Security

How we secure API calls

Definition of HMAC

API calls are authenticated with an HMAC (hash-based message authentication code): a tag computed over the request with a secret key, so the receiver can tell that the request came from a holder of the key and was not altered in transit. HMAC uses two passes of hash computation. The secret key is first used to derive two keys, inner and outer. The first pass of the algorithm produces an internal hash derived from the message and the inner key. The second pass produces the final HMAC code derived from the inner hash result and the outer key. This two-pass construction is what makes HMAC immune to the length extension attacks that a plain hash of key || message would be exposed to. An iterative hash function breaks up a message into blocks of a fixed size and iterates them with a compression function; for example, SHA-256 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (e.g. 256 bits for SHA-256 and 512 bits for SHA3-512), although it can be truncated if desired.

HMAC does not encrypt the message. Instead, the message (encrypted or not) is sent alongside the HMAC tag. A party holding the secret key recomputes the tag over the received message; if the message is authentic, the received and computed tags will match. The comparison should be done in constant time so that a tag cannot be recovered byte by byte from timing differences.
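The following is an added example and not Sendbit's code: it builds HMAC-SHA256 by hand from the two-pass definition above (inner and outer keys, then the two hash passes), cross-checks it against the standard library, and then uses HMAC to tag and verify an API request. The request layout, header names, secret and timestamps are constructed for the demo; the verification step shows the two checks a practitioner wants, a freshness window against replay and a constant-time tag comparison.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built directly from its definition, to show the two passes:
    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    block_size = hashlib.new(hash_name).block_size        # 64 bytes for SHA-256
    if len(key) > block_size:                              # a key longer than a block is hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")                    # a shorter key is zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)               # K' xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)               # K' xor opad
    inner_hash = hashlib.new(hash_name, inner_key + message).digest()   # first pass
    return hashlib.new(hash_name, outer_key + inner_hash).digest()      # second pass


def matches_library(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library's implementation."""
    return hmac.compare_digest(hmac_from_definition(key, message),
                               hmac.new(key, message, "sha256").digest())


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Everything the server must be able to trust goes under the tag, the timestamp included."""
    return f"{method}\n{path}\n{timestamp}\n".encode() + body


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: tag the canonical request with the shared secret (hex, 64 chars for SHA-256)."""
    return hmac.new(secret, canonical_request(method, path, timestamp, body), "sha256").hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes,
                   tag: str, now: int, max_skew: int = 300) -> bool:
    """Server side: reject stale requests (replay), then compare tags in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed demo values; the path and body are illustrative, not Sendbit's API.
    secret = b"constructed-demo-secret"
    body = b'{"to":"DESTINATION","amount":"0.01"}'
    tag = sign_request(secret, "POST", "/api/send", 1700000000, body)
    print("tag:", tag)
    print("genuine request verifies:",
          verify_request(secret, "POST", "/api/send", 1700000000, body, tag, now=1700000005))
    tampered = body.replace(b"0.01", b"1.00")
    print("tampered body verifies:",
          verify_request(secret, "POST", "/api/send", 1700000000, tampered, tag, now=1700000005))
```

Because the timestamp is part of the tagged string, a captured request cannot be replayed after the skew window, and because the method and path are tagged too, a valid tag for one endpoint cannot be reused against another.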

How we secure user accounts

2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, instead of immediately gaining access, they are required to provide another piece of information. On Sendbit we use a four-digit PIN for 2FA; you can set this PIN once you have logged into your account, through the security center.

Verifying your email address allows us to send login codes when suspicious or unusual activity is detected, and to send bitcoin payment alerts when you receive funds.

How can I make sure my password is secure?

Passwords must be at least 16 characters long and unique: never reuse a password from another site. Passwords are case-sensitive, so mix upper- and lowercase letters and numbers, and include symbols such as %, #, !, * or &.

GUID/UUID wallet IDs

You may notice that your wallet ID is in a format like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. This is a UUID; when generated randomly (version 4) it carries 122 bits of randomness, so an attacker cannot guess or enumerate valid wallet IDs the way they can with email addresses or usernames, which makes brute-forcing a login far harder. We use the UUID as the login identifier rather than an email address, because email addresses are used everywhere and are easy to harvest, which leaves you exposed to targeted attacks and spam.

Application

We filter input to prevent SQL injection, and we protect against CSRF and XSS attacks; these are three separate classes of attack and each has its own defence (an SQL injection filter on its own does not stop CSRF or XSS). We rate-limit a variety of actions on the site (login attempts, etc.). We have an advanced error reporting and logging system, and we monitor it so that we learn quickly if something goes wrong.
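An added example, not Sendbit's code, for two of the points above: it puts a deliberately injectable wallet-ID lookup next to the parameterised version (the reliable fix for SQL injection, as opposed to trying to filter dangerous characters out of input), and it implements a sliding-window limit on failed login attempts of the kind the paragraph describes. The table, rows, wallet IDs and limits are constructed for the demo.

```python
import sqlite3
from collections import deque
from typing import Deque, Dict, List


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users; not Sendbit's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (wallet_id TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("3f2504e0-4f89-11d3-9a0c-0305e82c3301", "hash-a"),
         ("6ba7b810-9dad-11d1-80b4-00c04fd430c8", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, wallet_id: str) -> List[str]:
    """Deliberately vulnerable: the caller's input is spliced into the SQL text, so a value
    like ' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = f"SELECT wallet_id FROM users WHERE wallet_id = '{wallet_id}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, wallet_id: str) -> List[str]:
    """Parameterised query: the driver sends the value separately from the SQL text,
    so the input can never become part of the statement."""
    sql = "SELECT wallet_id FROM users WHERE wallet_id = ?"
    return [row[0] for row in conn.execute(sql, (wallet_id,))]


class LoginLimiter:
    """Sliding-window limit on failed login attempts per key (a wallet ID or a client IP).
    `now` is passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures: Dict[str, Deque[float]] = {}

    def _recent(self, key: str, now: float) -> Deque[float]:
        # Drop failures that have aged out of the window before counting.
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) < self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        self._recent(key, now).append(now)


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup returns:", find_user_vulnerable(conn, payload))
    print("parameterised lookup returns:", find_user_safe(conn, payload))
```

The limiter keys on whatever the caller passes; keying on both the wallet ID and the source IP (two limiters) catches a single attacker hammering one account as well as a distributed attempt across many accounts.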

Authentication

Passwords stored in the database are hashed with bcrypt at a cost factor of 12 (2^12 = 4096 rounds of bcrypt's key setup), so each guess is deliberately slow for an attacker who obtains a copy of the database. We check that every password is strong when an account is created. Wallet credentials are kept separate from the database and code base.
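An added example of the account-creation path described above, not Sendbit's code: the password is checked against the policy from the "How can I make sure my password is secure?" section (16 characters, mixed case, digits, symbols) before it is hashed and stored. The page's bcrypt is replaced here by scrypt from Python's standard library so the block runs without third-party packages; the structure is the same (a random per-user salt, a slow hash with a tunable cost parameter stored alongside the digest, and constant-time verification). The policy messages, cost parameters and storage format are this example's own choices.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 16                     # the page's policy: at least 16 characters
SYMBOLS = set(string.punctuation)   # %, #, !, *, & and the rest of ASCII punctuation


def password_problems(password: str) -> List[str]:
    """Return the policy rules a candidate password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


# scrypt stands in for bcrypt here. N plays the role of bcrypt's cost factor: doubling it
# doubles the work (and memory) per guess. 2**14 with r=8 uses about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt; store the parameters with the digest so they can be
    raised later without invalidating old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_account(password: str) -> str:
    """Enforce the policy at creation time, then return the record to store (never the password)."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = create_account("Correct-Horse-Battery-99!")   # constructed demo password
    print(record)
    print("correct password verifies:", verify_password("Correct-Horse-Battery-99!", record))
    print("wrong password verifies:", verify_password("Correct-Horse-Battery-98!", record))
```

With the third-party bcrypt package installed, hash_password would become bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12)) and verify_password would become bcrypt.checkpw(password.encode(), stored); the policy check and the rule of never storing the password itself are unchanged.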

2-Step Verification on All Accounts

In addition to your wallet ID and password, you'll enter the code you set in your security center, adding an extra layer of security to your account.

Private keys

The private key is what grants a cryptocurrency user ownership of the funds on a given address. The Sendbit wallet automatically generates and stores private keys for you, and you can always retrieve your private keys when you back up your wallet. When you send from a Sendbit wallet, the software signs the transaction with your private key (without disclosing it), which proves to the entire network that you have the authority to spend the funds held at the address you are sending from. We also allow our users to back up and download their entire wallet, including private keys, change addresses, and all used addresses. These are the steps (Bitcoin Core RPC calls) taken to create, sign, and broadcast a transaction to the network via the Sendbit wallet:

createrawtransaction [{"txid":"id","vout":n},...] [{"address":amount},{"data":"hex"},...] ( locktime ) ( replaceable )
signrawtransactionwithkey "hexstring" ["privatekey1",...] ( [{"txid":"id","vout":n,"scriptPubKey":"hex","redeemScript":"hex"},...] sighashtype )
sendrawtransaction "hexstring"
Example output (the transaction ID returned by sendrawtransaction): c95d57202344ad583c48f4b134725ad0e59eb56941b5f62252b8d12770f84258
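The three RPC steps above chained together, as an added example that is not Sendbit's code: a minimal JSON-RPC client for a bitcoind node, the create-sign-broadcast pipeline, and a constructed in-memory stand-in for the node so the flow runs offline. The node URL, credentials, input txid, destination address and private key are placeholders. Two points the bare command list does not show: signrawtransactionwithkey receives the raw private keys, so it must only ever be sent to a node you control (ideally one on the same host as the keys), and a transaction should not be broadcast unless the signer reports it as complete.

```python
import base64
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

RpcCall = Callable[[str, List[Any]], Any]


def make_bitcoind_client(url: str, user: str, password: str) -> RpcCall:
    """JSON-RPC 1.0 client for a bitcoind node. url, user and password are placeholders
    for the reader's own node; nothing here describes Sendbit's infrastructure."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(method: str, params: List[Any]) -> Any:
        payload = json.dumps({"jsonrpc": "1.0", "id": "demo", "method": method, "params": params}).encode()
        request = urllib.request.Request(
            url, data=payload,
            headers={"Content-Type": "application/json", "Authorization": "Basic " + auth},
        )
        with urllib.request.urlopen(request) as response:
            reply = json.load(response)
        if reply.get("error"):
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply["result"]

    return call


def create_sign_broadcast(rpc: RpcCall, inputs: List[Dict[str, Any]], outputs: List[Dict[str, Any]],
                          privkeys: List[str], prevtxs: Optional[List[Dict[str, Any]]] = None) -> str:
    """The three steps from the page. The private keys go to whatever `rpc` talks to, so it must be
    a node you control; nothing is broadcast unless the signer reports the transaction complete."""
    unsigned_hex = rpc("createrawtransaction", [inputs, outputs])
    sign_params: List[Any] = [unsigned_hex, privkeys]
    if prevtxs:                      # needed when the node cannot see the spent outputs itself
        sign_params.append(prevtxs)
    signed = rpc("signrawtransactionwithkey", sign_params)
    if not signed.get("complete"):
        raise ValueError(f"transaction not fully signed: {signed.get('errors')}")
    return rpc("sendrawtransaction", [signed["hex"]])


class FakeNode:
    """Constructed stand-in for bitcoind so the flow can run offline; it records the call order
    and returns placeholder hex, not real transactions."""

    def __init__(self, complete: bool = True):
        self.complete = complete
        self.calls: List[str] = []

    def __call__(self, method: str, params: List[Any]) -> Any:
        self.calls.append(method)
        if method == "createrawtransaction":
            return "02000000" + "00" * 60
        if method == "signrawtransactionwithkey":
            if not params[1]:
                raise RuntimeError("no private keys supplied")
            errors = [] if self.complete else [{"error": "constructed signing failure"}]
            return {"hex": "02000000" + "ff" * 60, "complete": self.complete, "errors": errors}
        if method == "sendrawtransaction":
            return "c95d57202344ad583c48f4b134725ad0e59eb56941b5f62252b8d12770f84258"
        raise RuntimeError(f"unexpected RPC {method}")


def demo(complete: bool = True) -> Dict[str, Any]:
    """Run the pipeline against the fake node; input, address and key are placeholders."""
    node = FakeNode(complete)
    inputs = [{"txid": "11" * 32, "vout": 0}]
    outputs = [{"DESTINATION_ADDRESS": 0.01}]
    privkeys = ["WIF_PRIVATE_KEY_PLACEHOLDER"]
    try:
        txid = create_sign_broadcast(node, inputs, outputs, privkeys)
        return {"txid": txid, "calls": node.calls, "error": None}
    except ValueError as exc:
        return {"txid": None, "calls": node.calls, "error": str(exc)}


if __name__ == "__main__":
    print(demo())
    print(demo(complete=False))
```

Against a real node, replace the FakeNode with make_bitcoind_client("http://127.0.0.1:8332", "rpcuser", "rpcpassword") (placeholder values) and pass real inputs, outputs and WIF keys; the pipeline logic is unchanged.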