How are encryption keys generated on Airbitz?

AirBitz uses AES256 for encryption and the keys are generated from the user’s login + password. The login & password are combined then hashed using Scrypt with a minimum set of (N,r,p) parameters of (16384,1,1) which is many orders of magnitude stronger than most other wallets, especially web wallets which typically only use a SHA hash with a few thousand rounds. Scrypt is way more memory and CPU intensive per round.

The minimum parameters of (16384,8,1) are only on slow iPhone 4 or old Android devices. On faster phones the parameters can go as high as (128000,8,1) which are extremely difficult to brute force.

Also note that no Scrypt ASIC miners can hash Airbitz passwords as ASIC miners only use parameters (1024,1,1).

Random number generation is a critical aspect to cryptography, and Airbitz utilizes several sources of entropy to provide randomness. First is the operating system random number generator. Airbitz calls directly into the core of the OS, bypassing potential issues with libraries such as those present in an earlier version of the Java library. Entropy is also added from various system sources such as free memory, time/date, and file system info. This combination protects from a compromise of any one of the entropy sources.

Posted in: Airbitz Wallet (Technical)