Carbon Wallet, a new service seeking to be the next great innovation in secure online wallets, is launching today. Currently there are two major types of online wallet: server-side controlled wallets and client-side controlled wallets. In a server-side wallet (e.g. Coinbase), the actual wallet is controlled by a server, which keeps a balance for each of its users much like a bank keeps accounts. In a client-side wallet, a fully functional Bitcoin wallet runs inside the user's browser, and the server only holds encrypted backups of each user's wallet, to which only the user knows the decryption key. Carbon Wallet is adding a third paradigm to this mix: the server holds no backups at all, and the wallet is instead deterministically regenerated from the user's password each time the client loads.
Reconstructing an entire Bitcoin wallet from nothing more than a password may seem like a magical feat, but in reality it is quite feasible. Essentially, a wallet is made up of two parts: private keys, and transaction information. Private keys are the secret numbers that let the owner of a Bitcoin address sign transactions spending money from it; the transaction information a wallet needs is essentially how much money it holds and the contents of the individual transactions that sent that money to it. The Bitcoin Wiki describes a number of ways to generate a potentially infinite set of private keys from a single root seed; the simplest one to explain relies on SHA256, a cryptographic hash function also used elsewhere in Bitcoin. SHA256 can take anything as an input and uses a series of highly chaotic transformations to produce a seemingly random 256-bit number as output, which is exactly the format of a Bitcoin private key. The key generation algorithm is then simple: private key 1 = SHA256(password + "1"), private key 2 = SHA256(password + "2"), and so on. The corresponding Bitcoin address can be computed from each private key (via its public key), but not the other way around, so publishing the addresses reveals nothing about the password. The mechanism Carbon Wallet actually uses is more complicated, replicating the one used internally by Electrum, but it shares the same ability to generate as many addresses as the user requires. Transaction information, just as in the popular client-side wallet blockchain.info, is simply downloaded with the help of the Carbon Wallet servers.
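The simple SHA256 scheme described above, written out as an added example; this is illustrative code, not Carbon Wallet's or Electrum's own. It derives private key i as SHA256(passphrase + str(i)), checks that the result is a valid secp256k1 scalar, computes the compressed public key with a small pure-Python implementation of the curve arithmetic, and encodes the key in Wallet Import Format. The final step to a Bitcoin address (HASH160 of the public key, then Base58Check) needs RIPEMD-160, which Python's standard library does not guarantee, so it is left out. The passphrase used is the one printed in the article and is treated as a constructed sample.

```python
import hashlib

# secp256k1, the curve Bitcoin uses: field prime, group order, generator point.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Sample passphrase quoted in the article; a constructed wallet, never fund it.
PHRASE = ("naked goose realize except concrete attack strange tightly "
          "thorn note memory church")


def derive_private_key(passphrase: str, index: int) -> int:
    """Private key i = SHA256(passphrase + str(i)), as the article describes.

    The digest is a 256-bit number, but a valid secp256k1 private key must lie
    in [1, N-1]; the astronomically unlikely out-of-range case is rejected
    instead of being silently accepted.
    """
    digest = hashlib.sha256((passphrase + str(index)).encode("utf-8")).digest()
    k = int.from_bytes(digest, "big")
    if not 1 <= k < N:
        raise ValueError("hash fell outside the curve order; use another index")
    return k


def _point_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # a == -b
    if a == b:                                       # tangent slope (doubling)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                            # chord slope (distinct points)
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k: int, point=G):
    """k * point by double-and-add (not constant time; demonstration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def public_key(k: int, compressed: bool = True) -> bytes:
    """SEC1-encoded public key for private key k (33 bytes compressed, 65 raw)."""
    x, y = _scalar_mult(k)
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _base58check(payload: bytes) -> str:
    """Base58 with a 4-byte double-SHA256 checksum, as Bitcoin uses."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = _B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out                 # each 0x00 prefix byte is a '1'


def to_wif(k: int, compressed: bool = True) -> str:
    """Wallet Import Format: 0x80 || key || (0x01 if compressed), Base58Check."""
    payload = b"\x80" + k.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return _base58check(payload)


if __name__ == "__main__":
    for i in range(1, 4):
        k = derive_private_key(PHRASE, i)
        print(f"key {i}: {to_wif(k)}  pub: {public_key(k).hex()}")
    # Caveat of naive concatenation: "abc1" + "1" and "abc" + "11" hash identically.
    print(derive_private_key("abc1", 1) == derive_private_key("abc", 11))  # True
```

The last line shows why real schemes (Electrum's included) do more than glue a counter onto the password: with plain string concatenation, passphrase "abc1" at index 1 and passphrase "abc" at index 11 produce the same key. A length prefix or a fixed separator between password and index removes that ambiguity. The curve arithmetic here is written for readability, not side-channel resistance, and should not be used for real signing.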
Currently, Carbon Wallet does not let users choose their own passwords; it instead relies on twelve-word "passphrases" in the same format as Electrum wallets. If you do not want to compose your own twelve-word passphrase from Electrum's roughly 1700-word dictionary, Carbon Wallet can create one for you; "naked goose realize except concrete attack strange tightly thorn note memory church" is one example of a passphrase that Carbon Wallet generated. Naturally, any passphrase that has been published, this one included, must never be used to hold funds.
The question is, will Carbon Wallet actually be more secure than its alternatives? On the one hand, this model significantly reduces the server's involvement in the wallet's use. On the other hand, the main weakness of blockchain.info is just as present in Carbon Wallet: its operators, or anyone who compromises their servers, are capable of introducing malicious code into the client that, for example, empties a user's wallet immediately upon launch. Blockchain.info has provided a mitigation in the form of a Firefox and Chrome extension, and Carbon Wallet will soon implement a similar feature, but in this regard the security of the two models remains exactly the same.
But there are a number of ways in which Carbon Wallet's model does win out. The first is reliability. Even if the Carbon Wallet servers go down, users can simply use their Carbon Wallet passphrase as the seed for Electrum and obtain an Electrum wallet with all of the same addresses. With blockchain.info, users must either make use of its email or Dropbox wallet backup feature or risk losing access to their wallets if, for whatever reason, the site disappears or all copies of the database are erased. Another advantage is portability. Anyone can build their own Carbon Wallet-compatible wallet with superior features or a better interface, and Carbon Wallet users will be free to hop between providers at a moment's notice; because the wallet is deterministically generated from nothing but the passphrase, every provider can give the user access to their money in an instant.
There are several features that Carbon Wallet will add in the future. One is the ability to store the long passphrase in local browser storage, encrypted so that a shorter password decrypts it. Because the short password then only unlocks a copy held on the user's own device, an attacker who does not have that device cannot brute-force it, which helps mitigate the guessing issue; this feature would also be necessary when Carbon Wallet expands into mobile applications, as it is very inconvenient to type a genuinely secure passphrase on a smartphone. The wallet will also soon add, at the very least, a "validator" extension to protect against someone hacking the Carbon Wallet servers and secretly inserting malicious code into the client that is delivered to the user's browser. Support for mobile devices and for QR codes are also high priorities. For those interested in what this new model of wallet storage has to offer, Carbon Wallet is now available for use at http://carbonwallet.com.
Vitalik Buterin is a co-founder of Bitcoin Magazine who has been involved in the Bitcoin community since 2011, and has contributed to Bitcoin both as a writer and the developer of a fork of bitcoinjs-lib, pybitcointools and multisig.info, as well as one of the developers behind Egora. Now, Vitalik's primary job is as the main developer of Ethereum, a project which intends to create a next-generation smart contract and decentralized application platform that allows people to create any kind of decentralized application on top of a blockchain that can be imagined.