Wednesday, March 5, 2014

Lessons for Crypto-Currencies

There is an increasing frequency in the number of break-ins and stealing of crypto-currency wallets from individuals, online crypto-currency exchanges and cryot-currency "banks". Some "dooms-day" advocates whose agenda is to erase crypto-currency from the face of the world or to exploit such situations would hype up these break-ins.

It is not the end for crypto-currencies as the concepts and ideologies that led to the birth and blooming of crypto-currencies are rooted in the dismay and hopes of people who want to see some sort of currency that would allow them to gain more control and trust in the currencies they use.

In this post, I would give some suggestions on how to increase the security of existing and future crypto-currencies.

  1. Secure that wallet !!
  2. The weakest security in most protocols are the end-points as most protocols simply add end-point security as some sort of an after thought. Protocols should be designed secure for both data in transit and data at rest.The usual rant for end-point security...
    • Use strong and well recognized cryptographic algorithms to encrypt wallet data.
    • Use a well audited and well-known cryptographic provider API/software when coding those end-point security codes.
    • Do not use passwords as raw input for cryptographic engines or store passwords in raw form.
    • Design a time-out that would occur when users present too many wrong passwords during login.
    • Try to clear away unused sensitive materials (wallet credentials and keys) from the computer memory as soon as possible.

  3. Disposable secondary keys.
  4. Carrying a secondary "credit card" which can be disposed readily is a nice to have feature for crypto-cuurrency. Carrying one's crypto-currency all over the place would mean your wallet is prone to someone grabbing it or you losing it by accident due to carelessness. Allowing a "bank" or some form of centralized authority to govern your crypto-wallet is a bad idea as it makes you "un-anonymous" as your identity would become tied to some known crypto-wallet. Crypto-currencies were designed to be decentralized, so please keep it that way and not allow some form of central management to escrow your crypto-currency assets.

    Borrowing the idea of having your main crypto-currency private key (root key) as your root "Certificate Authority", you can independently generate as many independent transaction keys (you do not need to use the main private key as a seed to generate sub-keys of any sorts) and then use your root key to cryptographically sign (sign) your transaction keys and you carry these transaction keys with you to do crypto-currency transactions whenever you want. Any transactions using your transaction keys is as good as using your root key until your root key signs a "revocation announcement" that would disable the transaction keys (in cases where your transaction keys get stolen or you just want to disable them) you specify from performing anymore transactions. The crypto-currency protocol implementing such a method would have to support some form of invalidation and revocation of keys and auditing of keys and transactions (protecting transactions that uses invalid or disabled keys from executing while still retaining anonymity and decentralized structures).

Overall, crypto-currencies are a valid innovation and would still draw huge attention and experience large fluctuations of their values. It is about time the creators and maintainers of existing and future crypto-currency sit down and reconsider what I said above.

No comments: