Overview & status
|Author||JP Lomas (@jplomas)|
A Proposed v3 Wallet Format & Use of scrypt/AES-256-GCM
This QIP proposes a ‘version 3’ wallet file format with enhancements to the encryption to reduce the risk of funds loss when an encrypted wallet file is publicly exposed.
Encrypted wallet files exfiltrated from a target system are at risk of (a) brute force/dictionary attacks and (b) theoretical man-in-the-middle / tampering attacks.
The risk can be reduced by using scrypt in conjunction with the existing aes256 encryption, and by swapped the aes256 mode from CTR to GCM.
Additionally, there has been no formal specification of the QRL wallet format.
1. Wallet format
Extraneous public data which can be derived from other elements, for example tree height/PK, is excluded.
Plain ASCII text file containing valid JSON detailing the version number, whether the elements are encrypted and with an array of 1 or more wallets in the format:
Retention of unencrypted wallet file support is retained for use where the environment is secured by another means (e.g. encrypted volume) but is not recommended for standard use cases.
Within the addresses array, the elements are encrypted using scrypt and aes-256-gcm as per the reference implementation and presented as a string with elements separated by a colon, formatted as:
The plain text address:
When encrypted with AES-256-GCM with scrypt, the password
My Secret Password and formatted as per above results in the following:
Existing wallet implementations should retain backwards compatibility for legacy wallet formats. It is preferable to offer the user the option to upgrade to a version 3 wallet file.
A worked example (with code peer review by @leongb - thank you Leon) is at https://runkit.com/jplomas/aes-256-gcm-with-scrypt/6.0.0
Additionally some work has been commenced in implementing this in @theqrl/wallet-helpers NPM module
A Python reference implementation is underway.
Implementation recommended by x41-D-sec; rationale, cryptography and reference code peer reviewed by @leongb. Both the existing and this use of AES256 is considered post-quantum secure.
Clearly the most secure means of protecting funds are that wallet files remain solely in the possession of their owners. This implementation reduces to some degree the risk of loss should this principle be compromised.