
Topic: How to securely generate private key with javascript? (Read 272 times)

legendary
Activity: 3472
Merit: 4801
What is the most secure way to generate a private key for a user?

Use a well reviewed, well tested, cryptographically secure pseudorandom number generator.

Is this secure?

No.

Unless you have extensive training, experience, skill, and expertise, do NOT try and create your own "secure algorithm".
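Added example (not part of the thread or any poster's code): drawing a 256-bit private key from the platform CSPRNG via Web Crypto `crypto.getRandomValues`, with a range check against the secp256k1 group order. The helper names are hypothetical, and the entropy bound for the homemade scheme assumes one-second timestamp resolution.

```javascript
// Added example: 256-bit private key from the platform CSPRNG (Web Crypto).
// In browsers `crypto` is a global; the require() fallback is for older Node.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Order n of the secp256k1 group; a valid private key d satisfies 1 <= d < n.
const SECP256K1_N =
  0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

function bytesToBigInt(bytes) {
  let value = 0n;
  for (const b of bytes) value = (value << 8n) | BigInt(b);
  return value;
}

function isValidPrivateKey(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 32) return false;
  const d = bytesToBigInt(bytes);
  return d >= 1n && d < SECP256K1_N;
}

// Rejection sampling: draw 32 random bytes and retry on the (astronomically
// rare) out-of-range value instead of reducing mod n, which would add bias.
// `fill` is injectable only so the retry path can be exercised in a test.
function generatePrivateKey(fill = (buf) => webCrypto.getRandomValues(buf)) {
  for (;;) {
    const candidate = new Uint8Array(32);
    fill(candidate);
    if (isValidPrivateKey(candidate)) return candidate;
  }
}

// Upper bound (in bits) on what "hash with date/time, then a random number
// 1-100,000" adds once the password is guessed. Assumption: timestamps have
// one-second resolution and fall inside a window of `windowSeconds`.
function homemadeSchemeExtraBits(windowSeconds) {
  return Math.log2(windowSeconds * 100000);
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
```

Even with a full year of possible timestamps, the homemade scheme adds under 42 bits on top of the password, against 256 bits from the CSPRNG.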
legendary
Activity: 3038
Merit: 2162

Ah yes, sorry. I seem to have gotten some mixed answers. I am creating a bitcoin wallet service, so the most secure approach is for the user to generate the key on the browser side, but I am unsure what method to use to generate the keypair so that it cannot be easily guessed/bruteforced - similar to how myetherwallet.com generates keys

Ethereum and Bitcoin are slightly different in their standard private key handling - for Ethereum it's usually a keystore file, while for Bitcoin it's a seed phrase, so your site should resemble sites like this one: https://iancoleman.io/bip39/

Check its GitHub page to read its code: https://github.com/iancoleman/bip39

Note that in the site I've posted the passphrase is optional - this is because user input is a very unreliable source of randomness, so you should never ask users to type random characters or long words and then simply hash them many times.
member
Activity: 183
Merit: 25
What is the most secure way to generate a private key for a user?

Is this secure?

Hashing a password that the user inputs (longer than 10 characters with numbers, capital letters), then hashing with the current date and time, then hashing with a random number generated between 1-100,000?

Does anyone know how private key generation is handled in other clients?

This sounds like you are trying to invent a Key Derivation Function (KDF), and in cryptography inventing your own algorithms is generally a bad idea. Also, it's unclear what exactly you are asking - do you want your users to generate a Bitcoin key-address pair on the browser side, or do you want to generate keys on the server side, or maybe you are doing it only for yourself?

Ah yes, sorry. I seem to have gotten some mixed answers. I am creating a bitcoin wallet service, so the most secure approach is for the user to generate the key on the browser side, but I am unsure what method to use to generate the keypair so that it cannot be easily guessed/bruteforced - similar to how myetherwallet.com generates keys
legendary
Activity: 3038
Merit: 2162
What is the most secure way to generate a private key for a user?

Is this secure?

Hashing a password that the user inputs (longer than 10 characters with numbers, capital letters), then hashing with the current date and time, then hashing with a random number generated between 1-100,000?

Does anyone know how private key generation is handled in other clients?

This sounds like you are trying to invent a Key Derivation Function (KDF), and in cryptography inventing your own algorithms is generally a bad idea. Also, it's unclear what exactly you are asking - do you want your users to generate a Bitcoin key-address pair on the browser side, or do you want to generate keys on the server side, or maybe you are doing it only for yourself?
sr. member
Activity: 518
Merit: 268
The most secure way is to download the bitaddress source from GitHub and move it to a flash drive, like NeuroticFish describes. Then you follow this guide:

To generate your own entropy you’ll need five 6-sided dice, preferably high quality casino dice for true random numbers.

Roll the five dice and arrange in any order to create one 5-digit number. Use this dice number list [http://world.std.com/~reinhold/dicewarewordlist.pdf] to obtain a word for the roll. If, for example, you rolled 11121, your word would be aaron. Repeat this 24 times, since you’ll need 24 words for a secure seed.

Write down each word on one piece of paper like this. This will create the seed that will be used as the random entropy for your paper wallets.

Create multiple copies of the word list and store in multiple locations. Laminate each copy and store in a fireproof safe if possible.

Remember to write it down! Then afterwards click on the "brain wallet" button, like shown below:



Fill down your 24 word list two times and click view, now you have successfully generated a bitcoin address.
Write down your paper wallet (printing adds an extra attack vector) and make sure to check for errors.
Finally destroy your flashdrive and never use it again.

 
legendary
Activity: 3668
Merit: 6382
What is the most secure way to generate a private key for a user?

Is this secure?

Hashing a password that the user inputs (longer than 10 characters with numbers, capital letters), then hashing with the current date and time, then hashing with a random number generated between 1-100,000?

Does anyone know how private key generation is handled in other clients?

I think you had best take a look at what the code of https://www.bitaddress.org does, since it is available on GitHub.

Since that code is proven by time that's good, the security is mostly related to the internet.
So one pretty safe way is to download the bitaddress code locally, onto a stick, for example, unplug the computer from any internet activity (go offline), generate as many paper wallets as you want (meaning public+private keys actually), print them to paper (printer connected by USB, not the network).
Afterwards stop the printer, format the HDD and after that you can reinstall and go online again.
Safe enough?
member
Activity: 183
Merit: 25
What is the most secure way to generate a private key for a user?

Is this secure?

Hashing a password that the user inputs (longer than 10 characters with numbers, capital letters), then hashing with the current date and time, then hashing with a random number generated between 1-100,000?

Does anyone know how private key generation is handled in other clients?

Edit: This is for a wallet service, so all code should be run within the browser side.