General Security Principles

User Master Password

Used to decrypt local data containing the user data.

Never stored in any server, nor any form of its derivatives.
Never stored locally until the user enables “Remember”.
Never transmitted over the internet.
Master Password verification is delayed by PBKDF2-SHA2 to mitigate brute force crack.

User Data

Contains sensitive information including mnemonics and private keys.

Utilize AES 256 for encryption and decryption.
A salt for encryption is generated using a web crypto random function for each setup.
The user data is stored in the web browser's local storage. This local storage is in turn stored on the user file system with the browser profile data.

Decrypted Data Usage

Private keys are saved in memory without having to ask the user for Master Password each time.
Private keys are sent from different instances through local storage or web sockets that utilize ECDH and AES.
Memory protection depends on the browser’s security.

Communication

All communication between Pawket wallet and Pawket servers is secured with HTTPS.
Only insensitive information like spend-bundle, puzzle_hash, and coin_name can be sent to the server.
Users are allowed to host the server on-premise for better security.

Air-gapped Signing

Only save your mnemonic on an offline device and sign using a QR code exchange.

Shadow Wallet

Fully compatible with BIP39, with shadow wallet support.

Super Light Wallet

Utilize server performance superiority, and mitigate the burden of Light Wallet to handle dusted accounts smoothly.

Single Mnemonic Multiple Accounts

With a single mnemonic, the user can create multiple accounts bootstrap with a sequence or shadow password.

Cross Platform

Support multiple platforms and cross-platform experiences.

dApp Integration

External API that allows other dApp to be easily integrated into the Chia Blockchain.