step's hash generating a new hash and going on to the next encryption until the final salt is generated.

This way with the same inputs and using the encryption method above, the same Salt can be generated.

Application

Used to store the following as a hex string on the server:

  • Passwords
  • Storing Address Pvt Key
  • HD Seed
  • Meta/Smart Contract Secret

Given slave inputs and master input:

  1. Run Scrypt algorithm recursively with the newly generated salt as new input
  2. Finally run one last time with Master password.

Compounded Salting module

wifCrypto.js: Wallet Import Format Conversion

Wallet Import Format Key Encryption

PvtWIFEncode

The AltCoin version bytes and account's pvt key are arguments. The pvt key is converted from hex to a buffer and encoded using coinstring librarys encode function along-with version byte 0x80 for bitcoin to give Base58 check enoded string.

privateKeyHex: A Buffer, Array, or Uint8Array of bytes, either the hash160 or private key.
version: Optional. Can be prepended to payload. Is an integer representing the version or a Buffer if version is greater than one byte. The case where it's typically greater than one byte is for working with BIP32.

Wallet Import Format Key Decryption

pvtKeyWIFDecode

It is the inverse. Cnverts the wallet import format into a Buffer of bytes. It throws if the address or wallet import format is not valid. Not valid means that the version doesn't match, or the checksum is incorrect.

pvtKeyBase58: A string that is either the wallet import format or public address.
version: Is an integer representing the version or Buffer.

For more, checkout the coinstring doc

kdfCrypt.js: Encryption using Key derivation function to Encrypt a secret

Encrypt

encrypt

     Input params:
      password: A User supplied password
      secret: The User Credential that needs to be encrypted and stored on server
      encryptCB: A Callback function that works on the result
           Should be encryptCB(cipherText, key, iv)
            Usually, this is either the decrypt function OR storage function;
     Returns:
      cipherText, key, iv, err

Uses pbkdf2-sha256 package with some additional constant parameters alongwith the aforementioned arguments. Uses AES-256-CTR algorithm for creating the cipher using the built-in node crypto.createCipheriv()

Decrypt

decrypt

The inverse of decrypt. After creating a key using pbkdf, until which the steps are same as in encrypt() function, crypto.createDecipheriv is used to create an inverse cipher and alongwith the CipherText passed yields the stored secret.

pvtKeyCrypt.js: Private Key Encryption and Decryption method for Server storage

Dependency: kdfCrypt

Private Key Encryption

Private Key Encryption

The key encryption uses several user dependent inputs to create a known repeatable Buffer and IV salt in a buffer format with byte size 16.

The salted buffer and IV key are then hashed with the master password to create a hex string which is then padded on the least significant bit side with 32 characters long. It is then transformed to Buffer format and sliced by a fixed byteLen of size 16.

The Private Key is converted to Base58Check encoding WIF (Wallet Import Format) string.

It then uses the kdfCrypt's encrypt() function to create a Cipher text and the dependent IV string.

The hashCipherText() function then uses this IV to create a hash of the Cipher. This Cipher, the accompanying Public Address to which the Pvt Key corresponds to and the WIF Private Key is then encrypted using BP 0038 protocol to generate a string that can be stored over the servers database.

Private Key Decryption

Private Key Decryption

Most part of this method is same as in the previous section. When the hashed Cipher is retrieved using the hashCipherText() which is in the Callback function of encrypt() method, the BIP 0038 decryption takes in the stored string on the database alongwith this hashed Cipher which yields the Private Key in WIF format. This can be converted back to the original Private Hex Key which is 64 character long.

Encrypt Wallet Seed

TODO: W.I.P.