Web-based Key Management (web wallet)

Ease of use is a primary requirement for the FIO web app. The goal is to reduce friction that comes with downloading applications or linking to external wallets, key management plugins, or other external tools. At the same time, there is a tradeoff between ease-of-use and security when it comes to key management.

Creating a web-based application that incorporates the entire key management and transaction signing workflow is considered a fundamental feature to accommodate the ease-of-use requirements.

This document summarizes the transaction signing and key management requirements associated with the development of a web-based application, identifies the risks and uncertainty regarding key management in a web app, summarizes different approaches development, and attempts to estimate the scope of the various approaches.

Web-based key management

The FIO web app requirements include:

Using a password as the primary method for accessing the application:
- The user will create a password and that password would be used to encrypt seed phrases or other keys which will then be centrally stored on the dApp servers.
- This approach is used by:
  - Blockchain.com (one of the most popular wallets)
  - EDGE (mobile wallet)
The ability to generate and store seed phrases and FIO Private Keys:
- FIO Private Key(s) will be generated by the app
- FIO Private Key(s) and/or seed phrases will be encrypted using password hash and stored on dApp servers.
- Split key password recovery will be available, but set-up will be optional.

(Non-web app key management will also be available. For example, it will also be possible to connect to 3rd party wallets (e.g., Anchor and Scatter) to sign transactions. This document only focuses on evaluating the viability of the web app approach to key management.)

Web wallet security considerations

https://crypto.stackexchange.com/questions/35530/where-and-how-to-store-private-keys-in-web-applications-for-private-messaging-wi

Development strategies

Strategy	Pros	Cons

Strategy	Pros	Cons
Use of existing dev team	Leverage internal security expertise Build expertise that will be helpful for troubleshooting and ongoing maintenance	Need Key management expertise
Augment existing dev team with wallet expertise	Leverage internal security expertise Build expertise that will be helpful for troubleshooting and ongoing maintenance Increased tech transfer	Creates a dependence on a resource that may not be available in the future Need to find and vet an available resource
Outsource development	Leverage broader experience Easier planned upgrades and maintenance Unknown tech transfer	External dependency for upgrades and maintenance (can slow down response to issues)

Third-party applications and development services organizations

Refer to the dApp research page for background on research performed regarding account creation/login and signing: https://fioprotocol.atlassian.net/wiki/spaces/DAO/pages/64291585

Technology / Organization	Info

Technology / Organization	Info
Edge Security API	Notes from 2/4/21 Conversation with Paul You can use the same username namespace as Edge and reuse your password. Or you can create your own namespace. Each wallet is an encrypted bucket that has a unique "encrypted wallet key" (this is different from the private key) Keys are stored in clientdb storage. Pin requires a server. Products: Free model that implement a similar level of exchange and Edge gets a cut Per active user per month. 100 free (have they logged in once in the month); $1 / account; In volume: $0.10 - $0.15 cents per user.
WebCrypto API	One direction is to use the Web Cryptography API for client-side cryptography in the web browser. Then, you can create a keypair using the webcrypto api, and store the CryptoKey object, containing the user's private key, with the .extractable property set to false, using Indexed DB storage. This way the private key can only be used for decrypting and/or signing messages within the browser - but can not be read (even by client-side scripting in the browser). https://www.w3.org/TR/WebCryptoAPI/ https://pomcor.com/2017/06/02/keys-in-browser/ https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API https://www.w3.org/TR/IndexedDB/ https://www.boxcryptor.com/en/blog/post/building-an-app-with-webcrypto-in-2016/ https://gist.github.com/saulshanabrook/b74984677bccd08b028b30d9968623f5 https://blog.engelke.com/2014/09/19/saving-cryptographic-keys-in-the-browser/
fido alliance	https://fidoalliance.org
Oodles Blockchain (services)	https://blockchain.oodles.io/cryptocurrency-wallet-development/
Torus Labs	Binance labs funded. David has met with them. What Distributed Key Management Is: https://medium.com/toruslabs/what-distributed-key-generation-is-866adc79620 Key Assignments Resolution and Retrieval: https://medium.com/toruslabs/key-assignments-resolution-and-retrieval-afb984500612 tKey: Multi-factor Authentication for Private Keys: https://medium.com/toruslabs/tkey-multi-factor-authentication-for-private-keys-fb20cc100528