About Address Security

About secretKey

When a new ServerWallet is created using createAddress, a new privateKey is created in the ServerWallet Server, and the mnemonic and secretKey are returned along with the address. Once saved, the mnemonic can be used for restoration with importAddress.

The secretKey is generated per address and stored securely in the ServerWallet Server. It is used for authentication when performing a signature operation with the address. The hashKey, generated as hash(tempKey + "|" + secretKey), is sent to the Token Server, and authentication is performed using the secretKey stored in the ServerWallet Server and the delivered tempKey.

hashKey = CryptoUtil.getSha256(tempKey + "|" + secretKey)

How to create a signature

When using an API that generates a transaction, such as create or transfer, a signature must be created and passed as a parameter. The signature is created with signData of the ServerWallet API. For example, for transfer, the string "fromAddress | toAddress | amount | hashKey" is hashed with SHA-256, the result is converted to a hex string, and that hex string is passed as the data parameter of signData to generate the signature value.

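// String to be hashed and signed for a transfer.
String data = fromAddress + "|" + toAddress + "|" + amount + "|" + tempKey + "|" + hashKey;
// data contains tempKey and hashKey, so keep this output at debug level only.
log.debug("data=" + data);
// The SHA-256 hex digest of data is passed as the data parameter of signData.
String hashData = CryptoUtil.getSha256(data);
log.debug("hashData=" + hashData);
resultMessage = tokenApiService.signData(fromAddress, hashData, tempKey, hashKey);
...
// Requires: java.nio.charset.StandardCharsets, java.security.MessageDigest,
// java.security.NoSuchAlgorithmException
public static String getSha256(String msg) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    // Use an explicit charset so the digest does not depend on the platform default.
    md.update(msg.getBytes(StandardCharsets.UTF_8));
    byte[] mdBytes = md.digest();
    // bytesToHex is a helper that is not shown on this page.
    String mdStr = bytesToHex(mdBytes);

    return mdStr;
}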
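The hashKey derivation and the transfer hash described above, end to end, as an added example that is not ServerWallet's own code. The class and method names, the sample values and the server-side check (recomputing the hash from the stored secretKey and comparing in constant time) are assumptions; the field order follows the code listing above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not ServerWallet code. Class, method names and sample values are hypothetical.
public class HashKeyExample {

    // SHA-256 of a UTF-8 string, as a lowercase hex string.
    static String sha256Hex(String msg) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(msg.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Client side: derive the hashKey for one request from tempKey and the address's secretKey.
    static String deriveHashKey(String tempKey, String secretKey) throws NoSuchAlgorithmException {
        return sha256Hex(tempKey + "|" + secretKey);
    }

    // Client side: the hex digest passed as the data parameter of signData for a transfer.
    static String transferHashData(String from, String to, String amount,
                                   String tempKey, String hashKey) throws NoSuchAlgorithmException {
        return sha256Hex(from + "|" + to + "|" + amount + "|" + tempKey + "|" + hashKey);
    }

    // Server side (assumed): recompute from the stored secretKey and compare in constant time.
    static boolean verifyHashKey(String tempKey, String receivedHashKey, String storedSecretKey)
            throws NoSuchAlgorithmException {
        byte[] expected = deriveHashKey(tempKey, storedSecretKey).getBytes(StandardCharsets.US_ASCII);
        byte[] received = receivedHashKey.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not real keys or addresses.
        String secretKey = "sample-secret-key";
        String tempKey = "sample-temp-key-0001";
        String hashKey = deriveHashKey(tempKey, secretKey);
        String hashData = transferHashData("addrA", "addrB", "100", tempKey, hashKey);
        System.out.println("hashData length = " + hashData.length());
        System.out.println("valid hashKey   -> " + verifyHashKey(tempKey, hashKey, secretKey));
        System.out.println("wrong secretKey -> " + verifyHashKey(tempKey, hashKey, "other-secret"));
    }
}
```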
