Yadda Kraken Wallet ke magance Kalubale a Tsaron Tsaron Crypto Waya

Mun yi imanin cewa mafi amintaccen walat ɗin crypto na wayar hannu shine wanda ya shawo kan ƙaƙƙarfan ƙaƙƙarfan tsarin aiki na wayar hannu. Misali, akan iOS, Apple's CryptoKit baya goyan bayan secp256k1 elliptic lankwasa, ma'auni na Bitcoin, Ethereum da sauran blockchain da yawa.

Wannan ƙayyadaddun yana hana masu haɓaka amfani da amintaccen ɓangaren na'urori don maɓalli na ajiya da sa hannun ma'amala. Sakamakon haka, walat ɗin crypto ta wayar hannu ana rarraba su azaman walat ɗin zafi tunda dukkansu an haɗa su da intanit kuma suna sanya hannu kan ma'amaloli a waje da wani amintaccen abu ta amfani da aiwatar da software na algorithms cryptographic.

Wannan yana nufin cewa dole ne a fallasa maɓallai masu zaman kansu - aƙalla yayin sa hannu - a cikin ƙwaƙwalwar mahallin aikace-aikacen sandboxed. Wannan yana barin su ƙarin fallasa ga yuwuwar barazanar fiye da walat wanda ke amfani da amintaccen abu don sanya hannu kan ma'amaloli.

Duk da rashin iya yin sa hannun a kan amintattun abubuwa kai tsaye, wanda zai ba da ƙarin kariya, mun himmatu wajen samar da wani Bude-source wayar hannu crypto walat wanda ke ba da fifiko ga tsaro, bayyana gaskiya da sarrafa mai amfani.

Tsarin gine-ginen tsaron mu an gina shi ne don:

Goyi bayan blockchain da yawa
Ƙirƙirar maɓallai masu zaman kansu tare da babban entropy, ma'aunin rashin tabbas wanda ke ƙarfafa tsaro
Yi amfani da bayanan sirrin da aka gwada yaƙi don ɓoye sirrin maɓallan masu amfani, yin amfani da kayan aikin tsaro na wayar hannu da fasalin tsaro na OS.
Bayar da ingantaccen tsaro tare da kalmar sirri ta mai amfani don masu amfani masu ci gaba waɗanda ke son ƙarin matakin ɓoyewa (a saman kariyar keychain OS don maɓallin yankewa)
Ƙirƙirar tushe mai ƙarfi don haɗawa da sabbin nau'ikan sarrafa maɓalli na gaba, kamar walat ɗin kayan aiki da tsarin tushen ƙididdiga na MPC

Amfanin buɗe tushen

A matsayin daya daga cikin muhimman ka'idojin tsaro, Kraken Wallet software ce kyauta kuma buɗaɗɗen tushe, rarraba karkashin lasisin MIT. Gina sabon walat daga ƙasa zuwa sama, yana da mahimmanci a gare mu don taimakawa wajen haɓaka buɗaɗɗen tushen da rarrabawar yanayin muhalli.

Ba tare da lambar buɗe tushen ba, Kraken Wallet zai buƙaci babban adadin amana ba tare da bayyana gaskiya ba. Wannan zai ba abokan ciniki ƙarancin kariya; ba za ku iya tabbatarwa, gyara ko gudanar da abokin ciniki da kanku ba idan kuna so. "Kada ku amince, tabbatar!" ba kawai babban masana'antu ba ne, yana ɗaya daga cikin ka'idodinmu na jagora.

Bude tushen software ɗin mu ya cika mahimman manufofi guda biyu da muka fara saitawa don wannan samfurin: tabbatacce, rage girman amana:

Tabbatarwa: Ikon tabbatar da cewa tsammanin tsaro da aka gabatar a cikin wannan gidan yanar gizon gaskiya ne. Kowa zai iya duba lambar tushe musamman don fahimtar abin da yake da kuma ba a yi a cikin wannan wallet.

Dubawa: Ikon tabbatar da cewa fitar da ayyukan tsaro namu daidai ne da kuma bayar da rahoto idan ba haka ba. Mun haɗu da ƙungiyoyi na ciki da na waje don yin binciken tsaro sau da yawa kafin a saki. Ci gaba, kowa zai iya duba lambar kuma ya samar da rahoto kan binciken da ya samu.

Ƙirƙirar mahimmanci da shigo da maɓalli

React Native, yayin da kayan aiki mai ƙarfi, bashi da ginanniyar ƙirar crypto. Don kewaya kewaye da wannan mun yi amfani da aiwatar da pure-js (crypto-browserify) na NodeJS's crypto module. Hanyar crypto.randomBytes() - wacce ke haifar da ainihin bazuwar bytes da muke buƙata yayin tsara maɓalli - ana sarrafa ta amsa-na asali-samu-bazuwar-daraja cikawa.

React-native-get-random-values yana amfani da lambar asali don amfani da Amintaccen Lamban Lamba na Rubutun Cryptographically (CSPRNG) da ke kan na'urar don samar da lambobi bazuwar. A kusan duk na'urori na zamani, wannan janareta na lambar bazuwar yana samun goyan bayan amintaccen janareta na lambar bazuwar hardware.

A lokacin farawa walat, muna zana entropy daga CSPRNG kuma mu canza shi zuwa nau'in mnemonic ta amfani da ingantattun fakitin npm (Saukewa: BIP32, Saukewa: BIP39).

Ana canza maɓallan, adanawa kuma an gabatar da su ga mai amfani a ƙarƙashin ma'auni na BIP39, wanda ke ba da hanya mai sauƙi-zuwa-ajiyayyen mnemonic tare da aiki tare don yawancin wallets a cikin yanayin halitta. Siffar shigo da kayayyaki tana goyan bayan dawo da tsaba masu jituwa na BIP39, waɗanda ke ba da mafi kyawun haɗin gwiwa a cikin yanayin muhalli.

Gudanarwa mai mahimmanci

Kraken Wallet yana ƙunshe da ƙima biyu na sirri - iri da mnemonic - da ƙima marasa sirri da yawa (amma har yanzu masu zaman kansu) kamar adireshi na walat, sunayen walat da bayanin ma'amaloli.

Ana adana kayan maɓalli masu zaman kansu (iri/mnemonic) a Keychain (akan iOS) da Keystore (akan Android). Maɓalli na jama'a da bayanan da ba su da hankali (fiɗaɗɗen maɓallan jama'a, adireshi da kwatance) ana adana su a cikin rufaffen bayanai na aikace-aikacen (ta amfani da Sarauta).

Akwai matakan tsaro da yawa masu kare bayanan:

Kulle App: Keɓaɓɓen kirtani mai 64-byte ba da gangan da aka adana a cikin Keychain ko Keystore. Ana kiyaye damar shiga sirrin tare da buƙatun kasancewar mai amfani - tantancewar biometric ko lambar wucewa.

Kalmar siri: An samar da mai amfani kuma ba a ajiye shi akan na'ura ba. Madadin haka, dole ne mai amfani ya samar da kalmar wucewa da hannu a duk lokacin da aikace-aikacen ya tambaye shi. Wallet ɗin yana ƙayyade ko ana buƙatar kalmar sirri ta hanyar tuntuɓar tutoci guda biyu (is_storage_encrypted and is_seed_encrypted) da aka adana a Keychain ko Keystore. Ana amfani da Algorithm na Argon2 azaman maɓalli na aikin samowa.

Bayanan shafukan yanar gizo: Ana amfani da rumbun adana bayanai (Realm) don adana bayanan da ba na sirri ba. An rufaffen bayanan tare da maɓallin bazuwar 64-byte.

Tsarin kullewaShigar da kalmar sirri ba daidai ba yana haifar da jinkiri kafin a iya yin ƙoƙari na gaba. Wannan tsarin yana hana kai harin kalmar sirri yadda ya kamata. Bayani game da sigogin kullewa, kamar adadin yunƙurin da tsawon lokacin jinkiri, ana adana su cikin amintaccen Keychain ko Keystore.

Ana adana iri, mnemonic da maɓallin ɓoye bayanan bayanai koyaushe cikin rufaffen tsari

Lokacin da ba a kunna kariya ba: Ana adana iri, mnemonic da maɓallin boye-boye na Realm kai tsaye a cikin Keychain ko Keystore ba tare da ikon samun damar halartan mai amfani ba.
Lokacin da aka kunna kulle app: An fara rufaffen nau'in mnemonic da iri tare da sirrin kulle app sannan a adana su cikin amintaccen Keychain ko Keystore. Hakanan ana adana maɓalli na ɓoyewa kai tsaye a cikin Keychain ko Keystore.
Lokacin da aka kunna kariyar kalmar sirri: An rufaffen mnemonic da iri tare da kalmar sirri, yayin da maɓallin ɓoyewar Realm ana ɓoye shi da kalmar sirri kawai idan an saita_storage_encrypted zuwa gaskiya.
Lokacin da aka kunna kulle app da kariyar kalmar sirri: An rufaffen mnemonic da iri tare da kalmar sirri (na farko) da kulle app (na biyu). Ana rufaffen maɓalli na ɓoyewa na Realm tare da kalmar sirri kawai kuma idan an saita_storage_encrypted zuwa gaskiya.

Mabuɗin amfani

Ana adana iri/mnemonic a cikin Keychain ko Keystore kuma yana taka muhimmiyar rawa a ayyukan sirri. Lokacin da ake buƙatar samar da sabon adireshi na walat ko kuma ana buƙatar sanya hannu kan ciniki, muna samun bayanan da suka dace, kamar maɓalli na sirri, daga wannan iri.

Koyaya, yana da mahimmanci a lura cewa maɓalli na sirri dole ne a loda shi cikin ƙwaƙwalwar ajiya yayin waɗannan ayyukan. Wannan larura ta samo asali ne daga ƙuntatawa da muka ambata a baya game da walat ɗin hannu da kuma rashin samun dama kai tsaye ga amintaccen kashi don sa hannun ciniki.

Sa hannun ciniki (aika alamu)
WalletConnect rattaba hannu kan bayanai (buƙatun zaman kulawa)
Ƙara sabon walat
Kunna sarƙoƙin testnet (ƙara walat ɗin testnet)
Nuna mnemonic
Tabbatar da mnemonic
Kunna da kashe makullin app
Kunna da kashe kalmar wucewa

Ana yin ƙarin tantancewar biometric don ayyuka masu zuwa:

Ana kunna kulle app
Shafa duk bayanai
Goge wallet (account)
Kunna ko kashe kalmar sirri (ban da dawo da kulle app)
Bude aikace-aikacen
Matsar da aikace-aikacen zuwa gaba
Duban maɓallan jama'a da aka fadada
Haɗa zuwa aikace-aikacen da aka raba (dApp)

Bugu da ƙari, ana iya buƙatar kalmar sirri don buɗe aikace-aikacen. Keychain da Keystore ana amfani da su koyaushe ta hanyar amsa-na asali-keychain nannade:

Kundin yana haifar da sabon maɓalli a Keychain ko Maɓalli na kowane abu
Kundin yana da alhakin ƙaddamar da ingantattun tutocin maɓalli na Keychain da Keystore
Wallet koyaushe yana buƙatar nannade don saita tutoci ta yadda dole ne a buɗe na'urar don samun damar maɓalli.
An saita rajistan kasancewar mai amfani (biometric) don zama tushen lokaci, kuma cak ɗin yana aiki na 5 seconds; ba a yin rajistan kasancewar mai amfani ta kowane hanya

Algorithm na boye-boye iri ɗaya ne ga duk abubuwa:

An samo maɓalli tare da Argon2id daga sirrin-NFC-na al'ada
Gishiri na Argon2id shine ID na musamman na na'urar
Yanayin ɓoyewa shine AES-GCM
Siffar farawa (IV) don AES shine bazuwar bytes 16
Ana buƙatar alamar auth na AES ya zama tsayin bytes 16

Sa hannun ciniki

Bugu da ƙari ga matakan da aka ambata a baya game da maɓalli na ma'auni, nazarin halittu da kariyar kalmar sirri, sanya hannu kan ma'amala ya kasance yanki mai mahimmanci don ci gaba da haɓakawa. A matsayin mataki na farko, mun aiwatar da matakai masu mahimmanci a wannan yanki, gami da:

Ma'amalar ciniki

Muna amfani da sabis na API na waje (kamar Blowfish da sauransu) don bincika yiwuwar matakan "nauyin" wanda ma'amala zai iya kawowa ga mai amfani (makin haɗari). Wannan yana fitowa daga cikakken allon toshe don yuwuwar mu'amala (ko sa hannun saƙo) zuwa gargaɗin matakan taka tsantsan da mai amfani ya kamata ya yi kafin sanya hannu ko tabbatar da ciniki.

Sauran matakan sun hada da:

Tabbatar da adireshi don tabbatar da cewa baka aika zuwa adireshin da ba daidai ba
Adireshin da koyaushe ake bayyane gaba ɗaya don tabbatar da cewa mai amfani ba shi da niyya ga takamaiman harin da ke kewaye da abun da ke ciki
Tabbatar da hanyar sadarwa da faɗakarwa don tabbatar da mai amfani bai aika zuwa hanyar sadarwa mara kyau ba
Ana duba lafiyar lafiyar kuɗi don tabbatar da cewa mai amfani bai cika biyan kuɗi na ma'amala ba

Sirrin hanyar sadarwa

Don kare sirrin masu amfani da bayanan sirri ta hanyar da wannan bayanan ba a yabo akan buƙatun hanyar sadarwa - musamman ga sabis na ɓangare na uku - mun ƙirƙiri hanyar API zuwa buƙatun wakili. Wannan wakili yana ba mu damar ƙaddamar da buƙatun mai amfani zuwa sabis na ɓangare na uku kuma baya bayyana IP na abokin ciniki ga masu samar da waje ko na jama'a.

Wannan sabis ɗin baya shine ainihin API don neman bayanan toshewar jama'a. A cikin gine-ginen tsaro na walat, manufarsa ita ce ta tattara wannan aikin a bayan API gama gari a duk faɗin blockchain don kada Kraken Wallet ya aiwatar da takamaiman halaye na toshe don neman bayanai.

Wannan sabis ɗin baya yana bayyana wannan API gama gari. A ƙarshe yana ƙaddamar da buƙatun zuwa wasu ɓangarori waɗanda daga ciki suke samo ainihin bayanai. Ba ya nuna blockchain kanta kuma baya kula da yanayin.

Zato na tsaro

Tsarin gine-ginen tsaro namu yana aiki akan ƴan mahimmin zato don ingantacciyar kariya. Muna tsammanin:

Na'urar mai amfani ba ta da tushe, kuma OS ɗin ba ta daɗe ba kuma tana da rauni ga mummunan rauni wanda zai iya baiwa maharin damar yin amfani da ƙwaƙwalwar na'urar.
Kunshin Keychain ko Keystore yana ba da kariya mai ƙarfi
OS ta hannu tana ba da ingantaccen sandboxing tsakanin hanyoyin aikace-aikacen, tabbatar da cewa ƙwaƙwalwar ajiyar da ke ɗauke da mahimman bayanai kamar tsaba ana sarrafa su yadda ya kamata.

Functionalityarin ayyuka

Ka'idar tana aiki akan ƙa'idar kawai adana mafi ƙarancin bayanan da yake buƙata don gudanar da walat
Babu wani nazari na ɓangare na uku ko na'urorin haɓaka software (SDKs) da ake amfani da su akan abokin ciniki
- Tare da ƙoƙarce-ƙoƙarcen da muke yi na kar a ba da kowane bayani ga wasu na uku, ba zai yi ma'ana ba a haɗa ƙarin bin diddigin bayanai - wanda ke nufin ba za ku sami wani nazari ko software na rahoton faɗuwa a cikin abokin ciniki ba.
Ba a yarda ko aiwatar da sabuntawar kan-iska ba (a waje da na yau da kullun na AppStore/Play Store) da aka yarda ko aiwatar da su akan codebase.
- Mai amfani zai iya tsammanin haɗaɗɗen software wanda ba za a iya sabuntawa ba tare da izinin shiga su ba
Lissafin alamomi da tsarin suna
- Domin taimaka wa masu amfani don sarrafa alamun su, mun aiwatar da jeri da tsarin suna dangane da kadarorin da Kraken da wasu kamfanoni suka bayar.
NFTs spam
- Ƙoƙari na farko da muke shirin ci gaba da haɓakawa shine gano spam da kuma gano harin da ke da alaƙa, inda ake ajiye spam ta atomatik a cikin babban fayil ɗin mai amfani.

Binciken tsaro na waje

An kimanta tsaro na walat ɗinmu mai ƙarfi ta hanyar binciken da Trail of Bits, wani kamfani mai binciken tsaro a masana'antar ya gudanar. Wannan bita ya ƙunshi cikakken bincike na tushen lambar mu da gine-ginen abokin ciniki, da nufin ganowa da magance yuwuwar raunin tsaro.

Don tabbatar da gaskiya da kuma ba da haske game da tsaro na dandalinmu, sakamakon wannan binciken yana samuwa ga jama'a. Wannan buɗaɗɗen damar damar masu amfani da masu sha'awar yin bitar binciken binciken tsaro da Trail of Bits ke gudanarwa. Rahoton yana aiki a matsayin muhimmin tushe don fahimtar matakan tsaro da muke da su da kuma jajircewarmu na kiyaye muhalli mai aminci ga masu amfani da mu.

Gabatar da tsaro, nuna gaskiya da sarrafa mai amfani

Kraken Wallet yana haifar da ma'auni mai ƙayyadaddun ƙayyadaddun ƙayyadaddun ƙayyadaddun sauƙi da ƙaƙƙarfan karewa ta fuskar ƙaƙƙarfan dandamali. Hanyarmu koyaushe ita ce farawa tare da tsarin walat ɗin da za a iya haɗa shi wanda aka san shi sosai. Wannan ƙaƙƙarfan tushe yana saita mataki a gare mu don ƙirƙira da ƙara sabbin ƙwarewa, tare da manufar baiwa masu amfani da mu damar samun ci gaba, mafi girman matakin tsaro don ɗaukar kanku kadarorin su na crypto.

Waɗannan kayan don dalilai ne na gabaɗaya kawai kuma ba shawarwarin saka hannun jari ba ne ko shawarwari ko neman siye, siyarwa, hannun jari ko riƙe kowane kadara ta crypto ko shiga kowane takamaiman dabarun ciniki. Kraken baya aiki kuma ba zai yi aiki don haɓaka ko rage farashin kowane irin cryptoasset ɗin da yake samarwa ba. Wasu samfuran crypto da kasuwanni ba su da ka'ida, kuma ƙila ba za a kiyaye ku ta hanyar diyya na gwamnati da/ko tsare-tsaren kariyar tsari ba. Halin rashin tabbas na kasuwannin cryptoasset na iya haifar da asarar kuɗi. Ana iya biyan haraji akan kowane dawowa da/ko akan kowane haɓakar ƙimar cryptoasset ɗin ku kuma yakamata ku nemi shawara mai zaman kanta akan matsayin ku na haraji. Ana iya amfani da ƙuntatawa na yanki.

Ƙunshin Ƙarfafa SEO & Rarraba PR. Samun Girma a Yau.
PlatoData.Network Tsaye Generative Ai. Karfafa Kanka. Shiga Nan.
PlatoAiStream. Web3 Mai hankali. Ilmi Ya Faru. Shiga Nan.
PlatoESG. Carbon, CleanTech, Kuzari, Muhalli, Solar, Gudanar da Sharar gida. Shiga Nan.
PlatoHealth. Biotech da Clinical Trials Intelligence. Shiga Nan.
Source: https://blog.kraken.com/product/kraken-wallet/kraken-wallet-security

Generative Data Intelligence

Yadda Kraken Wallet ke magance kalubale a cikin tsaro na crypto ta wayar hannu

Tsarin gine-ginen tsaron mu an gina shi ne don:

Amfanin buɗe tushen

Ƙirƙirar mahimmanci da shigo da maɓalli

Gudanarwa mai mahimmanci

Akwai matakan tsaro da yawa masu kare bayanan:

Ana adana iri, mnemonic da maɓallin ɓoye bayanan bayanai koyaushe cikin rufaffen tsari

Mabuɗin amfani

Sa hannun ciniki

Ma'amalar ciniki

Sirrin hanyar sadarwa

Zato na tsaro

Functionalityarin ayyuka

Binciken tsaro na waje

Gabatar da tsaro, nuna gaskiya da sarrafa mai amfani

Taskokin Kwamfuta - Cibiyar Singularity

Takaitattun Labarai na Quantum: Mayu 11, 2024: Labarai Daga DOE, Infleqtion, Mesa Photonics, Atlantic Quantum, HighRI Optics, da Binciken Amethyst • BBVA • NICT, RIKEN,...

Sabbin Hankali

Gaby Diamant, Wanda ya kafa & Shugaba na Bridgewise

Gaby Diamant, Wanda ya kafa & Shugaba na Bridgewise

Halayen Kyakkyawan Ring Diamond Girma

Sin da Indiya al'adu ne da ake girmama lokaci, makwabcin junansu ne mai muhimmanci: manzon kasar Sin Xu Feihong

Cibiyar Fasahar Watsa Labarai ta Duniya-Hyderabad ta Haɓaka Mahimmanci A Yankin Semiconductor

OpenAI ya rage jita-jita na injin binciken gidan yanar gizo, GPT-5