How Authereum uses 3Box for Contract Wallet Keystore Backup
3Box Partner Series
Authereum, an Ethereum smart contract wallet provider, went live with a new feature that allows users to privately back up the admin keystore that controls their Authereum contract wallet to 3Box. By giving users the ability to access their admin keystore without Authereum’s services, 3Box reduces the user’s reliance on Authereum and builds more trust in the smart contract wallet ecosystem.
Dependence on Authereum for contract recovery in certain cases
When a user creates a new Authereum contract account, an admin key is generated client-side on their device to manage the contract; this key is then stored in local storage under the Authereum domain and is also encrypted (with an encryption key based on a salt + password) and kept on the Authereum service. The admin key is used to directly control the contract account from their device or to create attestations for ephemeral keys to be used by dapps. This admin key remains in local storage until the user logs out of the Authereum web app, which wipes all values from local storage.
When a user logs into Authereum again with their password, their encrypted keystore is fetched from the Authereum service, decrypted, and then stored again in local storage to be used for signing transactions and attestations. The user also has the ability to add additional admin keys to their contract account for use with additional devices.
The user can at any point download their admin key-encrypted keystore from within the Authereum web app, so they can interact with their contract-based account without using any Authereum service, for example if Authereum’s services go down.
Previously it was the case that if the user was signed out of Authereum on all their device(s), and Authereum’s services were down, the user wouldn’t be able to fetch their encrypted keystore and load it into local storage. In this case, the user would be unable to control their contract account and all funds could be locked away. This model created a dependency on the Authereum service if the user had not previously exported their initial key or added additional keys.
Because of this issue, Authereum encouraged users to add more than one admin key for additional devices, such as a hardware wallet, so users would have the keystore in local storage on a second device and could easily recover their contract account in the case mentioned above. But in the case users only had one admin key, or if they were signed out of all their devices, users needed an alternative way to access the encrypted keystore for their contract.
3Box for private, user-controlled keystore backup
3Box allows users to store arbitrary public and encrypted data on IPFS in namespaced folders called Spaces. Since IPFS functions as a decentralized CDN, the user can retrieve their content from any IPFS node that has it cached or pinned.
To address the keystore availability problem, Authereum is utilizing 3Box to store a copy of the user’s initial admin key-encrypted keystore. Keeping an encrypted copy of the admin keystore on 3Box, in addition to the copy on the Authereum service, ensures the user can always access their contract account, even if Authereum’s services are down.
However, the key that manages the 3Box backup can’t be the same admin key, since the user won’t have access to it in this scenario, so a new 3Box management key is generated. This new key is based on a salt (something unique to the user, like an email address) and a secret (a unique password). The salt + secret are used to derive a key using PBKDF2 with 100k iterations, and the key is then hashed again to generate the management key. A standalone web page can live on IPFS where the user inputs the required credentials; it generates the 3Box management key on the client side, with which they can then retrieve their encrypted keystore.
3Box backup is a feature on Authereum that is enabled by default, so users will always have access to their encrypted keystore without relying on Authereum services.
3Box’s IdentityWallet SDK provides wallet developers with the identity management functionality they need to associate multiple Ethereum key-pair accounts to the same 3ID account, used by 3Box. This is critical for smart contract account wallet developers because their users need to be able to control a contract account using multiple device (or admin) keys.
The 3Box.js SDK allows app and wallet developers to read from and write to 3Box databases. This is used by Authereum to store private, encrypted keystore values directly with the user, outside the bounds of the Authereum service.