WO2023123151A1 - Systems and methods for cold wallets - Google Patents
- Publication number
- WO2023123151A1 (PCT/CN2021/142825)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- based system
- computer based
- processor
- wallet application
- data
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
Definitions
- This disclosure generally relates to transacting in digital assets, and more particularly to secure asset custody systems for digital assets.
- Cryptocurrency or digital asset networks such as, for example, the Bitcoin network may be a peer-to-peer payment system having a plurality of nodes that are connected to one another.
- Digital asset exchange computer systems allow for users to exchange local currency into or out of a desired cryptocurrency. Users send payments by broadcasting digitally signed messages to the cryptocurrency network. Users may, for example, send and receive payments using mobile applications on mobile devices, client software or a web browser. Transactions do not explicitly identify the payor and payee by name or wallet. Instead, a bitcoin transaction transfers ownership to a new address, referred to as a "currency address".
- The currency address is derived from the public portion of one or more cryptographic key pairs. The private portion of a key pair is not disclosed to the public.
- To send a cryptocurrency to an address, a user broadcasts a payment message that is digitally signed with the associated private key.
- Host computer systems reside at various nodes and may host accounts or "wallets" that allow users to make and accept payments using cryptocurrency.
- The wallet stores the public key of the cryptocurrency address and its associated private key.
- The transfer of cryptocurrency may be an onerous task if the entire public key of the cryptocurrency address has to be copied and transmitted.
- The cryptocurrency network may be a Distributed Ledger Technology (DLT) network such as a blockchain network. Network participants may verify the transaction and append the transaction to a shared database of transactions.
- Cryptocurrency transacting requires the use of a public key and a private key. The private key is used to sign an authorization and the public key is used to verify the signature. Some users may require control over their private keys in order to ensure to such users that the cryptocurrency transacting will not take place without their express authorization.
- A system, method, and computer readable medium (collectively, the “system”) is disclosed for cold wallets.
- the system may create a wallet of a cold wallet application in response to a request to create a wallet from a user, generate a cold wallet cryptocurrency address of the cold wallet application, import a hot wallet cryptocurrency address to the cold wallet application, import a transaction data of an exchange platform to the cold wallet application, sign the transaction via the cold wallet application to generate a signed transaction, and export the signed transaction from the cold wallet application to the exchange platform.
- the system may generate a first QR code comprising the hot wallet cryptocurrency address and the transaction data of the exchange platform, and receive the hot wallet cryptocurrency address and the transaction data of the exchange platform at the cold wallet application in response to optical recognition of the first QR code.
- the system may generate via the cold wallet application, a second QR code comprising the signed transaction, and receive the signed transaction at the exchange platform in response to optical recognition of the second QR code.
- the system may receive an access request from a first super admin at the cold wallet application.
- the system may create a user account for the user in the cold wallet application in response to a user creation request from the first super admin.
- the system may set permissions for the user account in response to a permission setting from the first super admin, wherein the permissions include enabling the request to create a wallet.
- the system may create an activity log associated with the cold wallet application and the user and record each of an action, the user associated with the action, and a timestamp in the activity log, wherein the action is an operation performed via the cold wallet application in response to a user request.
- the system may receive each of the access request from the first super admin, an access request from a second super admin, and an access request from a third super admin at the cold wallet application.
- the system may assign a root user in response to receiving each of the access requests at the cold wallet application.
- the system may enable an accessible during runtime status for a data file in response to a request from the root user.
- the system may compare the signed transaction with an asset outflow threshold.
- the system may compare the signed transaction with a time horizon threshold.
- the system may inhibit processing of the signed transaction in response to the signed transaction exceeding the asset outflow threshold, and may inhibit processing of the signed transaction in response to the signed transaction exceeding the time horizon threshold.
- the system may receive N key components.
- the system may discretize the N key components via a hashing algorithm into a plurality of N key component parts.
- the system may combine the plurality of N key component parts to generate X keys.
- the system may encrypt the X keys to generate X key seeds.
- the system may perform an encryption process and a decryption process.
- FIGs. 1A through 1G are a block diagram illustrating an exchange platform system, in accordance with various embodiments.
- FIG. 2 is a block diagram illustrating the access control system, in accordance with various embodiments.
- FIG. 3 is a flowchart illustrating a transaction process of a cold wallet, in accordance with various embodiments.
- FIG. 4 is a diagram illustrating an independent wallet system and a temporary wallet, in accordance with various embodiments.
- FIG. 5 is a flowchart illustrating a deposit process, in accordance with various embodiments.
- FIG. 6 is a flowchart illustrating a transaction process, in accordance with various embodiments.
- FIGs. 7A through 7C are a flowchart illustrating a withdrawal process, in accordance with various embodiments.
- FIG. 8 illustrates an optical communication process, in accordance with various embodiments.
- FIG. 9 illustrates a key security process, in accordance with various embodiments.
- FIG. 10 illustrates a wallet generation process and an address generation process, in accordance with various embodiments.
- FIG. 11 illustrates an optical communications and signature process, in accordance with various embodiments.
- FIG. 12 illustrates an encryption process of an exchange platform system, in accordance with various embodiments.
- FIG. 13 illustrates a decryption process of an exchange platform system, in accordance with various embodiments.
- FIG. 14 illustrates an account creation and data importation process, in accordance with various embodiments.
- a cryptocurrency wallet may be a device, a physical media, a program, or a web service which stores the public and/or private keys for cryptocurrency transactions.
- the cryptocurrency wallet can be an online wallet, an offline wallet, or a combination thereof.
- An offline cryptocurrency wallet is also called a ‘cold’ wallet (in contrast to a ‘hot’ wallet, which refers to the online cryptocurrency wallet).
- A cold wallet is provided as a program, a software, or an application.
- A cold wallet may be provided as hardware (or a physical device), such as USB-Key, and other hardware based on Near-Field Communication (NFC) technology such as Wallets provided as hardware or a physical device are often referred to as a hardware wallet (or ‘hard’ wallet).
- Such hardware wallets tend to be suited for individual and personal use. Hardware wallets tend to be limited in the amount and frequency of transactions which can be processed. In this regard, hard wallets and cold wallets tend to be unable to handle corporate level cryptocurrency transaction volumes. In order to meet corporate level transaction volumes, existing cold wallet systems tend to compromise with regard to security as described below.
- Existing cold wallet systems are physically connected with the online cryptocurrency networks (for example, via an exchange system) through wireless networks, near-field communication (e.g., ), or physical ports such as, for example, USB. Therefore, current cold wallet systems are not completely offline; they still need to be connected with the internet at some point during the transaction.
- more than one employee may be assigned permissions to transact digital assets (e.g., cryptocurrency) in order to help manage the large transaction volume.
- Some cold wallets may be limited in storage capacity. For example, some cold wallets can only store keys for certain digital assets (e.g., a Bitcoin wallet may not be able to store Ethereum. An Ethereum wallet may not be able to store Dash). Where multiple employees have access to a cold wallet, security concerns arise, but where a single employee has access, throughput issues arise.
- The present system may solve the problem of enabling enterprise-scale transactions with cold wallet storage systems and providing enhanced transparency of transactions to regulators.
- The system may increase data reliability or accuracy by enabling data logging.
- The system may increase data security by enabling separation between online and offline storage elements and by segregating permissions between differing sets of users.
- Benefits of the present disclosure may apply to any suitable trading environment.
- the present disclosure may apply in equity trading, currencies trading, futures trading, and/or any other financial instrument, as well as in information analysis or fraud prevention contexts.
- This process improves the functioning of the computer.
- the systems and processes described herein may tend to accelerate secure storage operations of digital assets thereby reducing network processing overhead.
- “Electronic communication” means communication of at least a portion of the electronic signals with physical coupling (e.g., “electrical communication” or “electrically coupled”) and/or without physical coupling and via an electromagnetic field (e.g., “inductive communication” or “inductively coupled” or “inductive coupling”).
- “Transmit” may include sending at least a portion of the electronic data from one system component to another (e.g., over a network connection).
- “Data,” “information,” or the like may include encompassing information such as commands, queries, files, messages, data for storage, and the like in digital or any other form.
- “Satisfy,” “meet,” “match,” “associated with”, or similar phrases may include an identical match, a partial match, meeting certain criteria, matching a subset of data, a correlation, satisfying certain criteria, a correspondence, an association, an algorithmic relationship, and/or the like.
- “Authenticate” or similar terms may include an exact authentication, a partial authentication, authenticating a subset of data, a correspondence, satisfying certain criteria, an association, an algorithmic relationship, and/or the like.
- References to “various embodiments,” “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. After reading the description, it will be apparent to one skilled in the relevant art(s) how to implement the disclosure in alternative embodiments.
- System 100 may include various computing devices, software modules, networks, and data structures in communication with one another.
- System 100 may also contemplate uses in association with web services, utility computing, pervasive and individualized computing, security and identity solutions, autonomic computing, cloud computing, commodity computing, mobility and wireless solutions, open source, biometrics, grid computing and/or mesh computing.
- system 100 may comprise a client service module 102, an asset custody module 104, a data center module 106, an exchange system module 108, a basic services module 110, and a web client interface module 112.
- the system may include a settlement service 178 configured to provide settlement data 180 to the data center module 106.
- the system may include a risk management system 182 configured to communicate with the asset custody module 104, the exchange system module 108 and the client service module 102.
- the risk management module 182 may provide risk data 184 to the data center module 106.
- System 100 may be computer based, and may comprise a processor, a tangible non-transitory computer-readable memory, and/or a network interface, along with other suitable system software and hardware components.
- system 100 may be configured as a central network element or hub to access various systems, engines, and components of system 100.
- System 100 may comprise a network, computer-based system, and/or software components configured to provide an access point to various systems, engines, and components of the system.
- Web client interface 112 may be in operative and/or electronic communication with the client service module 102, asset custody module 104, data center module 106, exchange system module 108, and basic services module 110.
- the web client interface 112 may allow communication from a user 114 to systems, engines, and components of system 100.
- the user may communicate with the web client interface 112 via a user device.
- the user device may comprise software and/or hardware in communication with the web client interface 112 via a network comprising hardware and/or software configured to allow an account owner, an administrator, a user, a customer, a super admin and/or the like, access service provider 102.
- User device 104 may comprise any suitable device that is configured to allow a user to communicate with a network and the system 100.
- the user device may include, for example, a personal computer, personal digital assistant, cellular phone, kiosk, a mobile device, and/or the like and may allow a user to transmit voice communications and/or data.
- the user device includes a camera and a display screen.
- the client service module 102 may be configured to provide various client services such as, for example, client identity management.
- Client service module 102 may include user services 116 such as, for example, user interfaces to the exchange system, deposit and withdrawal services, transaction services and/or the like.
- Client service module 102 may be configured to perform Know Your Customer (KYC) services 118 including background checking 120 and identity authentication 122 services.
- Data center module 106 may include any number of database structures 124 or data elements such as, for example, exchange data, client data, marketing data, and operation data.
- Data center module 106 may be configured to maintain exchange data such as, for example, data sets relating to exchange platform transactions such as an exchange, a transaction type, a financial instrument, a currency, a price, a quantity, a date, a timestamp, risk management data, financial data, and/or the like.
- Any of the database structures 124 may include metadata and system 100 performance data and event logs and/or the like.
- Data center module 106 may be configured to maintain client data such as, for example, past orders, past transactions, bills, user information, client service module data, and/or the like.
- Data center module 106 may be configured to maintain marketing data such as, for example, event tracking statistics, external data, referral data, partner data, promotional data, and/or the like. Data center module 106 may be configured to maintain operations data such as, for example, monitoring statistics, devops statistics, performance data, and/or the like. In various embodiments, the data center module 106 may provide a historical data query service 126 and a reporting service 128.
- Asset custody center module 104 may be configured to provide physical control over one or more virtual assets such as, for example, cryptocurrencies, tokens, and/or the like.
- the virtual asset may comprise one of reward points such as, for example, those associated with a reward program, coupons, credit cards, hotels, frequent flyer program, online services, and/or the like.
- the virtual asset may comprise a token of or representation of a fiat currency, or a relatively closed currency such as, for example, a currency of a game economy.
- The virtual asset includes cryptocurrencies which may be supported by a distributed ledger and/or blockchain network such as, for example, Bitcoin, Bitcoin Cash, EOS, Litecoin, Tron, Ripple, DASH™, Monero, and/or the like.
- the asset custody center module 104 may be configured to provide various asset related services such as, for example, deposit and withdrawal service 130, Anti-Money Laundering (AML) service 132, whitelist service 134 and custody account service 136.
- Custody account service 136 may include one or more wallets such as a hot wallet or a cold wallet configured to communicate with an asset custody database 138.
- the exchange system module 108 may comprise hardware or software configured to process market transactions in a plurality of virtual assets.
- the exchange system module 108 may comprise or interact with an order service 140 and a clearing service 142 via an exchange mainline 144 to match orders and execute transactions based on the matching orders.
- exchange mainline 144 may be configured to generate market data such as, for example, price data and volume associated with the order book and may provide the market data to a market data service 146.
- the exchange mainline 144 may be supported by one or more mainline services 148 such as a main order service and a primary matching engine 150 and a standby matching engine 152.
- Exchange mainline 144 may be configured to match order book entries received from order service 140 and enable redundant operations tending thereby to enhance transaction reliability and system uptime.
- Exchange system module 108 may be accessible via a trading account service 154 configured to communicate with the various systems, engines, and components of the exchange system module 108.
- the trading account service 154 may be configured to record data in an internal storage database 156 and communicate with a persistence service 158.
- clearing service 142 may be configured to provide cleared transaction data 160.
- the basic services module 110 may be configured to provide operations staff with command and control functions of the system 100.
- the basic service module may include one or more web client interfaces 164 having features, processes, and architecture similar to the web client interface module 112.
- the web client interface 164 may be tailored to administration, command, and control functions of system 100.
- Basic services module 110 includes one or more administrative services such as product configuration service 166, exchange configuration service 168, review service 170, operator audit service 172, message center 174, and access control service 176.
- the web client interface 164 may be configured to provide the operations staff 162 access to each of the services 166, 168, 170, 172, 174, and 176.
- an access control system 200 may be established in system 100 by giving different permissions of the system (such as, for example, a wallet system) to various users.
- the access control system may have permission levels, including a super admin 210 and a user 212.
- the super admin 210 may have user management controls 236, including management of the user maintenance 240, the permission management 238, and the audit log 234.
- the user 212 may have the ability to conduct wallet management 224, address management 226, perform transactions 228, system setup 230, and conduct currency management 232.
- Each of these user permissions may include sets of associated actions which may be requested by the user and executed by the system such as wallet management actions 214, address management actions 216, transaction related actions 218, system management actions 220, and currency management actions 222.
- a user is created by the super admin.
- the super admin may have control of user management.
- Each user may be given relevant permissions by the super admin.
- Each user can only access the relevant sets of actions (or individual actions within the set) and the associated GUI that he or she has been assigned access to (i.e., permissioned for), and cannot access the part that he or she does not have.
- When using a cold wallet in a transaction, the user records/initiates the transaction and the managers (e.g., five managers or corporate executives) each authorize/approve the transaction using their keys. For example, as a preset condition, if at least any three of the five keys are provided, this transaction may complete.
- an audit log may be managed.
- The system may create an audit log (or activity log) of events in the cold wallet and trace what events happened, when the events occurred, and who caused the events. If necessary, auditors (e.g., the administrator of the exchange platform) can locate problems and accountability through the audit log afterwards.
- the activity log may include records of actions taken by the super admin.
- the system may create an activity log associated with the cold wallet and the user.
- The system may record each of an action (e.g., delete a file, publish a transaction, create an address), the user associated with the action, and a timestamp in the activity log.
- the action may be an operation performed via the cold wallet application and in response to a user request.
- a benefit of the access control system is that the system tends to avoid the risks inherent to centralized control in which only one or a limited set of persons have the permission of approving the transaction.
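The permission model, the three-of-five approval and the activity log described above, sketched as an added Python example (not code from the patent). The class, function, user and manager names and the demo keys are hypothetical; HMAC tags stand in for the managers' key-based approvals, and the hash chaining of log entries is an addition that makes later edits to the log detectable.

```python
import hashlib
import hmac
import json

# Constructed demo data (hypothetical names and keys, not from the patent).
SUPER_ADMINS = {"super_admin_1"}
MANAGER_KEYS = {f"manager_{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
                for i in range(1, 6)}
QUORUM = 3  # preset condition described above: any three of the five keys


class PermissionDenied(Exception):
    """Raised when a caller requests an action that was not assigned to them."""


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ColdWalletAccessControl:
    def __init__(self):
        self.permissions = {}  # user -> set of permitted actions
        self.audit_log = []    # entries: timestamp, user, action, outcome, chain hash

    def _record(self, ts, user, action, outcome):
        # Each entry commits to the previous one (assumption: not in the patent).
        prev = self.audit_log[-1]["digest"] if self.audit_log else "0" * 64
        body = {"ts": ts, "user": user, "action": action,
                "outcome": outcome, "prev": prev}
        self.audit_log.append({**body, "digest": _digest(body)})

    def grant(self, ts, admin, user, actions):
        """Only a super admin may create users or assign permissions."""
        if admin not in SUPER_ADMINS:
            self._record(ts, admin, f"grant:{user}", "denied")
            raise PermissionDenied(admin)
        self.permissions.setdefault(user, set()).update(actions)
        self._record(ts, admin, f"grant:{user}:{','.join(sorted(actions))}", "ok")

    def visible_actions(self, user):
        """What the GUI presents after login: only the assigned actions."""
        return sorted(self.permissions.get(user, set()))

    def perform(self, ts, user, action):
        """Enforce on every request; hiding a button is not an access check."""
        if action not in self.permissions.get(user, set()):
            self._record(ts, user, action, "denied")
            raise PermissionDenied(f"{user} lacks {action}")
        self._record(ts, user, action, "ok")
        return True

    def log_is_intact(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or entry["digest"] != _digest(body):
                return False
            prev = entry["digest"]
        return True


def approval_tag(manager, tx_bytes):
    """A manager's approval, bound to the exact transaction bytes."""
    return hmac.new(MANAGER_KEYS[manager], hashlib.sha256(tx_bytes).digest(),
                    hashlib.sha256).hexdigest()


def quorum_reached(tx_bytes, approvals):
    """Count distinct known managers whose tag verifies for this transaction."""
    valid = set()
    for manager, tag in approvals:
        if manager not in MANAGER_KEYS:
            continue  # unknown approver: ignored
        if hmac.compare_digest(approval_tag(manager, tx_bytes), tag):
            valid.add(manager)  # a set, so a repeated approval counts once
    return len(valid) >= QUORUM


def demo():
    acl = ColdWalletAccessControl()
    acl.grant(1000, "super_admin_1", "employee_a", {"transaction"})
    acl.perform(1001, "employee_a", "transaction")
    try:
        acl.perform(1002, "employee_a", "address_management")
    except PermissionDenied:
        pass  # the denied attempt is still written to the log
    tx = b'{"to": "constructed-address", "amount": "1.5"}'
    approvals = [(m, approval_tag(m, tx)) for m in ("manager_1", "manager_2")]
    two = quorum_reached(tx, approvals)
    repeated = quorum_reached(tx, approvals + [approvals[0]])
    approvals.append(("manager_4", approval_tag("manager_4", tx)))
    three = quorum_reached(tx, approvals)
    return acl, two, repeated, three


if __name__ == "__main__":
    acl, two, repeated, three = demo()
    print(two, repeated, three, acl.log_is_intact())
```

In a deployment each manager would hold an asymmetric signing key, so the verifier never holds approval secrets; the counting and binding logic stays the same.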
- a cold wallet process 300 of system 100 is illustrated.
- The process 300 may start in response to receiving an access request comprising a login information from a first super admin at a cold wallet application 1400 (step 302).
- The system may create a user account for a user in the cold wallet application in response to receiving a user creation request 1402 from the first super admin 1410 account (step 304).
- The cold wallet application 1400 may return an account creation success message 1404 to the first super admin 1410.
- The system may set one or more permissions for the user account in response to receiving a permissions setting 1406 from the first super admin 1410 (step 306).
- the permissions include enabling a request to create a wallet.
- the permissions may include assignments of address management.
- Employee A (as an operation role/user) may be assigned the responsibility of trading and Employee B may be assigned permissions for address management.
- the admin could assign a temporary permission to Employee A for address management until a permanent replacement for Employee B is found. Then, the temporary permission of Employee A for address management would be revoked.
- the cold wallet application 1400 may return a permission setting success message 1408 to the first super admin 1410.
- the cold wallet application may check the user's permission list after login, and may present only those functions that the user has received permission to use. Thus, the user can only see the operation interface and buttons according to the assigned permissions, and those not assigned are not presented to the user.
- the process 300 may continue in response to receiving an access request comprising login information from the user at the cold wallet application (step 308).
- the system may generate a wallet of the cold wallet application in response to receiving a request to create a wallet 1002 from the user 1000 (step 310).
- the system may start a wallet generation process 1004.
- the cold wallet application 1400 may send a key generation request message 1006 to a security proxy 1008.
- the security proxy 1008 may pass a forwarding message 1010 to a hardware security module 1012.
- the hardware security module may generate a wallet keyname 1014.
- the hardware security module may return the wallet keyname 1014 to the security proxy 1008.
- the security proxy 1008 may forward the wallet keyname via a forward message 1016 to the cold wallet application 1400.
- the cold wallet application may return a wallet creation success message 1018 to the user 1000.
- process 300 may continue by generating a cold wallet cryptocurrency address of the cold wallet application (step 312).
- Cold wallet application 1400 may receive a create address request 1020 from the user 1000 and start an address generation process 1030. In response, the cold wallet application 1400 may pass a generate address message 1022 to the security proxy 1008.
- the security proxy 1008 may pass a forwarding message 1024 to the hardware security module 1012.
- the hardware security module 1012 may generate an address keyname 1026.
- the hardware security module 1012 may return the address keyname 1026 to the security proxy 1008.
- the security proxy 1008 may forward the address keyname 1026 via a forward message 1028 to the cold wallet application 1400.
- the cold wallet application may return an address creation success message 1032 to the user 1000.
- the system may import a hot wallet cryptocurrency address to the cold wallet application (step 314).
- the super admin 1400 may send a hot wallet cryptocurrency address 1412 to the cold wallet application 1400.
- the cold wallet application 1400 may return an import success message 1414.
- the system may import transaction data of the exchange platform to the cold wallet application 1400 (step 316).
- the system may obtain transaction data from exchange system module 108 via the trading account service 154.
- steps 314 and 316 may include optical communication process 800.
- the system may generate a QR code 804 such as a first QR code 1104 comprising the hot wallet cryptocurrency address of the hot wallet 802 and the transaction data of the exchange system.
- the first QR code 1104 may be generated by compressing the data via a zstd algorithm (step 806).
- the system may receive the hot wallet cryptocurrency address and the transaction data of the exchange system module at the cold wallet application 1400 in response to optical recognition of the first QR code 1104.
- the cold wallet application may be native to a mobile device 1102 of the system which may recognize the displayed QR code via a camera of the mobile device and, in response, may decompress the first QR code 1104 via the zstd algorithm (step 808).
- the system may apply a binary message exchange protocol (e.g., protobuf) for message encoding.
- the zstd algorithm may be used to compress the binary data again.
- the system may employ a low binary loss encoding algorithm (e.g., base64) for transcoding.
- the optical communication process tends to ensure complete physical separation of any hot wallet of the exchange system module and any cold wallets of the asset custody module.
- the user 1000 may login to the cold wallet application 1400 (step 318).
- the cold wallet application 1400 may be a micro-app as discussed below.
- the user 1000 may login via a mobile device (e.g., mobile device 1102) and may sign a transaction (signature request 1106) of the imported transaction data via the cold wallet application to generate a signed transaction.
- the signature request 1106 may be provided to the security proxy which may forward the request to the hardware security module and/or a keystore 1108.
- the cold wallet application may generate a second QR code 1110 comprising the signed transaction.
- the cold wallet application may display the second QR code 1110.
- the cold wallet application may be native to a mobile device (e.g., mobile device 1102) of the system and may display the second QR code 1110 via a display screen of mobile device.
- the system may scan the QR code via the cold wallet application 1400 (step 320).
- the system may receive the signed transaction at the exchange system module in response to optical recognition of the second QR code.
- the system may send the transaction to the blockchain 1112 (step 322).
- each of platform A 1114 and platform B 1116 may receive the signed transaction from the mobile device 1102. Each of platform A 1114 and platform B 1116 needs to accept the signed transaction thereby tending to improve transaction security and fidelity.
- the system may provide a transaction confirmation to the mobile device.
- the system may send the transaction to the blockchain 1112.
- the cold wallet application 1400 may be configured to communicate with platform B 1116 to authenticate the transaction only in response to receiving a transaction request from platform A 1114. In this regard, the system may tend to inhibit forged transactions in the event platform A 1114 is compromised. An attacker must compromise both platform A 1114 and platform B 1116 at the same time to forge a transaction.
- platform A 1114 and platform B 1116 may be deployed in different networks, tending thereby to reduce the possibility of simultaneous attack.
- the transaction may be signed and encrypted in the transmission process, which tends to ensure that the transaction message cannot be intercepted or altered during the process.
- the asset custody module includes a wallet system 400.
- System 400 may include temporary wallets 402, 418, 434 and cold wallets 410, 426, 442.
- a plurality of temporary wallets 402, 418, 434 may be associated with a plurality of cold wallets 410, 426, 442.
- the wallet system 400 may include a temporary wallet 402 associated with a cold wallet 410.
- Client A may own at least one wallet address. For example, Client A is associated with Address A 404, and Address B 406 of the temporary wallet 402.
- Address A 404 may be associated with a cryptocurrency, such as Bitcoin.
- Address B 406 may be associated with a cryptocurrency, such as Ethereum.
- the temporary wallet 402 may have a plurality of digital assets stored at locations accessible to the temporary wallet 402.
- the wallet system 400 may contain a temporary wallet 418 associated with a cold wallet 426.
- the exchange platform system 100 may, via wallet system 400, support three types of cold wallets, namely Hardware Security Module (HSM)-Hierarchical Deterministic (HD) wallets, HSM-random wallets, and software wallets.
- Key management and signatures of the software wallets may be based on a software keystore, while HSM-HD wallets and HSM-random wallets may be based on HSM.
- all addresses under HSM-HD wallet are derived from one seed; however, all addresses of HSM-random wallet are randomly generated without seeds.
- Assets in the cold wallet application may only be transferred to the hot address (i.e., the address generated by the hot wallet, which contains the private key and can be connected to the Internet) registered in the cold wallet application.
- the wallet system 400 may ensure that the transfer destination of the assets is controllable.
- Such hot addresses are listed in a whitelist of the cold wallet.
- Process 900 includes a multi-component key generation process 902 and a key recovery process 904.
- a plurality of users 906 may each enter an independent key component associated on a one to one basis with each of the plurality of users.
- the system may receive five key components 908 at the cold wallet application 1400.
- the cold wallet application 1400 may start process 902 and pass a key generation request 910 to the security proxy 1008.
- Security proxy 1008 may pass a forward message 912 to the keystore 1108.
- the keystore 1108 returns a keyname 914 to the security proxy 1008.
- security proxy 1008 passes a forward message 916 including the keyname to the cold wallet application 1400.
- the cold wallet application 1400 returns a create success message 918 to the users 906.
- an encryption process 1200 of system 100 is illustrated in accordance with various embodiments. Keys generated by wallet system 400 may be protected via process 1200.
- Process 1200 may be described by the following pseudocode:
- the system may add salt values 1202 to the keys 1204 and then hash them via a hashing algorithm 1206 to generate a corresponding hash 1208.
- the purpose of the hash is to turn passwords of different lengths entered by the users into AES keys of the same length.
- the purpose of adding salt values is to make the key deviate from its original value, to prevent the person who entered the key from using the vulnerability of XOR to control the result of the final merged key. The system XORs every two keys among the three keys to generate three final keys 1210 for encrypting data 1212 (the same as the number of keys used for decryption).
- the system may apply an encryption algorithm 1214 to encrypt the seeds with the three merged keys to obtain the final ciphertext of the seeds.
- the hash of the seed may be calculated by the system to ensure the integrity of the seed, that is, the hash calculated from the decrypted data must be consistent with this hash to prove that the seed has been decrypted normally.
- Process 1300 may be used to recover the keys and corresponding key seeds of the wallet system 400.
- Process 1300 may be described by the following pseudocode:
- the system may add salt values 1302 to two keys 1304 and hash them via hashing algorithm 1306 to generate hashes 1308.
- the hashes 1308 may be combined in order to recover one of the final keys 1310 used in encryption of process 1200.
- the system may use the recovered keys 1310 to decrypt the encrypted data (such as, for example, key seeds) one by one in order to parse out a match (e.g., a key seed matching the reconstructed final key).
- the process may generate decryption errors 1312 where there is no match.
- the system may calculate whether the hash of the seed is consistent with the previously saved hash. Where they are consistent, the system may determine decryption is successful, and that the two keys are correct.
- the system may enable an M-of-N protection mechanism. Each of N people inputs a part of the key. The system may then discretize the N key components (e.g., via SHA256), and then combine the key components of each of the N parts to obtain a total of X different keys. In various embodiments, the system may then separate the X keys. The system may encrypt the seed (e.g., via AES256) to get X different key seeds and may save the X key seeds. In this regard, for use of the seed the system need only receive M (M ⁇ X, M ⁇ N) keys. For components, the system may combine the M keys into one key and try to decrypt X key seeds. The system may then compare them with the key component of the seeds. Where they are consistent, the system may determine that the input components are correct.
- the key component may be entered when the seed is created and used, and the key may be deleted after use by the system.
- the data layer may only save its security seed and corresponding discrete value.
- the key is entered when the seed is created and used, and then destroyed (the key plaintext will be overwritten). Under this condition, only the ciphertext of the seed and its discrete values are saved. Therefore, the seed can be unlocked only when the physical device, the keys controlled by external personnel (i.e., multiple keys), and the key algorithm are all held at the same time. In this regard, security of the seed is enhanced by the methods and process of system 400.
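The salt, hash, XOR-merge, encrypt and hash-check flow of processes 1200 and 1300, as an added Python example (not code from the patent). It generalizes the two-of-three case to any M of N by wrapping the seed once per M-sized combination, which is an assumption; the SHA-256 counter-mode keystream stands in for AES256 so the block runs on the standard library alone, and all function names, the record layout and the holder indices are hypothetical.

```python
import hashlib
import hmac
import itertools
import os


def derive_part(component: str, salt: bytes) -> bytes:
    """Salt and hash one key component: any input length yields 32 bytes."""
    return hashlib.sha256(salt + component.encode("utf-8")).digest()


def merge(parts) -> bytes:
    """XOR the hashed components into one 32-byte final key."""
    key = bytes(32)
    for part in parts:
        key = bytes(a ^ b for a, b in zip(key, part))
    return key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher, NOT AES: SHA-256 in counter mode XORed with the data."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_seed(seed: bytes, components: list, m: int) -> dict:
    """Wrap the seed once per M-sized subset of the N components."""
    n = len(components)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    salts = [os.urandom(16) for _ in range(n)]        # one salt per holder
    parts = [derive_part(c, s) for c, s in zip(components, salts)]
    wrapped = []
    for combo in itertools.combinations(range(n), m):
        nonce = os.urandom(16)
        key = merge(parts[i] for i in combo)
        wrapped.append((nonce, keystream_xor(key, nonce, seed)))
    # Only salts, ciphertexts and the seed hash are stored; the components
    # and merged keys are never written to the record.
    return {"m": m, "salts": salts, "wrapped": wrapped,
            "seed_hash": hashlib.sha256(seed).digest()}


def recover_seed(record: dict, supplied: dict) -> bytes:
    """supplied maps holder index -> component; exactly M entries are needed."""
    if len(supplied) != record["m"]:
        raise ValueError("wrong number of key components")
    if any(not 0 <= i < len(record["salts"]) for i in supplied):
        raise ValueError("unknown holder index")
    key = merge(derive_part(c, record["salts"][i]) for i, c in supplied.items())
    # Try every stored ciphertext; the saved hash decides which one matched.
    for nonce, ciphertext in record["wrapped"]:
        candidate = keystream_xor(key, nonce, ciphertext)
        digest = hashlib.sha256(candidate).digest()
        if hmac.compare_digest(digest, record["seed_hash"]):
            return candidate
    raise ValueError("decryption error: no stored key seed matches")


if __name__ == "__main__":
    seed = os.urandom(32)                              # constructed sample seed
    holders = ["alpha component", "bravo", "charlie-longer-passphrase"]
    record = protect_seed(seed, holders, m=2)
    print(len(record["wrapped"]), "wrapped copies")
    print(recover_seed(record, {0: holders[0], 2: holders[2]}) == seed)
```

Because the stored hash is the only check that decryption succeeded, the comparison uses `hmac.compare_digest`, and a wrong component surfaces as the "no match" error rather than as a corrupted seed.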
- a number of key seeds (e.g., 10) protected by N key components (e.g. 10) in the KeyStore will be backed up.
- the completeness/integrity of the ten key seeds may be verified through checking any three of the ten key components.
- the system may record the backed up data to at least three non-rewritable ROMs and store the ROMs in three different locations.
- physical security of the backed up data is enhanced. For example, once one or two of the ROMs are destroyed by natural disasters, the remaining copy or copies of the ROM(s) may still work and the stored data (key seeds) of the ROM(s) could be obtained to back up and recover the keys. If the current wallet is damaged (e.g., data is manually deleted and not recoverable, the hard drive for storing data is damaged, and other situations in which data is not recoverable), it may be restored through the backup seed combined with the cold wallet application.
- wallet system 400 may maintain information such as, for example, audit logs which may be stored in local data files of the wallet (for example, the cold wallet application).
- the cold wallet application may be able to access the data files only when it is running.
- users of the Cold Wallet Application are inhibited from altering or destroying the data file. For example, a user who has performed an improper operation may want to delete the audit log and destroy the record of the improper operation.
- the system may enable enhanced data quality and security by allowing only a root user to set permissions for data files to be ‘accessible during runtime’.
- the system may receive an access request from each of a first super admin, a second super admin, and a third super admin at the cold wallet application.
- the system may assign a root user in response to receiving each of the access requests from the super users. Having assigned the root user, the system may enable an accessible during runtime status of the data file in response to a request from the root user.
- the cold wallet application may receive three key components 920 at the cold wallet application 1400.
- the cold wallet application may start process 904 and pass a generate address request message 922 to the security proxy 1008.
- security proxy 1008 may send forward message 924 to keystore 1008.
- the key store 1008 may unlock the key (e.g., generated by process 902) and provide a return address 926 to the security proxy 1008.
- security proxy 1008 may send a forward message 928 comprising the return address to the cold wallet application 1400.
- the cold wallet application 1400 may return a create success message 930 to the users 906.
- the logical processing functions may be centralized in the cold wallet application, while sensitive information is stored in the HSM or keystore.
- the HSM and the keystore may be both physically and logically separated.
- a review of the digital asset may be performed to transfer the digital asset from a temporary wallet 402, 418, 434 to the associated cold wallet 410, 426, 442.
- the review of the digital asset may be an Anti-Money Laundering review (AML).
- if the digital asset passes the review the digital asset may be transferred to a cold wallet (See FIGs 5 and 6).
- the cold wallet 410, 426, 442 may be a client wallet.
- the cold wallet 410, 426, 442 may be an offline wallet.
- the cold wallet 410, 426, 442 may be connected to a network or the internet.
- a benefit of using a temporary wallet may be to separate the client’s assets to be transferred and reviewed from the other assets.
- the temporary wallet may be used for anti-money laundering review or audit when the client deposits new funds.
- the temporary wallet may be arranged in the asset custody module 104 as an online or hot wallet.
- the exchange platform system may verify the digital asset by checking the hash (or other features related to the source of the funds) to determine that it meets certain standards. For example, the system may check the addresses of the incoming funds against a whitelist of addresses. In another example, the system may mark or report source features such as large inflows or outflows of assets from a client account. In another example, the system may check behavioral features such as an increase in the number of withdrawals from a previously low activity account. For example, the system may calculate an average rate variance for an account over a selectable time horizon (e.g., transactions per minute per week) and may generate an alert where the rate variance exceeds a rate variance threshold value. The exchange platform system may store the hash of digital asset associated with the temporary wallet.
- the exchange platform may then submit the hash to a third-party administration agency (e.g., risk management system 182).
- the third party administration agency may be a secondary review system.
- the third-party administration agency may run AML review using the hash of the wallet.
- the third-party administration agency may return a YES or NO result to the exchange platform based on the AML review.
- the third-party administration agency may use the hash as a key.
- the hash may enable the third-party review system to review AML required information, such as transactional records without having to receive the associated private keys. If the review result is YES, the system tags the digital asset as passed AML review, and enables transfer to the cold wallet. If the review result is NO, it fails AML review, and the digital asset does not transfer to the cold wallet. If the asset meets the AML requirement, the asset may be transferred to a wallet address of the system.
- the temporary wallet is associated with a user, and a cold wallet is associated with a user.
- the temporary wallet may comprise many addresses where data can be stored.
- a digital asset may be stored at an address in the temporary wallet.
- the digital asset is stored at an address using an identifier or key that is used to assess the digital asset.
- the digital asset may be a cryptocurrency.
- a deposit process 500 of the exchange platform system 100 is illustrated.
- steps marked in the ‘exchange’ lane may be performed by the exchange system module 108 and steps marked in the ‘asset custody system lane’ may be performed by asset custody module 104.
- the exchange system module 108 and asset custody module 104 are separate servers connected to the exchange system platform 100 via a network.
- a client may start process 500 by initiating a deposit (step 502).
- the system may receive the digital asset or data related to the digital asset.
- the system may complete a KYC process (step 504) (i.e., know your client/customer, a form of system-client authentication).
- the system may deposit the cryptocurrency or digital asset to the temporary wallet allocated by the exchange for the client.
- the asset custody system may detect the transfer of digital assets (step 506) and subsequently notify the exchange of the transfer (step 508).
- the system conducts an Anti-Money Laundering (AML) review process on the digital asset in the temporary wallet (step 510).
- the system will determine whether the digital asset passes the review (step 512). If the digital asset does not pass the AML review, the system may freeze the assets and accounts under the client’s name and notify the operation specialist to deal with it (step 514). If the digital asset does pass the AML review, then the review of the digital asset may also comprise determining whether the incoming fund is accepted by the system (step 516). The acceptance by the system may be based on whether the assets are supported by the exchange system module 108.
- the assets may not be included in the account and the system may notify the operations specialist to deal with it (step 518). If the assets are supported by the exchange system module 108, the digital asset may then pass to an additional review process. The system may determine whether the amount of incoming digital assets is less than the minimum deposit amount required (step 520). If the amount of incoming digital assets is less than a minimum deposit amount, the digital assets may not be included in the account and the system may notify the operations specialist to address the issue (step 522).
- the system may notify the asset custody system to transfer the assets to a corresponding cold wallet (step 524).
- the system may then transfer the digital assets to the cold wallet pre-configured for the client (step 526).
- the system may display that the client’s assets have increased correspondingly (step 528), the system may then send a notification message to the client regarding the increase (step 530), and the client may receive the notification of the increase (step 532).
- the corresponding account and digital assets may be frozen by the system so that they temporarily stay at the buffer address and may not be collected or merged to a permanent wallet address of the asset custody module such as, for example, a cold wallet address.
- a notification may be triggered by the system and forwarded to a regulatory agency such as, for example, the Securities and Financial Commission (SFC) or other government agencies functioning similarly to the SFC in response to a digital asset not passing review.
- a transaction process 600 may be performed by an independent wallet of the system 100.
- Process 600 may be started where a buyer conducts an entrusted transaction at the exchange system module 108 (step 602) and/or a seller conducts an entrusted transaction at the exchange system module 108 (step 604).
- the buyer and seller may both engage in a transaction, and entrust the exchange system module 108 to perform the transaction.
- the system may check whether both parties have sufficient underlying assets to cover the transaction value and the transaction fees. If there are insufficient underlying assets and fees the exchange system module 108 may freeze the buyer’s corresponding underlying assets and transaction fees of the transaction (step 606).
- the exchange system module 108 may freeze the corresponding target assets and transaction fees of the transaction (step 608). Where both the buyer and seller have sufficient assets to cover the transaction and the transaction fees, the exchange system module 108 may perform a transaction matchmaking process (step 610). In response, the exchange system module 108 may generate an order ID associated with the desired transaction (step 611).
- the exchange system module 108 may conduct a transaction clearing process whereby, after the clearing, the asset may be kept in a frozen state until the settlement is completed (step 612).
- Exchange system module 108 may notify the asset custody module 104 of the settlement completion (step 614).
- the asset custody module 104 may then transfer the underlying assets from the buyer’s wallet to the seller’s wallet (step 616) and/or transfer the target assets from the seller’s wallet to the buyer’s wallet (step 618).
- the system may transfer the underlying assets from the buyer's wallet address to the seller's address and transfer the target assets from the seller's wallet to the buyer's wallet, simultaneously, or in an order, or step-by-step.
- the asset custody module 104 may then notify the exchange system module 108 of the settlement success, the corresponding results, and the on-chain transaction hash (step 620).
- the exchange system module 108 then may bind the on-chain transaction hash to the order ID associated with the transaction (step 622).
- the exchange system module 108 may update the asset accounts, transaction fee accounts, and miner fee accounts of the clients (step 624).
- the exchange system module 108 may then notify the clients that the transaction is complete (step 626).
- a withdrawal process 700 of system 100 is illustrated.
- the withdrawal process 700 includes a plurality of withdrawal steps; the steps of the withdrawal process 700 may be conducted in any order.
- the client may initiate a withdrawal via the web client interface 112 (step 702).
- the client might also select a withdrawal address from a saved withdrawal address whitelist.
- the client may enter a cryptocurrency type and amount (step 704) and choose a withdrawal address from the whitelist (step 706).
- the client may add an address for withdrawal. Specifically, if it is the first time for a client to initiate a withdrawal, the client may input the withdrawal address manually. The client may then confirm the withdrawal (step 708).
- the exchange system module 108 may then conduct a review process.
- the review process may include determining, by the exchange system module 108, whether the market is closed (step 710).
- the review process may include determining, by the exchange system module 104, whether the client account is frozen (step 714).
- the review process may include determining, by the exchange system module 104, whether withdrawals are disabled (step 718). If the market is closed, the exchange system module 108 will notify the client (via the web client interface 112) that the market is closed (step 712). If the account is frozen, the exchange system module 108 may notify the client (via the web client interface 112) that the account is frozen (step 716).
- the exchange system module 108 may notify the client via the web client interface 112 that withdrawals are disabled (step 720).
- the exchange system module 108 may determine if a password free period is used (step 722). If a password free period is not used the exchange system module 108 may be configured to wait for entry of the withdrawal password (step 724).
- the exchange system module 108 may further determine if the type of currency is restricted to be withdrawn (step 728). If so, the exchange system module 108 may notify the client this type of currency is restricted (step 726).
- the exchange system module 108 may then determine if there are sufficient assets to enable the withdrawal (step 730). If the assets are not sufficient, the system may notify the client of insufficient assets (step 732). The exchange system module 108 may determine if the assets exceed a daily withdrawal maximum (e.g., an asset outflow threshold) (step 733). If the assets exceed a daily withdrawal maximum then the exchange system module 108 will notify the client that he/she exceeds the daily withdrawal maximum (step 734). The exchange may determine if the digital asset exceeds the face ID-free limit for daily use or single use withdrawal (step 736). If so, the system proceeds to perform facial authentication (step 738).
- the system may then freeze the relevant assets in the account pending withdrawal (step 740).
- the system may also be configured to conduct an AML review process on the pending withdrawal (step 742). If the withdrawal does not pass the AML review 742, the system will unfreeze the corresponding assets in real time (step 744), update the status to withdraw failed (step 748) and notify the client that withdrawal failed (step 750). If the withdrawal passes AML Review, exchange system module 108 may notify the asset custody module 104 to transfer the assets (step 746).
- the address may be added to the system’s withdrawal whitelist which may be maintained by the asset custody module 104.
- the asset custody module 104 may notify the operations specialist to initiate withdrawal in the cold wallet (step 760).
- the ops specialist may perform the optical communications process described above herein to conduct a manual withdrawal from the cold wallet (step 758).
- the asset custody module 104 may notify the result to the exchange system module 108 (step 756).
- the exchange system module 108 may then deduct the amount frozen in assets (step 754), and notify the client of the transaction result (step 752).
- the terms “comprises,” “comprising,” or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
- Terms and phrases similar to “associate” and/or “associating” may include tagging, flagging, correlating, using a look-up table or any other method or system for indicating or creating a relationship between elements, such as, for example, (i) a transaction account and (ii) an item (e.g., offer, reward, discount) and/or digital channel.
- the associating may occur at any point, in response to any suitable action, event, or period of time.
- the associating may occur at pre-determined intervals, periodically, randomly, once, more than once, or in response to a suitable request or action. Any of the information may be distributed and/or accessed via a software enabled link, wherein the link may be sent via an email, text, post, social network input, and/or any other method known in the art.
- non-transitory is to be understood to remove only propagating transitory signals per se from the claim scope and does not relinquish rights to all standard computer-readable media that are not only propagating transitory signals per se. Stated another way, the meaning of the term “non-transitory computer-readable medium” and “non-transitory computer-readable storage medium” should be construed to exclude only those types of transitory computer-readable media which were found in In re Nuijten to fall outside the scope of patentable subject matter under 35 U.S.C. § 101.
- components, modules, and/or engines of system 100 may be implemented as micro-applications or micro-apps.
- Micro-apps are typically deployed in the context of a mobile operating system, including for example, a mobile operating system, an operating system, an iOS operating system, a company’s operating system, and the like.
- the micro-app may be configured to leverage the resources of the larger operating system and associated hardware via a set of predetermined rules which govern the operations of various operating systems and hardware resources. For example, where a micro-app desires to communicate with a device or network other than the mobile device or mobile operating system, the micro-app may leverage the communication protocol of the operating system and associated device hardware under the predetermined rules of the mobile operating system.
- where the micro-app desires an input from a user, the micro-app may be configured to request a response from the operating system which monitors various hardware components and then communicates a detected input from the hardware to the micro-app.
- system and method may be described herein in terms of functional block components, screen shots, optional selections, and various processing steps. It should be appreciated that such functional blocks may be realized by any number of hardware and/or software components configured to perform the specified functions.
- the system may employ various integrated circuit components, e.g., memory elements, processing elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices.
- the software elements of the system may be implemented with any programming or scripting language such as C, C++, C#, Object Notation (JSON) , VBScript, Macromedia COLD FUSION, COBOL, company’s Active Server Pages, assembly, PHP, awk, Visual Basic, SQL Stored Procedures, PL/SQL, any shell script, and extensible markup language (XML) with the various algorithms being implemented with any combination of data structures, objects, processes, routines or other programming elements.
- the system may employ any number of conventional techniques for data transmission, signaling, data processing, network control, and the like.
- the system could be used to detect or prevent security issues with a client-side scripting language, such as VBScript, or the like.
- the software elements of the system may also be implemented using a run-time environment configured to execute code outside of a web browser.
- the software elements of the system may also be implemented using components.
- programs may implement several modules to handle various core functionalities.
- a package management module such as may be implemented as an open source library to aid in organizing the installation and management of third-party programs.
- programs may also implement a process manager, such as, for example, Parallel Multithreaded Machine (“PM2”); a resource and performance monitoring tool, such as, for example, Node Application Metrics (“appmetrics”); a library module for building user interfaces, and/or any other suitable and/or desired module.
- Middleware may include any hardware and/or software suitably configured to facilitate communications and/or process transactions between disparate computing systems.
- Middleware components are commercially available and known in the art.
- Middleware may be implemented through commercially available hardware and/or software, through custom hardware and/or software components, or through a combination thereof.
- Middleware may reside in a variety of configurations and may exist as a standalone system or may be a software component residing on the internet server.
- Middleware may be configured to process transactions between the various components of an application server and any number of internal or external systems for any of the purposes disclosed herein.
- MQTM formerly MQSeries
- Inc. Armonk, NY
- An Enterprise Service Bus ( “ESB” ) application is another example of middleware
- the computers discussed herein may provide a suitable website or other internet-based graphical user interface which is accessible by users.
- company Internet Information Services (IIS) , Transaction Server (MTS) service, and an SQL database
- SQL database WINDOWS web server software
- Commerce Server WINDOWS web server software
- components such as software, SQL database, software, software, software, software, software, etc., may be used to provide an Active Data Object (ADO) compliant database management system.
- the web server is used in conjunction with a operating system, a database, and PHP, Ruby, and/or programming languages.
- the methods described herein are implemented using the various particular machines described herein.
- the methods described herein may be implemented using the below particular machines, and those hereinafter developed, in any suitable combination, as would be appreciated immediately by one skilled in the art. Further, as is unambiguous from this disclosure, the methods described herein may result in various transformations of certain articles.
- the system and various components may integrate with one or more smart digital assistant technologies.
- exemplary smart digital assistant technologies may include the system developed by the company, the GOOGLE system developed by Alphabet, Inc., the system of the company, and/or similar digital assistant technologies.
- the system, GOOGLE system, and system may each provide cloud-based voice activation services that can assist with tasks, entertainment, general information, and more. All the devices, such as the AMAZON AMAZON ECHO AMAZON and AMAZON TV, have access to the system.
- the system, GOOGLE system, and system may receive voice commands via its voice activation technology, activate other functions, control smart devices, and/or gather information.
- the smart digital assistant technologies may be used to interact with music, emails, texts, phone calls, question answering, home improvement information, smart home communication/activation, games, shopping, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and providing weather, traffic, and other real time information, such as news.
- the GOOGLE and systems may also allow the user to access information about eligible transaction accounts linked to an online account across all digital assistant-enabled devices.
- a host server or other computing systems including a processor for processing digital data; a memory coupled to the processor for storing digital data; an input digitizer coupled to the processor for inputting digital data; an application program stored in the memory and accessible by the processor for directing processing of digital data by the processor; a display device coupled to the processor and memory for displaying information derived from digital data processed by the processor; and a plurality of databases.
- Various databases used herein may include: client data; merchant data; financial institution data; and/or like data useful in the operation of the system.
- user computer may include an operating system (e.g., etc. ) as well as various conventional support software and drivers typically associated with computers.
- the present system or any part (s) or function (s) thereof may be implemented using hardware, software, or a combination thereof and may be implemented in one or more computer systems or other processing systems.
- the manipulations performed by embodiments may be referred to in terms, such as matching or selecting, which are commonly associated with mental operations performed by a human operator. No such capability of a human operator is necessary, or desirable, in most cases, in any of the operations described herein. Rather, the operations may be machine operations or any of the operations may be conducted or enhanced by artificial intelligence (AI) or machine learning.
- AI may refer generally to the study of agents (e.g., machines, computer-based systems, etc. ) that perceive the world around them, form plans, and make decisions to achieve their goals.
- Foundations of AI include mathematics, logic, philosophy, probability, linguistics, neuroscience, and decision theory. Many fields fall under the umbrella of AI, such as computer vision, robotics, machine learning, and natural language processing. Useful machines for performing the various embodiments include general purpose digital computers or similar devices.
- the embodiments are directed toward one or more computer systems capable of carrying out the functionalities described herein.
- the computer system includes one or more processors.
- the processor is connected to a communication infrastructure (e.g., a communications bus, cross-over bar, network, etc.).
- Various software embodiments are described in terms of this exemplary computer system. After reading this description, it will become apparent to a person skilled in the relevant art (s) how to implement various embodiments using other computer systems and/or architectures.
- the computer system can include a display interface that forwards graphics, text, and other data from the communication infrastructure (or from a frame buffer not shown) for display on a display unit.
- the computer system also includes a main memory, such as random access memory (RAM) , and may also include a secondary memory.
- the secondary memory may include, for example, a hard disk drive, a solid-state drive, and/or a removable storage drive.
- the removable storage drive reads from and/or writes to a removable storage unit in a well-known manner.
- the removable storage unit includes a computer usable storage medium having stored therein computer software and/or data.
- secondary memory may include other similar devices for allowing computer programs or other instructions to be loaded into a computer system.
- Such devices may include, for example, a removable storage unit and an interface. Examples of such may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an erasable programmable read only memory (EPROM), programmable read only memory (PROM)) and associated socket, or other removable storage units and interfaces, which allow software and data to be transferred from the removable storage unit to a computer system.
- the terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as removable storage drive and a hard disk installed in hard disk drive. These computer program products provide software to a computer system.
- the computer system may also include a communications interface.
- a communications interface allows software and data to be transferred between the computer system and external devices. Examples of such a communications interface may include a modem, a network interface (such as an Ethernet card), a communications port, etc.
- Software and data transferred via the communications interface are in the form of signals which may be electronic, electromagnetic, optical, or other signals capable of being received by communications interface. These signals are provided to communications interface via a communications path (e.g., channel). This channel carries signals and may be implemented using wire, cable, fiber optics, a telephone line, a cellular link, a radio frequency (RF) link, wireless and other communications channels.
- the server may include application servers (e.g., POSTGRES PLUS ADVANCED etc. ) .
- the server may include web servers (e.g., Apache, IIS, Web Server, SUN System Web Server, Virtual Machine running on or operating systems) .
- a web client includes any device or software which communicates via any network, such as, for example any device or software discussed herein.
- the web client may include internet browsing software installed within a computing unit or system to conduct online transactions and/or communications.
- These computing units or systems may take the form of a computer or set of computers, although other types of computing units or systems may be used, including personal computers, laptops, notebooks, tablets, smart phones, cellular phones, personal digital assistants, servers, pooled servers, mainframe computers, distributed computing clusters, kiosks, terminals, point of sale (POS) devices or terminals, televisions, or any other device capable of receiving data over a network.
- the web client may include an operating system (e.g., WINDOWS operating systems, operating system, operating systems, operating systems, etc. ) as well as various conventional support software and drivers typically associated with computers.
- the web-client may also run INTERNET software, software, GOOGLE CHROME TM software, software, or any other of the myriad software packages available for browsing the internet.
- the web client may or may not be in direct contact with the server (e.g., application server, web server, etc., as discussed herein) .
- the web client may access the services of the server through another server and/or hardware component, which may have a direct or indirect connection to an internet server.
- the web client may communicate with the server via a load balancer.
- web client access is through a network or the internet through a commercially-available web-browser software package.
- the web client may be in a home or business environment with access to the network or the internet.
- the web client may implement security protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
- a web client may implement several application layer protocols including HTTP, HTTPS, FTP, and SFTP.
- the various system components may be independently, separately, or collectively suitably coupled to the network via data links which include, for example, a connection to an Internet Service Provider (ISP) over the local loop as is typically used in connection with standard modem communication, cable modem, DISH ISDN, Digital Subscriber Line (DSL), or various wireless communication methods.
- the network may be implemented as other types of networks, such as an interactive television (ITV) network.
- the system contemplates the use, sale, or distribution of any goods, services, or information over any network having similar functionality described herein.
- the system contemplates uses in association with web services, utility computing, pervasive and individualized computing, security and identity solutions, autonomic computing, cloud computing, commodity computing, mobility and wireless solutions, open source, biometrics, grid computing, and/or mesh computing.
- web page as it is used herein is not meant to limit the type of documents and applications that might be used to interact with the user.
- a typical website might include, in addition to standard HTML documents, various forms, applets, programs, active server pages (ASP), common gateway interface scripts (CGI), extensible markup language (XML), dynamic HTML, cascading style sheets (CSS), AJAX (Asynchronous JAVASCRIPT And XML) programs, helper applications, plug-ins, and the like.
- a server may include a web service that receives a request from a web server, the request including a URL and an IP address (192.168.1.1) .
- the web server retrieves the appropriate web pages and sends the data or applications for the web pages to the IP address.
- Web services are applications that are capable of interacting with other applications over a communications means, such as the internet. Web services are typically based on standards or protocols such as XML, SOAP, AJAX, WSDL and UDDI. Web services methods are well known in the art, and are covered in many standard texts. For example, representational state transfer (REST) , or RESTful, web services may provide one way of enabling interoperability between applications.
- the computing unit of the web client may be further equipped with an internet browser connected to the internet or an intranet using standard dial-up, cable, DSL, or any other internet protocol known in the art. Transactions originating at a web client may pass through a firewall in order to prevent unauthorized access from users of other networks. Further, additional firewalls may be deployed between the varying components of CMS to further enhance security.
- Encryption may be performed by way of any of the techniques now available in the art or which may become available, e.g., Twofish, RSA, El Gamal, Schnorr signature, DSA, PGP, PKI, GPG (GnuPG), HPE Format-Preserving Encryption (FPE), Voltage, Triple DES, Blowfish, AES, MD5, HMAC, IDEA, RC6, and symmetric and asymmetric cryptosystems.
- the systems and methods may also incorporate SHA series cryptographic methods, elliptic curve cryptography (e.g., ECC, ECDH, ECDSA, etc.), and/or other post-quantum cryptography algorithms under development.
- the firewall may include any hardware and/or software suitably configured to protect CMS components and/or enterprise computing resources from users of other networks. Further, a firewall may be configured to limit or restrict access to various systems and components behind the firewall for web clients connecting through a web server. Firewall may reside in varying configurations including Stateful Inspection, Proxy based, access control lists, and Packet Filtering among others. Firewall may be integrated within a web server or any other CMS components or may further reside as a separate entity. A firewall may implement network address translation (“NAT”) and/or network address port translation (“NAPT”). A firewall may accommodate various tunneling protocols to facilitate secure communications, such as those used in virtual private networking.
- a firewall may implement a demilitarized zone (“DMZ”) to facilitate communications with a public network such as the internet.
- a firewall may be integrated as software within an internet server or any other application server components, reside within another computing device, or take the form of a standalone hardware component.
- Any databases discussed herein may include relational, hierarchical, graphical, blockchain, object-oriented structure, and/or any other database configurations.
- Any database may also include a flat file structure wherein data may be stored in a single file in the form of rows and columns, with no structure for indexing and no structural relationships between records.
- a flat file structure may include a delimited text file, a CSV (comma-separated values) file, and/or any other suitable flat file structure.
- Common database products that may be used to implement the databases include by (Armonk, NY) , various database products available from Corporation (Redwood Shores, CA) , MICROSOFT or MICROSOFT SQL by Corporation (Redmond, Washington) , by MySQL AB (Uppsala, Sweden) , Redis, APACHE by MapR-DB by the corporation, or any other suitable database product.
- any database may be organized in any suitable manner, for example, as data tables or lookup tables. Each record may be a single file, a series of files, a linked series of data fields, or any other data structure.
- big data may refer to partially or fully structured, semi-structured, or unstructured data sets including millions of rows and hundreds of thousands of columns.
- a big data set may be compiled, for example, from a history of purchase transactions over time, from web registrations, from social media, from records of charge (ROC) , from summaries of charges (SOC) , from internal data, or from other suitable sources. Big data sets may be compiled without descriptive metadata such as column types, counts, percentiles, or other interpretive-aid data points.
- Association of certain data may be accomplished through any desired data association technique such as those known or practiced in the art.
- the association may be accomplished either manually or automatically.
- Automatic association techniques may include, for example, a database search, a database merge, GREP, AGREP, SQL, using a key field in the tables to speed searches, sequential searches through all the tables and files, sorting records in the file according to a known order to simplify lookup, and/or the like.
- the association step may be accomplished by a database merge function, for example, using a “key field” in pre-selected databases or data sectors.
- Various database tuning steps are contemplated to optimize database performance. For example, frequently used files such as indexes may be placed on separate file systems to reduce In/Out (“I/O”) bottlenecks.
- a “key field” partitions the database according to the high-level class of objects defined by the key field. For example, certain types of data may be designated as a key field in a plurality of related data tables and the data tables may then be linked on the basis of the type of data in the key field.
- the data corresponding to the key field in each of the linked data tables is preferably the same or of the same type.
- data tables having similar, though not identical, data in the key fields may also be linked by using AGREP, for example.
- any suitable data storage technique may be utilized to store data without a standard format.
- Data sets may be stored using any suitable technique, including, for example, storing individual files using an ISO/IEC 7816-4 file structure; implementing a domain whereby a dedicated file is selected that exposes one or more elementary files containing one or more data sets; using data sets stored in individual files using a hierarchical filing system; data sets stored as records in a single file (including compression, SQL accessible, hashed via one or more keys, numeric, alphabetical by first tuple, etc.); data stored as Binary Large Object (BLOB); data stored as ungrouped data elements encoded using ISO/IEC 7816-6 data elements; data stored as ungrouped data elements encoded using ISO/IEC Abstract Syntax Notation (ASN.1) as in ISO/IEC 8824 and 8825; other proprietary techniques that may include fractal compression methods, image compression methods, etc.
- the ability to store a wide variety of information in different formats is facilitated by storing the information as a BLOB.
- any binary information can be stored in a storage space associated with a data set.
- the binary information may be stored in association with the system or external to but affiliated with the system.
- the BLOB method may store data sets as ungrouped data elements formatted as a block of binary via a fixed memory offset using either fixed storage allocation, circular queue techniques, or best practices with respect to memory management (e.g., paged memory, least recently used, etc.).
- the ability to store various data sets that have different formats facilitates the storage of data, in the database or associated with the system, by multiple and unrelated owners of the data sets.
- a first data set which may be stored may be provided by a first party
- a second data set which may be stored may be provided by an unrelated second party
- a third data set which may be stored may be provided by a third party unrelated to the first and second party.
- Each of these three exemplary data sets may contain different information that is stored using different data storage formats and/or techniques. Further, each data set may contain subsets of data that also may be distinct from other subsets.
- the data can be stored without regard to a common format.
- the data set e.g., BLOB
- the annotation may comprise a short header, trailer, or other appropriate indicator related to each data set that is configured to convey information useful in managing the various data sets.
- the annotation may be called a “condition header,” “header,” “trailer,” or “status,” herein, and may comprise an indication of the status of the data set or may include an identifier correlated to a specific issuer or owner of the data.
- the first three bytes of each data set BLOB may be configured or configurable to indicate the status of that particular data set; e.g., LOADED, INITIALIZED, READY, BLOCKED, REMOVABLE, or DELETED. Subsequent bytes of data may be used to indicate, for example, the identity of the issuer, user, transaction/membership account identifier or the like. Each of these condition annotations is further discussed herein.
- the data set annotation may also be used for other types of status information as well as various other purposes.
- the data set annotation may include security information establishing access levels.
- the access levels may, for example, be configured to permit only certain individuals, levels of employees, companies, or other entities to access data sets, or to permit access to specific data sets based on the transaction, merchant, issuer, user, or the like.
- the security information may restrict/permit only certain actions, such as accessing, modifying, and/or deleting data sets.
- the data set annotation indicates that only the data set owner or the user are permitted to delete a data set, various identified users may be permitted to access the data set for reading, and others are altogether excluded from accessing the data set.
- other access restriction parameters may also be used allowing various entities to access a data set with various permission levels as appropriate.
- the data may be received by a standalone interaction device configured to add, delete, modify, or augment the data in accordance with the header or trailer.
- the header or trailer is not stored on the transaction device along with the associated issuer-owned data, but instead the appropriate action may be taken by providing to the user, at the standalone device, the appropriate option for the action to be taken.
- the system may contemplate a data storage arrangement wherein the header or trailer, or header or trailer history, of the data is stored on the system, device or transaction instrument in relation to the appropriate data.
- any databases, systems, devices, servers, or other components of the system may consist of any combination thereof at a single location or at multiple locations, wherein each database or system includes any of various suitable security features, such as firewalls, access codes, encryption, decryption, compression, decompression, and/or the like.
- Data may be represented as standard text or within a fixed list, scrollable list, drop-down list, editable text field, fixed text field, pop-up window, and the like.
- methods for modifying data in a web page such as, for example, free text entry using a keyboard, selection of menu items, check boxes, option boxes, and the like.
- the data may be big data that is processed by a distributed computing cluster.
- the distributed computing cluster may be, for example, a software cluster configured to process and store big data sets with some of the nodes comprising a distributed storage system and some of the nodes comprising a distributed processing system.
- distributed computing cluster may be configured to support a software distributed file system (HDFS) as specified by the Apache Software Foundation at www.hadoop.apache.org/docs.
- Any database discussed herein may comprise a distributed ledger maintained by a plurality of computing devices (e.g., nodes) over a peer-to-peer network. Each computing device maintains a copy and/or partial copy of the distributed ledger and communicates with one or more other computing devices in the network to validate and write data to the distributed ledger.
- the distributed ledger may use features and functionality of blockchain technology, including, for example, consensus-based validation, immutability, and cryptographically chained blocks of data.
- the blockchain may comprise a ledger of interconnected blocks containing data.
- the blockchain may provide enhanced security because each block may hold individual transactions and the results of any blockchain executables. Each block may link to the previous block and may include a timestamp.
- Blocks may be linked because each block may include the hash of the prior block in the blockchain.
- the linked blocks form a chain, with only one successor block allowed to link to one other predecessor block for a single chain. Forks may be possible where divergent chains are established from a previously uniform blockchain, though typically only one of the divergent chains will be maintained as the consensus chain.
- the blockchain may implement smart contracts that enforce data workflows in a decentralized manner.
- the system may also include applications deployed on user devices such as, for example, computers, tablets, smartphones, Internet of Things devices (“IoT” devices), etc.
- the applications may communicate with the blockchain (e.g., directly or via a blockchain node) to transmit and retrieve data.
- a governing organization or consortium may control access to data stored on the blockchain. Registration with the managing organization(s) may enable participation in the blockchain network.
- Data transfers performed through the blockchain-based system may propagate to the connected peers within the blockchain network within a duration that may be determined by the block creation time of the specific blockchain technology implemented. For example, on an based network, a new data entry may become available within about 13-20 seconds as of the writing. On a Fabric 1.0 based platform, the duration is driven by the specific consensus algorithm that is chosen, and may be performed within seconds. In that respect, propagation times in the system may be improved compared to existing systems, and implementation costs and time to market may also be drastically reduced. The system also offers increased security at least partially due to the immutable nature of data that is stored in the blockchain, reducing the probability of tampering with various data inputs and outputs.
- the system may also offer increased security of data by performing cryptographic processes on the data prior to storing the data on the blockchain. Therefore, by transmitting, storing, and accessing data using the system described herein, the security of the data is improved, which decreases the risk of the computer or network being compromised.
- the particular blockchain implementation described herein provides improvements over conventional technology by using a decentralized database and improved processing environments.
- the blockchain implementation improves computer performance by, for example, leveraging decentralized resources (e.g., lower latency) .
- the distributed computational resources improve computer performance by, for example, reducing processing times.
- the distributed computational resources improve computer performance by improving security using, for example, cryptographic protocols.
- the system may also reduce database synchronization errors by providing a common data structure, thus at least partially improving the integrity of stored data.
- the system also offers increased reliability and fault tolerance over traditional databases (e.g., relational databases, distributed databases, etc. ) as each node operates with a full copy of the stored data, thus at least partially reducing downtime due to localized network outages and hardware failures.
- the system may also increase the reliability of data transfers in a network environment having reliable and unreliable peers, as each node broadcasts messages to all connected peers, and, as each block comprises a link to a previous block, a node may quickly detect a missing block and propagate a request for the missing block to the other nodes in the blockchain network.
- the term “network” includes any cloud, cloud computing system, or electronic communications system or method which incorporates hardware and/or software components. Communication among the parties may be accomplished through any suitable communication channels, such as, for example, a telephone network, an extranet, an intranet, internet, point of interaction device (point of sale device, personal digital assistant (e.g., an device, a device) , cellular phone, kiosk, etc. ) , online communications, satellite communications, off-line communications, wireless communications, transponder communications, local area network (LAN) , wide area network (WAN) , virtual private network (VPN) , networked or linked devices, keyboard, mouse, and/or any suitable communication or data input modality.
- the system may also be implemented using IPX, program, IP-6, NetBIOS, OSI, any tunneling protocol (e.g. IPsec, SSH, etc. ) , or any number of existing or future protocols.
- Specific information related to the protocols, standards, and application software utilized in connection with the internet is generally known to those skilled in the art and, as such, need not be detailed herein.
- Cloud or “Cloud computing” includes a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- Cloud computing may include location-independent computing, whereby shared servers provide resources, software, and data to computers and other devices on demand.
- “transmit” may include sending electronic data from one system component to another over a network connection.
- “data” may include encompassing information such as commands, queries, files, data for storage, and the like in digital or any other form.
- Any communication, transmission, and/or channel discussed herein may include any system or method for delivering content (e.g. data, information, metadata, etc. ) , and/or the content itself.
- the content may be presented in any form or medium, and in various embodiments, the content may be delivered electronically and/or capable of being presented electronically.
- a channel may comprise a website, mobile application, or device (e.g., APPLE AMAZON GOOGLE CHROMECAST TM , etc. ) a uniform resource locator ( “URL” ) , a document (e.g., a Word or EXCEL TM , an Portable Document Format (PDF) document, etc.
- a channel may be hosted or provided by a data partner.
- the distribution channel may comprise at least one of a merchant website, a social media website, affiliate or partner websites, an external vendor, a mobile device communication, social media network, and/or location based service.
- Distribution channels may include at least one of a merchant website, a social media site, affiliate or partner websites, an external vendor, and a mobile device communication. Examples of social media sites include and the like. Examples of affiliate or partner websites include AMERICAN and the like.
- examples of mobile device communications include texting, email, and mobile applications for smartphones.
- phrases and terms similar to an “item” may include any good, service, information, experience, entertainment, data, offer, discount, rebate, points, virtual currency, content, access, rental, lease, contribution, account, credit, debit, benefit, right, reward, points, coupons, credits, monetary equivalent, anything of value, something of minimal or no value, monetary value, non-monetary value and/or the like.
- the “transactions” or “purchases” discussed herein may be associated with an item.
- a “reward” may be an item.
- a “consumer profile” or “consumer profile data” may comprise any information or data about a consumer that describes an attribute associated with the consumer (e.g., a preference, an interest, demographic information, personally identifying information, and the like) .
- an account number may identify a consumer.
- a consumer may be identified by a variety of identifiers, including, for example, an email address, a telephone number, a cookie id, a radio frequency identifier (RFID) , a biometric, and the like.
- phrases and terms similar to a “party” may include any individual, consumer, customer, group, business, organization, government entity, transaction account issuer or processor (e.g., credit, charge, etc. ) , merchant, consortium of merchants, account holder, charitable organization, software, hardware, and/or any other type of entity.
- the term “end user, ” “consumer, ” “customer, ” “user, ” “business, ” or “merchant” may be used interchangeably with each other, and each shall mean any person, entity, government organization, business, machine, hardware, and/or software.
- a bank may be part of the system, but the bank may represent other types of card issuing institutions, such as credit card companies, card sponsoring companies, or third party issuers under contract with financial institutions. It is further noted that other participants may be involved in some phases of the transaction, such as an intermediary settlement institution, but these participants are not shown.
- the customer may be identified as a customer of interest to a merchant based on the customer’s transaction history at the merchant, types of transactions, type of transaction account, frequency of transactions, number of transactions, lack of transactions, timing of transactions, transaction history at other merchants, demographic information, personal information (e.g., gender, race, religion) , social media or any other online information, potential for transacting with the merchant, and/or any other factors.
- phrases and terms similar to “business” or “merchant” may be used interchangeably with each other and shall mean any person, entity, distributor system, software, and/or hardware that is a provider, broker, and/or any other entity in the distribution chain of goods or services.
- a merchant may be a grocery store, a retail store, a travel agency, a service provider, an on-line merchant, or the like.
- the disclosure and claims do not describe only a particular outcome of a system for cold wallets, but the disclosure and claims include specific rules for implementing the outcome of a cold wallets and that render information into a specific format that is then used and applied to create the desired results of a system for cold wallets, as set forth in McRO, Inc. v. Bandai Namco Games America Inc. (Fed. Cir. case number 15-1080, Sept 13, 2016).
- the outcome of a system for cold wallets can be performed by many different types of rules and combinations of rules, and this disclosure includes various embodiments with specific rules. While the absence of complete preemption may not guarantee that a claim is eligible, the disclosure does not sufficiently preempt the field of a system for cold wallets at all.
- the disclosure acts to narrow, confine, and otherwise tie down the disclosure so as not to cover the general abstract idea of just a system for cold wallets.
- other systems and methods exist for a system for cold wallets, so it would be inappropriate to assert that the claimed invention preempts the field or monopolizes the basic tools of a system for cold wallets.
- the disclosure will not prevent others from a system for cold wallets, because other systems are already performing the functionality in different ways than the claimed invention.
- the claimed invention includes an inventive concept that may be found in the non-conventional and non-generic arrangement of known, conventional pieces, in conformance with Bascom v. AT&T Mobility, 2015-1763 (Fed. Cir. 2016) .
- the disclosure and claims go way beyond any conventionality of any one of the systems in that the interaction and synergy of the systems leads to additional functionality that is not provided by any one of the systems operating independently.
- the disclosure and claims may also include the interaction between multiple different systems, so the disclosure cannot be considered an implementation of a generic computer, or just “apply it” to an abstract process.
- the disclosure and claims may also be directed to improvements to software with a specific implementation of a solution to a problem in the software arts.
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A system for cold wallets is disclosed. The system may create a wallet of a cold wallet application in response to a request to create a wallet from a user, generate a cold wallet cryptocurrency address of the cold wallet application, import a hot wallet cryptocurrency address to the cold wallet application, import a transaction data of an exchange platform to the cold wallet application, sign the transaction via the cold wallet application to generate a signed transaction, and export the signed transaction from the cold wallet application to the exchange platform.
Description
This disclosure generally relates to transacting in digital assets, and more particularly to secure asset custody systems for digital assets.
Cryptocurrency or digital asset networks such as, for example, the Bitcoin network may be a peer-to-peer payment system having a plurality of nodes that are connected to one another. Digital asset exchange computer systems allow for users to exchange local currency into or out of a desired cryptocurrency. Users send payments by broadcasting digitally signed messages to the cryptocurrency network. Users may, for example, send and receive payments using mobile applications on mobile devices, client software or a web browser. Transactions do not explicitly identify the payor and payee by name or wallet. Instead, a bitcoin transaction transfers ownership to a new address, referred to as a "currency address" . The currency address is derived from the public portion of one or more cryptographic key pairs. The private portion of a key pair is not disclosed to the public. To send a cryptocurrency to an address, a user broadcasts a payment message that is digitally signed with the associated private key.
Host computer systems reside at various nodes and may host accounts or "wallets" that allow users to make and accept payments using cryptocurrency. The wallet stores the public key of the cryptocurrency address and its associated private key. The transfer of cryptocurrency may be an onerous task if the entire public key of the cryptocurrency address has to be copied and transmitted. When a transaction is made between two wallets at the same or different host computer systems, the transaction is broadcast to the cryptocurrency network for verification. The cryptocurrency network may be a Distributed Ledger Technology (DLT) network such as a blockchain network. Network participants may verify the transaction and append the transaction to a shared database of transactions.
It may be a security concern for users that their cryptocurrency addresses may be stolen from their wallets. Existing systems do not provide a solution for maintaining security of cryptocurrency addresses while still allowing the users to use cryptocurrency addresses within their wallets for transacting with other users. In order for a user to access their wallet, the user may log into their account through the website using a user name and password. If the user name and password become compromised then it may be possible for cryptocurrency to be stolen out of the wallet. Users may therefore be reluctant to store cryptocurrency in their wallets without any additional security features. Cryptocurrency transacting requires the use of a public key and a private key. The private key is used to sign an authorization and the public key is used to verify the signature. Some users may require control over their private keys in order to ensure to such users that the cryptocurrency transacting will not take place without their express authorization.
SUMMARY
A system, method, and computer readable medium (collectively, the “system” ) is disclosed for cold wallets. In various embodiments, the system may create a wallet of a cold wallet application in response to a request to create a wallet from a user, generate a cold wallet cryptocurrency address of the cold wallet application, import a hot wallet cryptocurrency address to the cold wallet application, import a transaction data of an exchange platform to the cold wallet application, sign the transaction via the cold wallet application to generate a signed transaction, and export the signed transaction from the cold wallet application to the exchange platform.
In various embodiments, the system may generate a first QR code comprising the hot wallet cryptocurrency address and the transaction data of the exchange platform, and receive the hot wallet cryptocurrency address and the transaction data of the exchange platform at the cold wallet application in response to optical recognition of the first QR code. In various embodiments, the system may generate via the cold wallet application, a second QR code comprising the signed transaction, and receive the signed transaction at the exchange platform in response to optical recognition of the second QR code.
In various embodiments, the system may receive an access request from a first super admin at the cold wallet application. The system may create a user account for the user in the cold wallet application in response to a user creation request from the first super admin. The system may set permissions for the user account in response to a permission setting from the first super admin, wherein the permissions include enabling the request to create a wallet.
In various embodiments, the system may create an activity log associated with the cold wallet application and the user and record each of an action, the user associated with the action, and a timestamp in the activity log, wherein the action is an operation performed via the cold wallet application in response to a user request. In various embodiments, the system may receive each of the access request from the first super admin, an access request from a second super admin, and an access request from a third super admin at the cold wallet application. The system may assign a root user in response to receiving each of the access requests at the cold wallet application. The system may enable an accessible during runtime status for a data file in response to a request from the root user.
In various embodiments, the system may compare the signed transaction with an asset outflow threshold. The system may compare the signed transaction with a time horizon threshold. The system may inhibit processing of the signed transaction in response to the signed transaction exceeding the asset outflow threshold, and may inhibit processing of the signed transaction in response to the signed transaction exceeding the time horizon threshold.
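An added example (not code from the patent) of the gate this paragraph describes, run on the exchange side before a signed transaction is processed. The per-asset limits, the field names, and reading the time horizon as the maximum age of the originating request are assumptions; the disclosure names the two thresholds without defining them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class SignedTransaction:
    """Signed transaction as exported by the cold wallet (field names assumed)."""
    asset: str
    amount: str              # decimal string, never a float
    requested_at: datetime   # when the exchange created the unsigned request
    raw: bytes               # opaque signed bytes, not inspected by the gate


@dataclass(frozen=True)
class OutflowPolicy:
    outflow_limits: dict     # asset symbol -> Decimal, largest amount allowed
    time_horizon: timedelta  # assumed meaning: maximum age of the request


def evaluate(tx, policy, now):
    """Return (allowed, reasons); any failed or unevaluable check inhibits."""
    reasons = []

    limit = policy.outflow_limits.get(tx.asset)
    if limit is None:
        # Fail closed: an asset without a configured limit is never released.
        reasons.append("no outflow threshold configured for asset")
    else:
        try:
            amount = Decimal(tx.amount)
        except (InvalidOperation, TypeError):
            amount = None
        if amount is None or not amount.is_finite() or amount <= 0:
            reasons.append("amount is not a positive decimal")
        elif amount > limit:
            reasons.append("asset outflow threshold exceeded")

    if tx.requested_at.tzinfo is None or now.tzinfo is None:
        # Naive timestamps cannot be compared safely across hosts.
        reasons.append("timestamp lacks a timezone")
    else:
        age = now - tx.requested_at
        if age < timedelta(0):
            reasons.append("request timestamp is in the future")
        elif age > policy.time_horizon:
            reasons.append("time horizon threshold exceeded")

    return (not reasons, reasons)


def process(tx, policy, now, broadcast):
    """Hand the signed bytes to `broadcast` only when every check passes."""
    allowed, reasons = evaluate(tx, policy, now)
    if allowed:
        broadcast(tx.raw)
    return allowed, reasons


# Constructed sample policy and clock, used by the demo below.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = OutflowPolicy({"BTC": Decimal("5")}, timedelta(minutes=30))

if __name__ == "__main__":
    sent = []
    samples = [
        SignedTransaction("BTC", "1.5", NOW - timedelta(minutes=10), b"tx-1"),
        SignedTransaction("BTC", "5.00000001", NOW - timedelta(minutes=31), b"tx-2"),
        SignedTransaction("ETH", "1", NOW, b"tx-3"),
    ]
    for tx in samples:
        print(tx.raw, process(tx, POLICY, NOW, sent.append))
    print("broadcast:", sent)
```

Both checks are always evaluated, so an inhibited transaction reports every threshold it violated rather than only the first.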
In various embodiments, the system may receive N key components. The system may discretize the N key components via a hashing algorithm into a plurality of N key component parts. The system may combine the plurality of N key component parts to generate X keys. The system may encrypt the X keys to generate X key seeds. The system may perform an encryption process and a decryption process.
The foregoing features and elements may be combined in various combinations without exclusivity, unless expressly indicated herein otherwise. These features and elements as well as the operation of the disclosed embodiments will become more apparent in light of the following description and accompanying drawings.
BRIEF DESCRIPTION
The subject matter of the present disclosure is particularly pointed out and distinctly claimed in the concluding portion of the specification. However, a more complete understanding of the present disclosure may be obtained by referring to the detailed description and claims when considered in connection with the drawing figures, wherein like numerals denote like elements.
FIGs. 1A through 1G are a block diagram illustrating an exchange platform system, in accordance with various embodiments;
FIG. 2 is a block diagram illustrating the access control system, in accordance with various embodiments;
FIG. 3 is a flowchart illustrating a transaction process of a cold wallet, in accordance with various embodiments;
FIG. 4 is a diagram illustrating an independent wallet system and a temporary wallet, in accordance with various embodiments;
FIG. 5 is a flowchart illustrating a deposit process, in accordance with various embodiments;
FIG. 6 is a flowchart illustrating a transaction process, in accordance with various embodiments;
FIGs. 7A through 7C are a flowchart illustrating a withdrawal process, in accordance with various embodiments;
FIG. 8 illustrates an optical communication process, in accordance with various embodiments;
FIG. 9 illustrates a key security process, in accordance with various embodiments;
FIG. 10 illustrates a wallet generation process and an address generation process, in accordance with various embodiments;
FIG. 11 illustrates an optical communications and signature process, in accordance with various embodiments;
FIG. 12 illustrates an encryption process of an exchange platform system, in accordance with various embodiments;
FIG. 13 illustrates a decryption process of an exchange platform system, in accordance with various embodiments; and
FIG. 14 illustrates an account creation and data importation process, in accordance with various embodiments.
The detailed description of various embodiments herein makes reference to the accompanying drawings and pictures, which show various embodiments by way of illustration. While these various embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosure, it should be understood that other embodiments may be realized and that logical and mechanical changes may be made without departing from the spirit and scope of the disclosure. Thus, the detailed description herein is presented for purposes of illustration only and not of limitation. For example, the steps recited in any of the method or process descriptions may be executed in any order and are not limited to the order presented. Moreover, any of the functions or steps may be outsourced to or performed by one or more third parties. Furthermore, any reference to singular includes plural embodiments, and any reference to more than one component may include a singular embodiment.
With the development of the cryptocurrency/blockchain/digital asset industry, the compliance and security of online exchanges have attracted more and more attention. On one hand, as the management system of an exchange's core assets, the asset custody system is considered the cornerstone of an exchange; on the other hand, the cold wallet retains and keeps most of the digital assets of the exchange center. Therefore, the security of the cold wallet is of great importance to online exchange systems. Existing cold wallet solutions struggle to meet enterprise-level needs such as, for example, managing a large amount and quantity of digital asset transactions, transaction security management, and fulfilling government/legally required ethics and compliance program requirements.
A cryptocurrency wallet may be a device, a physical media, a program, or a web service which stores the public and/or private keys for cryptocurrency transactions. The cryptocurrency wallet can be an online wallet, an offline wallet, or a combination thereof. An offline cryptocurrency wallet is also called a ‘cold’ wallet (in contrast to ‘hot’ wallet, which refers to the online cryptocurrency wallet) . Sometimes, a cold wallet is provided as a program, a software, or an application. In addition, a cold wallet may be provided as hardware (or a physical device) , such as USB-Key, and other hardware based on Near-Field Communication (NFC) technology such as
Wallets provided as hardware or a physical device are often referred to as a hardware wallet (or ‘hard’ wallet) . Such hardware wallets tend to be suited for individual and personal use. Hardware wallets tend to be limited in the amount and frequency of transactions which can be processed. In this regard, hard wallets and cold wallets tend to be unable to handle corporate level cryptocurrency transaction volumes. In order to meet corporate level transaction volumes, existing cold wallet systems tend to compromise with regard to security as described below.
Furthermore, in existing online trading platforms (e.g. exchanges or exchange platforms) of digital assets, all of the users’ assets are separated by different types of cryptocurrencies and then stored in related cryptocurrency addresses of the exchange, so that a certain user’s asset does not have any substantive settlement in the exchange. Therefore, except the exchange, a third party (such as a government compliance agency or a securities regulatory commission) cannot monitor a specific user’s digital assets and asset details of different cryptocurrencies, nor can it review the entire trading history of the specific user’s assets on the chain, because the trading history of the specific user’s assets is mixed with other users’ assets trading history in the same wallet address.
To unlock (or authorize transaction of) the digital asset (or cryptocurrency), existing cold wallet systems are physically connected with the online cryptocurrency networks (for example, via an exchange system) through wireless networks, near-field communication (e.g., ), or physical ports such as, for example, USB. Therefore, current cold wallet systems are not completely offline; they still need to be connected with the internet at some point during the transaction.
Furthermore, in enterprise level settings, more than one employee may be assigned permissions to transact digital assets (e.g., cryptocurrency) in order to help manage the large transaction volume. Additionally, some cold wallets may be limited in storage capacity. For example, some cold wallets can only store keys for certain digital assets (e.g., a Bitcoin wallet may not be able to store Ethereum, and an Ethereum wallet may not be able to store Dash). Where multiple employees have access to a cold wallet, security concerns arise, but where a single employee has access, throughput issues arise.
As such, the present system may solve the problem of enabling enterprise scale transitions with cold wallet storage systems and providing enhanced transparency of transactions to regulators. The system may increase data reliability or accuracy by enabling data logging. The system may increase data security by enabling separation between online and offline storage elements and by segregating permissions between differing sets of users. Benefits of the present disclosure may apply to any suitable trading environment. For example, the present disclosure may apply in equity trading, currencies trading, futures trading, and/or any other financial instrument, as well as in information analysis or fraud prevention contexts.
This process improves the functioning of the computer. For example, the systems and processes described herein may tend to accelerate secure storage operations of digital assets thereby reducing network processing overhead.
As used herein, “electronic communication” means communication of at least a portion of the electronic signals with physical coupling (e.g., “electrical communication” or “electrically coupled” ) and/or without physical coupling and via an electromagnetic field (e.g., “inductive communication” or “inductively coupled” or “inductive coupling” ) . As used herein, “transmit” may include sending at least a portion of the electronic data from one system component to another (e.g., over a network connection) . Additionally, as used herein, “data, ” “information, ” or the like may include encompassing information such as commands, queries, files, messages, data for storage, and the like in digital or any other form.
As used herein, “satisfy, ” “meet, ” “match, ” “associated with” , or similar phrases may include an identical match, a partial match, meeting certain criteria, matching a subset of data, a correlation, satisfying certain criteria, a correspondence, an association, an algorithmic relationship, and/or the like. Similarly, as used herein, “authenticate” or similar terms may include an exact authentication, a partial authentication, authenticating a subset of data, a correspondence, satisfying certain criteria, an association, an algorithmic relationship, and/or the like.
Systems, methods, and computer program products are provided. In the detailed description herein, references to “various embodiments, ” “one embodiment, ” “an embodiment, ” “an example embodiment, ” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. After reading the description, it will be apparent to one skilled in the relevant art (s) how to implement the disclosure in alternative embodiments.
With reference to FIGs. 1A through 1G, an exchange platform system 100 is depicted according to various embodiments. System 100 may include various computing devices, software modules, networks, and data structures in communication with one another. System 100 may also contemplate uses in association with web services, utility computing, pervasive and individualized computing, security and identity solutions, autonomic computing, cloud computing, commodity computing, mobility and wireless solutions, open source, biometrics, grid computing and/or mesh computing.
In various embodiments, system 100 may comprise a client service module 102, an asset custody module 104, a data center module 106, an exchange system module 108, a basic services module 110, and a web client interface module 112. In various embodiments, the system may include a settlement service 178 configured to provide settlement data 180 to the data center module 106. The system may include a risk management system 182 configured to communicate with the asset custody module 104, the exchange system module 108 and the client service module 102. The risk management module 182 may provide risk data 184 to the data center module 106. System 100 may be computer based, and may comprise a processor, a tangible non-transitory computer-readable memory, and/or a network interface, along with other suitable system software and hardware components. Instructions stored on the tangible non-transitory memory may allow system 100 to perform various functions, as described herein. In various embodiments, system 100 may be configured as a central network element or hub to access various systems, engines, and components of system 100. System 100 may comprise a network, computer-based system, and/or software components configured to provide an access point to various systems, engines, and components of the system.
In various embodiments, the client service module 102 may be configured to provide various client services such as, for example, client identity management. Client service module 102 may include user services 116 such as, for example, user interfaces to the exchange system, deposit and withdrawal services, transaction services and/or the like. Client service module 102 may be configured to perform Know Your Customer (KYC) services 118 including background checking 120 and identity authentication 122 services.
In various embodiments, data center module 106 may include any number of database structures 124 or data elements such as, for example, exchange data, client data, marketing data, and operation data. Data center module 106 may be configured to maintain exchange data such as, for example, data sets relating to exchange platform transactions such as an exchange, a transaction type, a financial instrument, a currency, a price, a quantity, a date, a timestamp, risk management data, financial data, and/or the like. Any of the database structures 124 may include metadata and system 100 performance data and event logs and/or the like. Data center module 106 may be configured to maintain client data such as, for example, past orders, past transactions, bills, user information, client service module data, and/or the like. Data center module 106 may be configured to maintain marketing data such as, for example, event tracking statistics, external data, referral data, partner data, promotional data, and/or the like. Data center module 106 may be configured to maintain operations data such as, for example, monitoring statistics, devops statistics, performance data, and/or the like. In various embodiments, the data center module 106 may provide a historical data query service 126 and a reporting service 128.
Asset custody center module 104 may be configured to provide physical control over one or more virtual assets such as, for example, cryptocurrencies, tokens, and/or the like. In various embodiments, the virtual asset may comprise one of reward points such as, for example, those associated with a reward program, coupons, credit cards, hotels, frequent flyer program, online services, and/or the like. In various embodiments, the virtual asset may comprise a token of or representation of a fiat currency, or a relatively closed currency such as, for example, a currency of a game economy. In various embodiments, the virtual asset includes cryptocurrencies which may be supported by a distributed ledger and/or blockchain network such as, for example, Bitcoin, Bitcoin Cash, EOS, Litecoin, Tron, Ripple, DASH™, Monero, and/or the like. The asset custody center module 104 may be configured to provide various asset related services such as, for example, deposit and withdrawal service 130, Anti-Money Laundering (AML) service 132, whitelist service 134 and custody account service 136. Custody account service 136 may include one or more wallets such as a hot wallet or a cold wallet configured to communicate with an asset custody database 138.
In various embodiments, the exchange system module 108 may comprise hardware or software configured to process market transactions in a plurality of virtual assets. The exchange system module 108 may comprise or interact with an order service 140 and a clearing service 142 via an exchange mainline 144 to match orders and execute transactions based on the matching orders. In various embodiments, exchange mainline 144 may be configured to generate market data such as, for example, price data and volume associated with the order book and may provide the market data to a market data service 146. In various embodiments, the exchange mainline 144 may be supported by one or more mainline services 148 such as a main order service and a primary matching engine 150 and a standby matching engine 152. In this regard the exchange mainline 144 may be configured to match order book entries received from order service 140 and enable redundant operations tending thereby to enhance transaction reliability and system uptime. Exchange system module 108 may be accessible via a trading account service 154 configured to communicate with the various systems, engines, and components of the exchange system module 108. In various embodiments, the trading account service 154 may be configured to record data in an internal storage database 156 and communicate with a persistence service 158. In various embodiments, clearing service 142 may be configured to provide cleared transaction data 160.
In various embodiments, the basic services module 110 may be configured to provide operations staff with command and control functions of the system 100. The basic service module may include one or more web client interfaces 164 having features, processes, and architecture similar to the web client interface module 112. The web client interface 164 may be tailored to administration, command, and control functions of system 100. Basic services module 110 includes one or more administrative services such as product configuration service 166, exchange configuration service 168, review service 170, operator audit service 172, message center 174, and access control service 176. The web client interface 164 may be configured to provide the operations staff 162 access to each of the services 166, 168, 170, 172, 174, and 176.
Referring now to FIGs. 2-14, the process flows depicted are merely embodiments and are not intended to limit the scope of the disclosure. For example, the steps recited in any of the method or process descriptions may be executed in any order and are not limited to the order presented. It will be appreciated that the following description makes appropriate references not only to the steps depicted in FIGs. 2-15, but also to the various system components as described above with reference to FIG. 1A-1G.
In various embodiments, and with reference to FIG. 2, an access control system 200 may be established in system 100 by giving different permissions of the system (such as, for example, a wallet system) to various users. The access control system may have permission levels, including a super admin 210 and a user 212. The super admin 210 may have user management controls 236, including management of the user maintenance 240, the permission management 238, and the audit log 234. The user 212 may have the ability to conduct wallet management 224, address management 226, perform transactions 228, system setup 230, and conduct currency management 232. Each of these user permissions may include sets of associated actions which may be requested by the user and executed by the system such as wallet management actions 214, address management actions 216, transaction related actions 218, system management actions 220, and currency management actions 222.
In various embodiments, a user is created by the super admin. The super admin may have control of user management. Each user may be given relevant permissions by the super admin. Each user can only access the relevant sets of actions (or individual actions within the set) and the associated GUI that he or she has been assigned access to (i.e., permissioned for), and cannot access any part for which he or she has no permission.
In various embodiments, when using a cold wallet in a transaction, the user records/initiates the transaction and the managers (e.g., five managers or corporate executives) each authorize/approve the transaction using their keys. For example, as a preset condition, if at least any three of the five keys are provided, this transaction may complete.
In various embodiments, an audit log may be managed. For example, the system may create an audit log (or activity log) of events in the cold wallet, and trace what events happened, when the events occurred, and who caused the events. If necessary, auditors (e.g., the administrator of the exchange platform) can locate problems and accountability through the audit log afterwards. The activity log may include records of actions taken by the super admin. For example, the system may create an activity log associated with the cold wallet and the user. The system may record each of an action (e.g., delete a file, publish a transaction, create an address), the user associated with the action, and a timestamp in the activity log. In various embodiments, the action may be an operation performed via the cold wallet application and in response to a user request. A benefit of the access control system is that the system tends to avoid the risks inherent to centralized control in which only one or a limited set of persons have the permission of approving the transaction.
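The three-of-five approval rule and the activity log described above, as an added Python example that is not code from the patent. It assumes each manager's approval is an HMAC over a canonical digest of the transaction (a stand-in for the managers' key-based signatures); the class, function and action names and the sample keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo keys for five managers (assumption: one secret key each).
MANAGER_KEYS = {
    "manager%d" % i: hashlib.sha256(("constructed-key-%d" % i).encode()).digest()
    for i in range(1, 6)
}


def tx_digest(tx):
    """Canonical SHA-256 digest of the transaction an approval is bound to."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).digest()


def approve(manager_key, tx):
    """One manager's approval: a MAC over the transaction digest."""
    return hmac.new(manager_key, tx_digest(tx), hashlib.sha256).hexdigest()


class ApprovalGate:
    """Lets a transaction complete only with enough distinct valid approvals."""

    def __init__(self, manager_keys, threshold):
        if not 0 < threshold <= len(manager_keys):
            raise ValueError("threshold must be between 1 and the number of managers")
        self.manager_keys = dict(manager_keys)
        self.threshold = threshold
        self.audit_log = []

    def record(self, action, user):
        # Each entry holds the action, the user who caused it, and a timestamp.
        self.audit_log.append({"action": action, "user": user, "timestamp": time.time()})

    def authorize(self, initiator, tx, approvals):
        """approvals is a list of (manager name, approval tag) pairs."""
        self.record("initiate_transaction", initiator)
        accepted = set()
        for manager, tag in approvals:
            key = self.manager_keys.get(manager)
            if manager in accepted:
                # A repeated approval from the same manager never counts twice.
                self.record("duplicate_approval", manager)
                continue
            expected = approve(key, tx) if key is not None else ""
            if key is not None and hmac.compare_digest(tag.encode(), expected.encode()):
                accepted.add(manager)
                self.record("approve_transaction", manager)
            else:
                # Unknown manager, or an approval bound to a different transaction.
                self.record("reject_approval", manager)
        complete = len(accepted) >= self.threshold
        self.record("complete_transaction" if complete else "block_transaction", initiator)
        return complete


if __name__ == "__main__":
    gate = ApprovalGate(MANAGER_KEYS, threshold=3)
    tx = {"to": "hot-address-1", "asset": "BTC", "amount": "1.5"}  # constructed sample
    tags = [(m, approve(MANAGER_KEYS[m], tx)) for m in ("manager1", "manager3", "manager5")]
    print(gate.authorize("operator1", tx, tags))
    for entry in gate.audit_log:
        print(entry)
```

Because every approval is bound to the transaction digest, approvals collected for one transaction do not carry over to an altered amount or destination.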
In various embodiments and with reference to FIG. 3, a cold wallet process 300 of system 100 is illustrated. With combined reference to FIG. 14, the process 300 may start in response to receiving an access request comprising a login information from a first super admin at a cold wallet application 1400 (step 302). The system may create a user account for a user in the cold wallet application in response to receiving a user creation request 1402 from the first super admin 1410 account (step 304). The cold wallet application 1400 may return an account creation success message 1404 to the first super admin 1410. The system may set one or more permissions for the user account in response to receiving a permissions setting 1406 from the first super admin 1410 (step 306). In various embodiments, the permissions include enabling a request to create a wallet. In various embodiments, the permissions may include assignments of address management. For example, for management of a cold wallet application, Employee A (as an operation role/user) may be assigned the responsibility of trading and Employee B may be assigned permissions for address management. In the event Employee B departs, the admin could assign a temporary permission to Employee A for address management until a permanent replacement for Employee B is found. Then, the temporary permission of Employee A for address management would be revoked. The cold wallet application 1400 may return a permission setting success message 1408 to the first super admin 1410. In this regard, after a super admin creates a user, and then assigns permissions for the user, the corresponding information and permissions of the user will be saved as a list in the cold wallet application. The cold wallet application may check the user's permission list after login, and may present only those functions that the user has received permission to use.
Thus, the user can only see the operation interface and buttons according to the assigned permissions, and those not assigned are not presented to the user.
With additional reference to FIG. 10, the process 300 may continue in response to receiving an access request comprising a login information from the user at the cold wallet application (step 308). The system may generate a wallet of the cold wallet application in response to receiving a request to create a wallet 1002 from the user 1000 (step 310). In response, the system may start a wallet generation process 1004. The cold wallet application 1400 may send a key generation request message 1006 to a security proxy 1008. The security proxy 1008 may pass a forwarding message 1010 to a hardware security module 1012. In response to receiving the forwarding message 1010, the hardware security module may generate a wallet keyname 1014. The hardware security module may return the wallet keyname 1014 to the security proxy 1008. The security proxy 1008 may forward the wallet keyname via a forward message 1016 to the cold wallet application 1400. In response, the cold wallet application may return a wallet creation success message 1018 to the user 1000.
In various embodiments, process 300 may continue by generating a cold wallet cryptocurrency address of the cold wallet application (step 312). Cold wallet application 1400 may receive a create address request 1020 from the user 1000 and start an address generation process 1030. In response, the cold wallet application 1400 may pass a generate address message 1022 to the security proxy 1008. The security proxy 1008 may pass a forwarding message 1024 to the hardware security module 1012. In response to receiving the forwarding message 1024, the hardware security module 1012 may generate an address keyname 1026. The hardware security module 1012 may return the address keyname 1026 to the security proxy 1008. The security proxy 1008 may forward the address keyname 1026 via a forward message 1028 to the cold wallet application 1400. The cold wallet application may return an address creation success message 1032 to the user 1000.
The system may import a hot wallet cryptocurrency address to the cold wallet application (step 314). For example, with renewed reference to FIG. 14, a user (e.g., user 100) or the super admin 1400 may send a hot wallet cryptocurrency address 1412 to the cold wallet application 1400. The cold wallet application 1400 may return an import success message 1414. In various embodiments, the system may import transaction data of the exchange platform to the cold wallet application 1400 (step 316). For example, the system may obtain transaction data from exchange system module 108 via the trading account service 154.
With additional reference to FIGs 8 and 11, steps 314 and 316 may include optical communication process 800. The system may generate a QR code 804 such as a first QR code 1104 comprising the hot wallet cryptocurrency address of the hot wallet 802 and the transaction data of the exchange system. The first QR code 1104 may be generated by compressing the data via a zstd algorithm (step 806). The system may receive the hot wallet cryptocurrency address and the transaction data of the exchange system module at the cold wallet application 1400 in response to optical recognition of the first QR code 1104. For example, the cold wallet application may be native to a mobile device 1102 of the system which may recognize the displayed QR code via a camera of the mobile device and, in response, may decompress the first QR code 1104 via the zstd algorithm (step 808). In various embodiments, prior to applying the zstd algorithm, the system may apply a binary message exchange protocol (e.g., protobuf) for message encoding. In this regard, the zstd algorithm may be used to compress the binary data again. In various embodiments, the system may employ a low binary loss encoding algorithm (e.g., base64) for transcoding. The optical communication process tends to ensure complete physical separation of any hot wallet of the exchange system module and any cold wallets of the asset custody module.
In various embodiments, the user 1000 may login to the cold wallet application 1400 (step 318). It will be appreciated that the cold wallet application 1400 may be a micro-app as discussed below. The user 1000 may login via a mobile device (e.g., mobile device 1102) and may sign a transaction (signature request 1106) of the imported transaction data via the cold wallet application to generate a signed transaction. For example, the signature request 1106 may be provided to the security proxy which may forward the request to the hardware security module and/or a keystore 1108. In various embodiments, the cold wallet application may generate a second QR code 1110 comprising the signed transaction. The cold wallet application may display the second QR code 1110. For example, the cold wallet application may be native to a mobile device (e.g., mobile device 1102) of the system and may display the second QR code 1110 via a display screen of the mobile device. The system may scan the QR code via the cold wallet application 1400 (step 320). In this regard, the system may receive the signed transaction at the exchange system module in response to optical recognition of the second QR code. In various embodiments, the system may send the transaction to the blockchain 1112 (step 322).
In various embodiments, each of platform A 1114 and platform B 1116 may receive the signed transaction from the mobile device 1102. Each of platform A 1114 and platform B 1116 needs to accept the signed transaction, thereby tending to improve transaction security and fidelity. The system may provide a transaction confirmation to the mobile device. In response to each of platform A 1114 and platform B 1116 accepting the signed transaction, the system may send the transaction to the blockchain 1112. The cold wallet application 1400 may be configured to communicate with platform B 1116 to authenticate the transaction only in response to receiving a transaction request from platform A 1114. In this regard, the system may tend to inhibit forged transactions in the event platform A 1114 is compromised. An attacker must compromise both platform A 1114 and platform B 1116 at the same time to forge a transaction. In various embodiments, platform A 1114 and platform B 1116 may be deployed in different networks, tending thereby to reduce the possibility of simultaneous attack. The transaction may be signed and encrypted in the transmission process, which tends to ensure that the transaction message cannot be intercepted or altered during the process.
With additional reference to FIG. 4, in various embodiments, the asset custody module includes a wallet system 400. System 400 may include temporary wallets 402, 418, 434 and cold wallets 410, 426, 442. A plurality of temporary wallets 402, 418, 434 may be associated with a plurality of cold wallets 410, 426, 442. The wallet system 400 may include a temporary wallet 402 associated with a cold wallet 410. Client A may own at least one wallet address. For example, Client A is associated with Address A 404, and Address B 406 of the temporary wallet 402. Address A 404 may be associated with a cryptocurrency, such as Bitcoin. Address B 406 may be associated with a cryptocurrency, such as Ethereum. The temporary wallet 402 may have a plurality of digital assets stored at locations accessible to the temporary wallet 402. The wallet system 400 may contain a temporary wallet 418 associated with a cold wallet 426.
In various embodiments, the exchange platform system 100 may, via wallet system 400, support three types of cold wallets, namely Hardware Security Module (HSM)-Hierarchical Deterministic (HD) wallets, HSM-random wallets, and software wallets. Key management and signatures of the software wallets may be based on a software keystore, while HSM-HD wallets and HSM-random wallets may be based on HSM. Among them, all addresses under an HSM-HD wallet are derived from one seed; however, all addresses of an HSM-random wallet are randomly generated without seeds. Assets in the cold wallet application may only be transferred to the hot address (i.e., the address generated by the hot wallet, which contains the private key and can be connected to the Internet) registered in the cold wallet application. In this regard, the wallet system 400 may ensure that the transfer destination of the assets is controllable. Such hot addresses are listed in a whitelist of the cold wallet.
With additional reference to FIGs. 9, 10, and 14, a key security process 900 of the wallet system 400 is illustrated in accordance with various embodiments. Process 900 includes a multi-component key generation process 902 and a key recovery process 904. A plurality of users 906 may each enter an independent key component associated on a one to one basis with each of the plurality of users. The system may receive five key components 908 at the cold wallet application 1400. The cold wallet application 1400 may start process 902 and pass a key generation request 910 to the security proxy 1008. Security proxy 1008 may pass a forward message 912 to the keystore 1108. In response to receiving the forward message 912, the keystore 1108 returns a keyname 914 to the security proxy 1008. In response to receiving the keyname 914, security proxy 1008 passes a forward message 916 including the keyname to the cold wallet application 1400. In response, the cold wallet application 1400 returns a create success message 918 to the users 906.
With additional reference to FIG. 12, an encryption process 1200 of system 100 is illustrated in accordance with various embodiments. Keys generated by wallet system 400 may be protected via process 1200. Process 1200 may be described by the following pseudocode:
keys = <key1, key2, …, keym>
salts = <salt1, salt2, …, saltm>
keys’ = keys + salts = <key1’, key2’, …, keym’>
keymatrix = combinations of n out of the m keys’ = [{key1’, key2’, …, keyn’}, …, {key2’, key3’, …, keym’}]
finalkeys = [{key1’ XOR key2’ XOR … keyn’}, …, {key2’ XOR key3’ XOR … keym’}] = <finalkey1, finalkey2, …, finalkeyk>, k = C(m, n)
encrypteddatas = finalkeys encrypt data = {encrypteddata1, encrypteddata2, …, encrypteddatak}
The system may add salt values 1202 to the keys 1204 and then hash them via a hashing algorithm 1206 to generate a corresponding hash 1208. The purpose of the hash is to make passwords of different lengths entered by the user yield AES keys of the same length. The purpose of adding salt values is to make the key deviate from the original track, to prevent the person who entered the key from using the vulnerability of XOR to control the result of the final merged key. The system XORs every two keys among three keys to generate three final keys 1210 for encrypting data 1212 (the same as the number of keys used for decryption). The system may apply an encryption algorithm 1214 to encrypt the seeds with the three keys which are merged to obtain the seeds of the final ciphertext. The hash of the seed may be calculated by the system to ensure the integrity of the seed, that is, the hash calculated from the decrypted data must be consistent with this hash to prove that the seed has been decrypted normally.
With additional reference to FIG. 13, a decryption process 1300 of system 100 is illustrated in accordance with various embodiments. Process 1300 may be used to recover the keys and corresponding key seeds of the wallet system 400. Process 1300 may be described by the following pseudocode:
keys = <key1, key2, …, keyn>
salts = <salt1, salt2, …, saltn>
keys’ = keys + salts = <key1’, key2’, …, keyn’>
finalkey = key1’ XOR key2’ … XOR keyn’
finalkey decrypt encrypteddatas = data
The system may add salt values 1302 to two keys 1304 and hash them via hashing algorithm 1306 to generate hashes 1308. The hashes 1308 may be combined in order to recover one of the final keys 1310 used in encryption of process 1200. The system may use the recovered keys 1310 to decrypt the encrypted data (such as, for example, key seeds) one by one in order to parse out a match (e.g., a key seed matching the reconstructed final key). The process may generate decryption errors 1312 where there is no match. After the decryption is successful, the system may calculate whether the hash of the seed is consistent with the previously saved hash. Where they are consistent, the system may determine decryption is successful, and that the two keys are correct.
In various embodiments, the system may enable an M-of-N protection mechanism. Each of N people inputs a part of the key. The system may then discretize the N key components (e.g., via SHA256), and then combine the key components of each of the N parts to obtain a total of X different keys. In various embodiments, the system may then separate the X keys. The system may encrypt the seed (e.g., via AES256) to get X different key seeds and may save the X key seeds. In this regard, for use of the seed the system need only receive M (M<X, M<N) keys. For these components, the system may combine the M keys into one key and try to decrypt the X key seeds. The system may then compare them with the key component of the seeds. Where they are consistent, the system may determine that the input components are correct.
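Encryption process 1200, decryption process 1300 and the M-of-N mechanism above, carried through end to end as an added Python example that is not code from the patent. It uses SHA-256 as the hashing algorithm and, so that it runs with the standard library only, a SHA-256 counter-mode keystream as a stand-in for AES-256; the function names, the 16-byte salts and nonces, and the holder-index mapping used at recovery are assumptions.

```python
import hashlib
import hmac
import os
from itertools import combinations

KEY_LEN = 32  # SHA-256 digest size, which is also the AES-256 key size


def salted_hash(component, salt):
    """Salt and hash one entered key component so any input length yields 32 bytes.
    Assumption: plain SHA-256, as the page names; a password-stretching KDF
    would slot in here when components are human-chosen passwords."""
    return hashlib.sha256(salt + component.encode("utf-8")).digest()


def xor_merge(hashed_components):
    """XOR the salted hashes of one combination into a single final key."""
    merged = bytes(KEY_LEN)
    for part in hashed_components:
        merged = bytes(a ^ b for a, b in zip(merged, part))
    return merged


def stream_xor(key, nonce, data):
    """Stand-in cipher (NOT AES): SHA-256 counter-mode keystream XORed with data.
    The same call encrypts and decrypts."""
    stream = bytearray()
    for counter in range((len(data) + KEY_LEN - 1) // KEY_LEN):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_seed(seed, components, m):
    """Encrypt the seed once per m-subset of the n components: X = C(n, m) key seeds."""
    if not 1 < m <= len(components):
        raise ValueError("m must be at least 2 and at most the number of components")
    salts = [os.urandom(16) for _ in components]
    hashed = [salted_hash(c, s) for c, s in zip(components, salts)]
    blobs = []
    for combo in combinations(hashed, m):
        nonce = os.urandom(16)
        blobs.append((nonce, stream_xor(xor_merge(combo), nonce, seed)))
    # Only salts, ciphertexts and the seed hash are kept; components are not stored.
    return {"m": m, "salts": salts, "blobs": blobs,
            "seed_hash": hashlib.sha256(seed).digest()}


def recover_seed(record, entered):
    """entered maps holder index -> component text for exactly m distinct holders."""
    if len(entered) != record["m"]:
        raise ValueError("exactly %d key components are required" % record["m"])
    if any(not 0 <= idx < len(record["salts"]) for idx in entered):
        raise ValueError("unknown key holder index")
    final_key = xor_merge(
        salted_hash(text, record["salts"][idx]) for idx, text in entered.items()
    )
    # Try the stored key seeds one by one; the saved seed hash decides the match.
    for nonce, ciphertext in record["blobs"]:
        candidate = stream_xor(final_key, nonce, ciphertext)
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), record["seed_hash"]):
            return candidate
    raise ValueError("decryption error: no stored key seed matches the entered components")


if __name__ == "__main__":
    seed = os.urandom(48)  # constructed sample seed
    parts = ["alpha-1", "bravo-22", "charlie-333", "delta-4444", "echo-55555"]  # constructed
    record = protect_seed(seed, parts, m=3)
    print(len(record["blobs"]), "key seeds stored")
    print(recover_seed(record, {0: parts[0], 2: parts[2], 4: parts[4]}) == seed)
```

With five components and a threshold of three, the record holds ten encrypted copies of the seed, and a single wrong component makes every trial decryption fail the hash comparison.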
In various embodiments, for software wallets of system 400, the key component may be entered when the seed is created and used, and the key may be deleted after use by the system. The data layer may only save its security seed and corresponding discrete value. For a software wallet, the key is entered when the seed is created and used, and then destroyed (the key plaintext will be covered). Under this condition, only the seed and its discrete values of the ciphertext are saved. Therefore, the seed can be unlocked only when the physical device, the keys controlled by external personnel (i.e., multiple keys), and the key algorithm are mastered at the same time. In this regard, security of the seed is enhanced by the methods and process of system 400. For example, when the software wallet is backed up by the system, a number of key seeds (e.g., 10) protected by N key components (e.g., 10) in the KeyStore will be backed up. The completeness/integrity of the ten key seeds may be verified through checking any three of the ten key components. The system may record the backed up data to at least three non-rewritable ROMs and store the ROMs in three different locations. In this regard, physical security of the backed up data is enhanced. For example, once one or two of the ROMs are destroyed by natural disasters, the remaining copy or copies of the ROM(s) may still work and the stored data (key seeds) of the ROM(s) could be obtained to back up and recover the keys. If the current wallet is damaged (e.g., data is manually deleted and not recoverable, the hard drive for storing data is damaged, and other situations in which data is not recoverable), it may be restored through the backup seed combined with the cold wallet application.
In various embodiments, wallet system 400 may maintain information such as, for example, audit logs which may be stored in local data files of the wallet (for example, the cold wallet application) . In various embodiments, the cold wallet application may be able to access the data files only when it is running. In this regard, users of the Cold Wallet Application are inhibited from altering or destroying the data file. For example, a user who has performed an improper operation may want to delete the audit log and destroy the record of the improper operation.
The system may enable enhanced data quality and security by allowing only a root user to set permissions for data files to be ‘accessible during runtime’. In various embodiments, the system may receive an access request from each of a first super admin, a second super admin, and a third super admin at the cold wallet application. The system may assign a root user in response to receiving each of the access requests from the super users. Having assigned the root user, the system may enable an accessible during runtime status of the data file in response to a request from the root user.
In various embodiments, the cold wallet application may receive three key components 920 at the cold wallet application 1400. In response, the cold wallet application may start process 904 and pass a generate address request message 922 to the security proxy 1008. In response, security proxy 1008 may send forward message 924 to keystore 1008. The keystore 1008 may unlock the key (e.g., generated by process 902) and provide a return address 926 to the security proxy 1008. In response to receiving the return address, security proxy 1008 may send a forward message 928 comprising the return address to the cold wallet application 1400. In response, the cold wallet application 1400 may return a create success message 930 to the users 906. In various embodiments, the logical processing functions may be centralized in the cold wallet application, while sensitive information is stored in the HSM or keystore. In various embodiments, the HSM and the keystore may be both physically and logically separated.
With renewed reference to FIG. 4, in various embodiments, a review of the digital asset may be performed to transfer the digital asset from a temporary wallet 402, 418, 434 to the associated cold wallet 410, 426, 442. In various embodiments, the review of the digital asset may be an Anti-Money Laundering (AML) review. In various embodiments, if the digital asset passes the review, the digital asset may be transferred to a cold wallet (see FIGs 5 and 6). The cold wallet 410, 426, 442 may be a client wallet. The cold wallet 410, 426, 442 may be an offline wallet. In various embodiments, the cold wallet 410, 426, 442 may be connected to a network or the internet. In various embodiments, a benefit of using a temporary wallet may be to separate the client’s assets to be transferred and reviewed from the other assets. The temporary wallet may be used for anti-money laundering review or audit when the client deposits new funds. The temporary wallet may be arranged in the asset custody module 104 as an online or hot wallet.
In various embodiments, the exchange platform system may verify the digital asset by checking the hash (or other features related to the source of the funds) to determine that it meets certain standards. For example, the system may check the addresses of the incoming funds against a whitelist of addresses. In another example, the system may mark or report source features such as large inflows or outflows of assets from a client account. In another example, the system may check behavioral features such as an increase in the number of withdrawals from a previously low activity account. For example, the system may calculate an average rate variance for an account over a selectable time horizon (e.g., transactions per minute per week) and may generate an alert where the rate variance exceeds a rate variance threshold value. The exchange platform system may store the hash of digital asset associated with the temporary wallet. The exchange platform may then submit the hash to a third-party administration agency (e.g., risk management system 182) . The third party administration agency may be a secondary review system. The third-party administration agency may run AML review using the hash of the wallet. The third-party administration agency may return a YES or NO result to the exchange platform based on the AML review. The third-party administration agency may use the hash as a key. The hash may enable the third-party review system to review AML required information, such as transactional records without having to receive the associated private keys. If the review result is YES, the system tags the digital asset as passed AML review, and enables transfer to the cold wallet. If the review result is NO, it fails AML review, and the digital asset does not transfer to the cold wallet. If the asset meets the AML requirement, the asset may be transferred to a wallet address of the system.
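The whitelist check on incoming funds and the rate-variance alert described above, run over a few constructed events, as an added Python example that is not code from the patent. It reads "rate variance" as the squared deviation of the latest window's withdrawal count from the mean of the earlier windows, which is an assumption; the event fields, account names, addresses and threshold are constructed for illustration.

```python
from statistics import mean

DAY = 86400  # seconds

# Constructed sample events: one week of activity, timestamps in seconds from 0.
SAMPLE_EVENTS = (
    [{"account": "acct-A", "kind": "withdrawal", "ts": d * DAY + 3600} for d in range(7)]
    + [{"account": "acct-B", "kind": "withdrawal", "ts": 2 * DAY + 60}]
    + [{"account": "acct-B", "kind": "withdrawal", "ts": 6 * DAY + 600 * i} for i in range(9)]
    + [{"account": "acct-C", "kind": "deposit", "ts": 5 * DAY, "source": "addr-unknown-1"},
       {"account": "acct-A", "kind": "deposit", "ts": 1 * DAY, "source": "addr-known-1"}]
)
WHITELIST = {"addr-known-1"}  # constructed whitelist of source addresses


def window_counts(timestamps, start, window, n_windows):
    """Count events per fixed window over the selected time horizon."""
    counts = [0] * n_windows
    for ts in timestamps:
        idx = int((ts - start) // window)
        if 0 <= idx < n_windows:
            counts[idx] += 1
    return counts


def rate_variance(counts):
    """Return (baseline, squared deviation of the latest window from the baseline),
    where the baseline is the mean count of all earlier windows."""
    if len(counts) < 2:
        raise ValueError("at least two windows are needed to form a baseline")
    baseline = mean(counts[:-1])
    return baseline, (counts[-1] - baseline) ** 2


def review(events, whitelist, start, window, n_windows, threshold):
    """Return (account, reason) alerts for non-whitelisted deposit sources and
    for withdrawal-rate spikes on previously low-activity accounts."""
    alerts = []
    withdrawals = {}
    for ev in events:
        if ev["kind"] == "deposit" and ev["source"] not in whitelist:
            alerts.append((ev["account"], "deposit_source_not_whitelisted"))
        elif ev["kind"] == "withdrawal":
            withdrawals.setdefault(ev["account"], []).append(ev["ts"])
    for account in sorted(withdrawals):
        counts = window_counts(withdrawals[account], start, window, n_windows)
        baseline, variance = rate_variance(counts)
        # Only an increase over the baseline is treated as a spike.
        if counts[-1] > baseline and variance > threshold:
            alerts.append((account, "withdrawal_rate_spike"))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS, WHITELIST, 0, DAY, 7, threshold=16.0):
        print(alert)
```

The steady account (one withdrawal a day) produces no alert, while the account that goes from one withdrawal in six days to nine in one day does.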
In various embodiments, the temporary wallet is associated with a user, and a cold wallet is associated with a user. The temporary wallet may comprise many addresses where data can be stored. For example, a digital asset may be stored at an address in the temporary wallet. In various embodiments, the digital asset is stored at an address using an identifier or key that is used to assess the digital asset. As discussed above, the digital asset may be a cryptocurrency.
With reference to FIG. 5, in various embodiments, a deposit process 500 of the exchange platform system 100 is illustrated. In various embodiments, steps marked in the ‘exchange’ lane may be performed by the exchange system module 108 and steps marked in the ‘asset custody system lane’ may be performed by asset custody module 104. In various embodiments, the exchange system module 108 and asset custody module 104 are separate servers connected to the exchange system platform 100 via a network.
In various embodiments, a client may start process 500 by initiating a deposit (step 502). The system may receive the digital asset or data related to the digital asset. The system may complete a KYC process (step 504) (i.e., know your client/customer, a form of system-client authentication). The system may deposit the cryptocurrency or digital asset to the temporary wallet allocated by the exchange for the client. The asset custody system may detect the transfer of digital assets (step 506) and subsequently notify the exchange of the transfer (step 508).
In various embodiments, the system conducts an Anti-Money Laundering (AML) review process on the digital asset in the temporary wallet (step 510). The system will determine whether the digital asset passes the review (step 512). If the digital asset does not pass the AML review, the system may freeze the assets and accounts under the client’s name and notify the operation specialist to deal with it (step 514). If the digital asset does pass the AML review, then the review of the digital asset may also comprise determining whether the incoming fund is accepted by the system (step 516). The acceptance by the system may be based on whether the assets are supported by the exchange system module 108. If the assets are not supported by the exchange system module 108, the assets may not be included in the account and the system may notify the operations specialist to deal with it (step 518). If the assets are supported by the exchange system module 108, the digital asset may then pass to an additional review process. The system may determine whether the amount of incoming digital assets is less than the minimum deposit amount required (step 520). If the amount of incoming digital assets is less than a minimum deposit amount, the digital assets may not be included in the account and the system may notify the operations specialist to address the issue (step 522).
In various embodiments, if the digital asset passes each part of the review, the system may notify the asset custody system to transfer the assets to a corresponding cold wallet (step 524). The system may then transfer the digital assets to the cold wallet pre-configured for the client (step 526). The system may display that the client’s assets have increased correspondingly (step 528), the system may then send a notification message to the client regarding the increase (step 530), and the client may receive the notification of the increase (step 532). If the digital asset does not pass the review, the corresponding account and digital assets may be frozen by the system so that it temporarily stays at the buffer address and may not be collected or merged to a permanent wallet address of the asset custody module such as, for example, a cold wallet address. A notification may be triggered by the system and forwarded to a regulatory agency such as, for example, the Securities and Financial Commission (SFC) or other government agencies functioning similarly to the SFC in response to a digital asset not passing review.
With reference to FIG. 6, in various embodiments, a transaction process 600 may be performed by an independent wallet of the system 100. Process 600 may be started where a buyer conducts an entrusted transaction at the exchange system module 108 (step 602) and/or a seller conducts an entrusted transaction at the exchange system module 108 (step 604). The buyer and seller may both engage in a transaction, and entrust the exchange system module 108 to perform the transaction. The system may check whether both parties have sufficient underlying assets to cover the transaction value and the transaction fees. If there are insufficient underlying assets and fees, the exchange system module 108 may freeze the buyer’s corresponding underlying assets and transaction fees of the transaction (step 606). Similarly, where the seller conducts an entrusted transaction, the exchange system module 108 may freeze the corresponding target assets and transaction fees of the transaction (step 608). Where both the buyer and seller have sufficient assets to cover the transaction and the transaction fees, the exchange system module 108 may perform a transaction matchmaking process (step 610). In response, the exchange system module 108 may generate an order ID associated with the desired transaction (step 611).
In various embodiments, the exchange system module 108 may conduct a transaction clearing process whereby, after the clearing, the asset may be kept in a frozen state until the settlement is completed (step 612). Exchange system module 108 may notify the asset custody module 104 of the settlement completion (step 614). In response, the asset custody module 104 may then transfer the underlying assets from the buyer’s wallet to the seller’s wallet (step 616) and/or transfer the target assets from the seller’s wallet to the buyer’s wallet (step 618). The system may transfer the underlying assets from the buyer's wallet address to the seller's address and transfer the target assets from the seller's wallet to the buyer's wallet, simultaneously, or in an order, or step-by-step. The asset custody module 104 may then notify the exchange system module 108 of the settlement success, the corresponding results, and the on-chain transaction hash (step 620). The exchange system module 108 then may bind the on-chain transaction hash to the order ID associated with the transaction (step 622). After the settlement, the exchange system module 108 may update the asset accounts, transaction fee accounts, and miner fee accounts of the clients (step 624). The exchange system module 108 may then notify the clients that the transaction is complete (step 626).
With reference to FIGs. 7A-7C, in various embodiments, a withdrawal process 700 of system 100 is illustrated. The withdrawal process 700 includes a plurality of withdrawal steps; the steps of the withdrawal process 700 may be conducted in any order.
The client may initiate a withdrawal via the web client interface 112 (step 702). The client might also select a withdrawal address from a saved withdrawal address whitelist. The client may enter a cryptocurrency type and amount (step 704) and choose a withdrawal address from the whitelist (step 706). The client may add an address for withdrawal. Specifically, if it is the first time for a client to initiate a withdrawal, the client may input the withdrawal address manually. The client may then confirm the withdrawal (step 708).
In various embodiments, the exchange system module 108 may then conduct a review process. The review process may include determining by the exchange system module 108 whether the market is closed (step 710). The review process may include determining by the exchange system module 104 whether the client account is frozen (step 714). The review process may include determining by the exchange system module 104 whether withdrawals are disabled (step 718). If the market is closed, the exchange system module 108 will notify the client (via the web client interface 112) that the market is closed (step 712). If the account is frozen, the exchange system module 108 may notify the client (via the web client interface 112) that the account is frozen (step 716). Similarly, where withdrawals are disabled, the exchange system module 108 may notify the client via the web client interface 112 that withdrawals are disabled (step 720). The exchange system module 108 may determine if a password free period is used (step 722). If a password free period is not used, the exchange system module 108 may be configured to wait for entry of the withdrawal password (step 724). The exchange system module 108 may further determine if the type of currency is restricted to be withdrawn (step 728). If so, the exchange system module 108 may notify the client that this type of currency is restricted (step 726).
If not, the exchange system module 108 may then determine if there are sufficient assets to enable the withdrawal (step 730). If the assets are not sufficient, the system may notify the client of insufficient assets (step 732). The exchange system module 108 may determine if the assets exceed a daily withdrawal maximum (e.g., an asset outflow threshold) (step 733). If the assets exceed a daily withdrawal maximum, then the exchange system module 108 will notify the client that he/she exceeds the daily withdrawal maximum (step 734). The exchange may determine if the digital asset exceeds the face ID-free limit for daily use or single use withdrawal (step 736). If so, the system proceeds to perform facial authentication (step 738). The system may then freeze the relevant assets in the account pending withdrawal (step 740). The system may also be configured to conduct an AML review process on the pending withdrawal (step 742). If the withdrawal does not pass the AML review 742, the system will unfreeze the corresponding assets in real time (step 744), update the status to withdraw failed (step 748) and notify the client that withdrawal failed (step 750). If the withdrawal passes AML Review, the exchange system module 108 may notify the asset custody module 104 to transfer the assets (step 746).
In various embodiments, if the withdrawal process passes each step of the review, the address may be added to the system’s withdrawal whitelist which may be maintained by the asset custody module 104. The asset custody module 104 may notify the operations specialist to initiate withdrawal in the cold wallet (step 760). The ops specialist may perform the optical communications process described above herein to conduct a manual withdrawal from the cold wallet (step 758). The asset custody module 104 may notify the result to the exchange system module 108 (step 756). The exchange system module 108 may then deduct the amount frozen in assets (step 754), and notify the client of the transaction result (step 752).
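The review gates of withdrawal process 700 can be expressed as an ordered pipeline, shown here as an added Python example that is not code from the patent. The names, limits and status strings are hypothetical; it assumes the daily maximum is measured cumulatively, that a non-positive amount is rejected (a guard the flowchart does not list), and that an AML service error counts as a failed review.

```python
from dataclasses import dataclass, field
from decimal import Decimal

ZERO = Decimal(0)


@dataclass
class Policy:
    market_open: bool = True
    withdrawals_enabled: bool = True
    restricted: frozenset = frozenset()
    daily_max: Decimal = Decimal("10")        # constructed limits
    face_free_single: Decimal = Decimal("1")
    face_free_daily: Decimal = Decimal("3")


@dataclass
class Client:
    balance: dict
    frozen: dict = field(default_factory=dict)
    account_frozen: bool = False
    password_free: bool = False
    withdrawn_today: dict = field(default_factory=dict)
    whitelist: set = field(default_factory=set)


@dataclass
class Request:
    currency: str
    amount: Decimal
    address: str
    password_ok: bool = False
    face_ok: bool = False


@dataclass
class Decision:
    status: str
    step: int
    reason: str
    trail: list   # flowchart steps actually reached, for the audit log


def review_withdrawal(req, client, policy, aml_review):
    """Run the gates in flowchart order; the first failing gate decides."""
    cur, amt = req.currency, req.amount
    today = client.withdrawn_today.get(cur, ZERO) + amt
    needs_face = amt > policy.face_free_single or today > policy.face_free_daily
    gates = [
        (710, not policy.market_open, "market closed"),
        (714, client.account_frozen, "account frozen"),
        (718, not policy.withdrawals_enabled, "withdrawals disabled"),
        (722, not (client.password_free or req.password_ok), "withdrawal password required"),
        (728, cur in policy.restricted, "currency restricted"),
        # amt <= 0 is an added guard: a negative amount would pass the balance test.
        (730, amt <= ZERO or client.balance.get(cur, ZERO) < amt, "insufficient assets"),
        (733, today > policy.daily_max, "daily withdrawal maximum exceeded"),
        (736, needs_face and not req.face_ok, "facial authentication required"),
    ]
    trail = []
    for step, failed, reason in gates:
        trail.append(step)
        if failed:
            return Decision("REJECTED", step, reason, trail)  # nothing frozen yet

    # Step 740: freeze before AML so the funds cannot be spent during review.
    client.balance[cur] -= amt
    client.frozen[cur] = client.frozen.get(cur, ZERO) + amt
    trail += [740, 742]
    try:
        passed = bool(aml_review(req))
    except Exception:
        passed = False  # fail closed: an AML outage never lets a withdrawal through
    if not passed:
        # Steps 744/748: unfreeze in real time and mark the withdrawal failed.
        client.frozen[cur] -= amt
        client.balance[cur] += amt
        trail += [744, 748]
        return Decision("WITHDRAW_FAILED", 742, "AML review not passed", trail)
    client.whitelist.add(req.address)  # whitelisted only after every gate passed
    trail.append(746)
    return Decision("SENT_TO_CUSTODY", 746, "custody notified", trail)


def on_custody_success(req, client):
    # Step 754: deduct the frozen amount once custody reports the result.
    client.frozen[req.currency] -= req.amount
    spent = client.withdrawn_today.get(req.currency, ZERO)
    client.withdrawn_today[req.currency] = spent + req.amount


def demo():
    # Constructed client, request and AML stub.
    client = Client(balance={"BTC": Decimal("2")})
    req = Request("BTC", Decimal("0.5"), "addr-constructed-1", password_ok=True)
    return client, req, review_withdrawal(req, client, Policy(), lambda r: True)
```

Every rejection before step 740 leaves balances untouched, and the only path that holds funds frozen is the one that has already been handed to custody.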
Benefits, other advantages, and solutions to problems have been described herein with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any elements that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as critical, required, or essential features or elements of the disclosure. The scope of the disclosure is accordingly limited by nothing other than the appended claims, in which reference to an element in the singular is not intended to mean "one and only one" unless explicitly so stated, but rather “one or more.” Moreover, where a phrase similar to 'at least one of A, B, and C' or 'at least one of A, B, or C' is used in the claims or specification, it is intended that the phrase be interpreted to mean that A alone may be present in an embodiment, B alone may be present in an embodiment, C alone may be present in an embodiment, or that any combination of the elements A, B and C may be present in a single embodiment; for example, A and B, A and C, B and C, or A and B and C. Although the disclosure includes a method, it is contemplated that it may be embodied as computer program instructions on a tangible computer-readable carrier, such as a magnetic or optical memory or a magnetic or optical disk. All structural, chemical, and functional equivalents to the elements of the above-described various embodiments that are known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the present claims. Moreover, it is not necessary for a device or method to address each and every problem sought to be solved by the present disclosure for it to be encompassed by the present claims. Furthermore, no element, component, or method step in the present disclosure is intended to be dedicated to the public regardless of whether the element, component, or method step is explicitly recited in the claims.
No claim element is intended to invoke 35 U.S.C. § 112(f) unless the element is expressly recited using the phrase “means for” or “step for”. As used herein, the terms “comprises,” “comprising,” or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Terms and phrases similar to “associate” and/or “associating” may include tagging, flagging, correlating, using a look-up table or any other method or system for indicating or creating a relationship between elements, such as, for example, (i) a transaction account and (ii) an item (e.g., offer, reward, discount) and/or digital channel. Moreover, the associating may occur at any point, in response to any suitable action, event, or period of time. The associating may occur at pre-determined intervals, periodically, randomly, once, more than once, or in response to a suitable request or action. Any of the information may be distributed and/or accessed via a software enabled link, wherein the link may be sent via an email, text, post, social network input, and/or any other method known in the art.
The term “non-transitory” is to be understood to remove only propagating transitory signals per se from the claim scope and does not relinquish rights to all standard computer-readable media that are not only propagating transitory signals per se. Stated another way, the meaning of the term “non-transitory computer-readable medium” and “non-transitory computer-readable storage medium” should be construed to exclude only those types of transitory computer-readable media which were found in In re Nuijten to fall outside the scope of patentable subject matter under 35 U.S.C. § 101.
In various embodiments, components, modules, and/or engines of system 100 may be implemented as micro-applications or micro-apps. Micro-apps are typically deployed in the context of a mobile operating system, including for example, a mobile operating system, an operating system, an iOS operating system, a company’s operating system, and the like. The micro-app may be configured to leverage the resources of the larger operating system and associated hardware via a set of predetermined rules which govern the operations of various operating systems and hardware resources. For example, where a micro-app desires to communicate with a device or network other than the mobile device or mobile operating system, the micro-app may leverage the communication protocol of the operating system and associated device hardware under the predetermined rules of the mobile operating system. Moreover, where the micro-app desires an input from a user, the micro-app may be configured to request a response from the operating system which monitors various hardware components and then communicates a detected input from the hardware to the micro-app.
The system and method may be described herein in terms of functional block components, screen shots, optional selections, and various processing steps. It should be appreciated that such functional blocks may be realized by any number of hardware and/or software components configured to perform the specified functions. For example, the system may employ various integrated circuit components, e.g., memory elements, processing elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. Similarly, the software elements of the system may be implemented with any programming or scripting language such as C, C++, C#, Object Notation (JSON), VBScript, Macromedia COLD FUSION, COBOL, company’s Active Server Pages, assembly, PHP, awk, Visual Basic, SQL Stored Procedures, PL/SQL, any shell script, and extensible markup language (XML) with the various algorithms being implemented with any combination of data structures, objects, processes, routines or other programming elements. Further, it should be noted that the system may employ any number of conventional techniques for data transmission, signaling, data processing, network control, and the like. Still further, the system could be used to detect or prevent security issues with a client-side scripting language, such as VBScript, or the like.
The system and method are described herein with reference to screen shots, block diagrams and flowchart illustrations of methods, apparatus, and computer program products according to various embodiments. It will be understood that each functional block of the block diagrams and the flowchart illustrations, and combinations of functional blocks in the block diagrams and flowchart illustrations, respectively, can be implemented by computer program instructions.
Accordingly, functional blocks of the block diagrams and flowchart illustrations support combinations of means for performing the specified functions, combinations of steps for performing the specified functions, and program instruction means for performing the specified functions. It will also be understood that each functional block of the block diagrams and flowchart illustrations, and combinations of functional blocks in the block diagrams and flowchart illustrations, can be implemented by either special purpose hardware-based computer systems which perform the specified functions or steps, or suitable combinations of special purpose hardware and computer instructions. Further, illustrations of the process flows and the descriptions thereof may make reference to user applications, webpages, websites, web forms, prompts, etc. Practitioners will appreciate that the illustrated steps described herein may comprise, in any number of configurations, including the use of applications, webpages, web forms, popup applications, prompts, and the like. It should be further appreciated that the multiple steps as illustrated and described may be combined into single webpages and/or applications but have been expanded for the sake of simplicity. In other cases, steps illustrated and described as single process steps may be separated into multiple webpages and/or applications but have been combined for simplicity.
In various embodiments, the software elements of the system may also be implemented using a run-time environment configured to execute code outside of a web browser. For example, the software elements of the system may also be implemented using components. programs may implement several modules to handle various core functionalities. For example, a package management module, such as may be implemented as an open source library to aid in organizing the installation and management of third-party programs. programs may also implement a process manager, such as, for example, Parallel Multithreaded Machine (“PM2”); a resource and performance monitoring tool, such as, for example, Node Application Metrics (“appmetrics”); a library module for building user interfaces, and/or any other suitable and/or desired module.
Middleware may include any hardware and/or software suitably configured to facilitate communications and/or process transactions between disparate computing systems. Middleware components are commercially available and known in the art. Middleware may be implemented through commercially available hardware and/or software, through custom hardware and/or software components, or through a combination thereof. Middleware may reside in a variety of configurations and may exist as a standalone system or may be a software component residing on the internet server. Middleware may be configured to process transactions between the various components of an application server and any number of internal or external systems for any of the purposes disclosed herein.
MQTM (formerly MQSeries) by Inc. (Armonk, NY) is an example of a commercially available middleware product. An Enterprise Service Bus (“ESB”) application is another example of middleware.
The computers discussed herein may provide a suitable website or other internet-based graphical user interface which is accessible by users. In one embodiment, company’s Internet Information Services (IIS), Transaction Server (MTS) service, and an SQL database, are used in conjunction with operating systems, WINDOWS web server software, SQL database, and Commerce Server. Additionally, components such as software, SQL database, software, software, software, software, software, etc., may be used to provide an Active Data Object (ADO) compliant database management system. In one embodiment, the web server is used in conjunction with a operating system, a database, and PHP, Ruby, and/or programming languages.
For the sake of brevity, conventional data networking, application development, and other functional aspects of the systems (and components of the individual operating components of the systems) may not be described in detail herein. Furthermore, the connecting lines shown in the various figures contained herein are intended to represent exemplary functional relationships and/or physical couplings between the various elements. It should be noted that many alternative or additional functional relationships or physical connections may be present in a practical system.
In various embodiments, the methods described herein are implemented using the various particular machines described herein. The methods described herein may be implemented using the below particular machines, and those hereinafter developed, in any suitable combination, as would be appreciated immediately by one skilled in the art. Further, as is unambiguous from this disclosure, the methods described herein may result in various transformations of certain articles.
In various embodiments, the system and various components may integrate with one or more smart digital assistant technologies. For example, exemplary smart digital assistant technologies may include the system developed by the company, the GOOGLE system developed by Alphabet, Inc., the system of the company, and/or similar digital assistant technologies. The system, GOOGLE system, and system, may each provide cloud-based voice activation services that can assist with tasks, entertainment, general information, and more. All the devices, such as the AMAZON AMAZON ECHO AMAZON and AMAZON TV, have access to the system. The system, GOOGLE system, and system may receive voice commands via its voice activation technology, activate other functions, control smart devices, and/or gather information. For example, the smart digital assistant technologies may be used to interact with music, emails, texts, phone calls, question answering, home improvement information, smart home communication/activation, games, shopping, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and providing weather, traffic, and other real time information, such as news. The GOOGLE and systems may also allow the user to access information about eligible transaction accounts linked to an online account across all digital assistant-enabled devices.
The various system components discussed herein may include one or more of the following: a host server or other computing systems including a processor for processing digital data; a memory coupled to the processor for storing digital data; an input digitizer coupled to the processor for inputting digital data; an application program stored in the memory and accessible by the processor for directing processing of digital data by the processor; a display device coupled to the processor and memory for displaying information derived from digital data processed by the processor; and a plurality of databases. Various databases used herein may include: client data; merchant data; financial institution data; and/or like data useful in the operation of the system. As those skilled in the art will appreciate, user computer may include an operating system (e.g., etc.) as well as various conventional support software and drivers typically associated with computers.
The present system or any part(s) or function(s) thereof may be implemented using hardware, software, or a combination thereof and may be implemented in one or more computer systems or other processing systems. However, the manipulations performed by embodiments may be referred to in terms, such as matching or selecting, which are commonly associated with mental operations performed by a human operator. No such capability of a human operator is necessary, or desirable, in most cases, in any of the operations described herein. Rather, the operations may be machine operations or any of the operations may be conducted or enhanced by artificial intelligence (AI) or machine learning. AI may refer generally to the study of agents (e.g., machines, computer-based systems, etc.) that perceive the world around them, form plans, and make decisions to achieve their goals. Foundations of AI include mathematics, logic, philosophy, probability, linguistics, neuroscience, and decision theory. Many fields fall under the umbrella of AI, such as computer vision, robotics, machine learning, and natural language processing. Useful machines for performing the various embodiments include general purpose digital computers or similar devices.
In various embodiments, the embodiments are directed toward one or more computer systems capable of carrying out the functionalities described herein. The computer system includes one or more processors. The processor is connected to a communication infrastructure (e.g., a communications bus, cross-over bar, network, etc.). Various software embodiments are described in terms of this exemplary computer system. After reading this description, it will become apparent to a person skilled in the relevant art(s) how to implement various embodiments using other computer systems and/or architectures. The computer system can include a display interface that forwards graphics, text, and other data from the communication infrastructure (or from a frame buffer not shown) for display on a display unit.
The computer system also includes a main memory, such as random access memory (RAM), and may also include a secondary memory. The secondary memory may include, for example, a hard disk drive, a solid-state drive, and/or a removable storage drive. The removable storage drive reads from and/or writes to a removable storage unit in a well-known manner. As will be appreciated, the removable storage unit includes a computer usable storage medium having stored therein computer software and/or data.
In various embodiments, secondary memory may include other similar devices for allowing computer programs or other instructions to be loaded into a computer system. Such devices may include, for example, a removable storage unit and an interface. Examples of such may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an erasable programmable read only memory (EPROM), programmable read only memory (PROM)) and associated socket, or other removable storage units and interfaces, which allow software and data to be transferred from the removable storage unit to a computer system.
The terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as removable storage drive and a hard disk installed in hard disk drive. These computer program products provide software to a computer system.
The computer system may also include a communications interface. A communications interface allows software and data to be transferred between the computer system and external devices. Examples of such a communications interface may include a modem, a network interface (such as an Ethernet card), a communications port, etc. Software and data transferred via the communications interface are in the form of signals which may be electronic, electromagnetic, optical, or other signals capable of being received by communications interface. These signals are provided to communications interface via a communications path (e.g., channel). This channel carries signals and may be implemented using wire, cable, fiber optics, a telephone line, a cellular link, a radio frequency (RF) link, wireless and other communications channels.
In various embodiments, the server may include application servers (e.g., POSTGRES PLUS ADVANCED etc.). In various embodiments, the server may include web servers (e.g., Apache, IIS, Web Server, SUN System Web Server, Virtual Machine running on or operating systems).
A web client includes any device or software which communicates via any network, such as, for example any device or software discussed herein. The web client may include internet browsing software installed within a computing unit or system to conduct online transactions and/or communications. These computing units or systems may take the form of a computer or set of computers, although other types of computing units or systems may be used, including personal computers, laptops, notebooks, tablets, smart phones, cellular phones, personal digital assistants, servers, pooled servers, mainframe computers, distributed computing clusters, kiosks, terminals, point of sale (POS) devices or terminals, televisions, or any other device capable of receiving data over a network. The web client may include an operating system (e.g., WINDOWS operating systems, operating system, operating systems, operating systems, etc.) as well as various conventional support software and drivers typically associated with computers. The web-client may also run INTERNET software, software, GOOGLE CHROME TM software, software, or any other of the myriad software packages available for browsing the internet.
As those skilled in the art will appreciate, the web client may or may not be in direct contact with the server (e.g., application server, web server, etc., as discussed herein). For example, the web client may access the services of the server through another server and/or hardware component, which may have a direct or indirect connection to an internet server. For example, the web client may communicate with the server via a load balancer. In various embodiments, web client access is through a network or the internet through a commercially-available web-browser software package. In that regard, the web client may be in a home or business environment with access to the network or the internet. The web client may implement security protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). A web client may implement several application layer protocols including HTTP, HTTPS, FTP, and SFTP.
The various system components may be independently, separately, or collectively suitably coupled to the network via data links which includes, for example, a connection to an Internet Service Provider (ISP) over the local loop as is typically used in connection with standard modem communication, cable modem, DISH ISDN, Digital Subscriber Line (DSL), or various wireless communication methods. It is noted that the network may be implemented as other types of networks, such as an interactive television (ITV) network. Moreover, the system contemplates the use, sale, or distribution of any goods, services, or information over any network having similar functionality described herein.
The system contemplates uses in association with web services, utility computing, pervasive and individualized computing, security and identity solutions, autonomic computing, cloud computing, commodity computing, mobility and wireless solutions, open source, biometrics, grid computing, and/or mesh computing.
Any of the communications, inputs, storage, databases or displays discussed herein may be facilitated through a website having web pages. The term “web page” as it is used herein is not meant to limit the type of documents and applications that might be used to interact with the user. For example, a typical website might include, in addition to standard HTML documents, various forms, applets, programs, active server pages (ASP), common gateway interface scripts (CGI), extensible markup language (XML), dynamic HTML, cascading style sheets (CSS), AJAX (Asynchronous JAVASCRIPT And XML) programs, helper applications, plug-ins, and the like. A server may include a web service that receives a request from a web server, the request including a URL and an IP address (192.168.1.1). The web server retrieves the appropriate web pages and sends the data or applications for the web pages to the IP address. Web services are applications that are capable of interacting with other applications over a communications means, such as the internet. Web services are typically based on standards or protocols such as XML, SOAP, AJAX, WSDL and UDDI. Web services methods are well known in the art, and are covered in many standard texts. For example, representational state transfer (REST), or RESTful, web services may provide one way of enabling interoperability between applications.
The computing unit of the web client may be further equipped with an internet browser connected to the internet or an intranet using standard dial-up, cable, DSL, or any other internet protocol known in the art. Transactions originating at a web client may pass through a firewall in order to prevent unauthorized access from users of other networks. Further, additional firewalls may be deployed between the varying components of CMS to further enhance security.
Encryption may be performed by way of any of the techniques now available in the art or which may become available, e.g., Twofish, RSA, El Gamal, Schnorr signature, DSA, PGP, PKI, GPG (GnuPG), HPE Format-Preserving Encryption (FPE), Voltage, Triple DES, Blowfish, AES, MD5, HMAC, IDEA, RC6, and symmetric and asymmetric cryptosystems. The systems and methods may also incorporate SHA series cryptographic methods, elliptic curve cryptography (e.g., ECC, ECDH, ECDSA, etc.), and/or other post-quantum cryptography algorithms under development.
The firewall may include any hardware and/or software suitably configured to protect CMS components and/or enterprise computing resources from users of other networks. Further, a firewall may be configured to limit or restrict access to various systems and components behind the firewall for web clients connecting through a web server. Firewall may reside in varying configurations including Stateful Inspection, Proxy based, access control lists, and Packet Filtering among others. Firewall may be integrated within a web server or any other CMS components or may further reside as a separate entity. A firewall may implement network address translation (“NAT”) and/or network address port translation (“NAPT”). A firewall may accommodate various tunneling protocols to facilitate secure communications, such as those used in virtual private networking. A firewall may implement a demilitarized zone (“DMZ”) to facilitate communications with a public network such as the internet. A firewall may be integrated as software within an internet server or any other application server components, reside within another computing device, or take the form of a standalone hardware component.
Any databases discussed herein may include relational, hierarchical, graphical, blockchain, object-oriented structure, and/or any other database configurations. Any database may also include a flat file structure wherein data may be stored in a single file in the form of rows and columns, with no structure for indexing and no structural relationships between records. For example, a flat file structure may include a delimited text file, a CSV (comma-separated values) file, and/or any other suitable flat file structure. Common database products that may be used to implement the databases include by (Armonk, NY), various database products available from Corporation (Redwood Shores, CA), MICROSOFT or MICROSOFT SQL by Corporation (Redmond, Washington), by MySQL AB (Uppsala, Sweden), Redis, APACHE by MapR-DB by the corporation, or any other suitable database product. Moreover, any database may be organized in any suitable manner, for example, as data tables or lookup tables. Each record may be a single file, a series of files, a linked series of data fields, or any other data structure.
As used herein, big data may refer to partially or fully structured, semi-structured, or unstructured data sets including millions of rows and hundreds of thousands of columns. A big data set may be compiled, for example, from a history of purchase transactions over time, from web registrations, from social media, from records of charge (ROC) , from summaries of charges (SOC) , from internal data, or from other suitable sources. Big data sets may be compiled without descriptive metadata such as column types, counts, percentiles, or other interpretive-aid data points.
Association of certain data may be accomplished through any desired data association technique such as those known or practiced in the art. For example, the association may be accomplished either manually or automatically. Automatic association techniques may include, for example, a database search, a database merge, GREP, AGREP, SQL, using a key field in the tables to speed searches, sequential searches through all the tables and files, sorting records in the file according to a known order to simplify lookup, and/or the like. The association step may be accomplished by a database merge function, for example, using a “key field” in pre-selected databases or data sectors. Various database tuning steps are contemplated to optimize database performance. For example, frequently used files such as indexes may be placed on separate file systems to reduce In/Out ( “I/O” ) bottlenecks.
More particularly, a “key field” partitions the database according to the high-level class of objects defined by the key field. For example, certain types of data may be designated as a key field in a plurality of related data tables and the data tables may then be linked on the basis of the type of data in the key field. The data corresponding to the key field in each of the linked data tables is preferably the same or of the same type. However, data tables having similar, though not identical, data in the key fields may also be linked by using AGREP, for example. In accordance with one embodiment, any suitable data storage technique may be utilized to store data without a standard format. Data sets may be stored using any suitable technique, including, for example, storing individual files using an ISO/IEC 7816-4 file structure; implementing a domain whereby a dedicated file is selected that exposes one or more elementary files containing one or more data sets; using data sets stored in individual files using a hierarchical filing system; data sets stored as records in a single file (including compression, SQL accessible, hashed via one or more keys, numeric, alphabetical by first tuple, etc.); data stored as Binary Large Object (BLOB); data stored as ungrouped data elements encoded using ISO/IEC 7816-6 data elements; data stored as ungrouped data elements encoded using ISO/IEC Abstract Syntax Notation (ASN.1) as in ISO/IEC 8824 and 8825; other proprietary techniques that may include fractal compression methods, image compression methods, etc.
In various embodiments, the ability to store a wide variety of information in different formats is facilitated by storing the information as a BLOB. Thus, any binary information can be stored in a storage space associated with a data set. As discussed above, the binary information may be stored in association with the system or external to but affiliated with the system. The BLOB method may store data sets as ungrouped data elements formatted as a block of binary via a fixed memory offset using either fixed storage allocation, circular queue techniques, or best practices with respect to memory management (e.g., paged memory, least recently used, etc.). By using BLOB methods, the ability to store various data sets that have different formats facilitates the storage of data, in the database or associated with the system, by multiple and unrelated owners of the data sets. For example, a first data set which may be stored may be provided by a first party, a second data set which may be stored may be provided by an unrelated second party, and yet a third data set which may be stored may be provided by a third party unrelated to the first and second party. Each of these three exemplary data sets may contain different information that is stored using different data storage formats and/or techniques. Further, each data set may contain subsets of data that also may be distinct from other subsets.
As stated above, in various embodiments, the data can be stored without regard to a common format. However, the data set (e.g., BLOB) may be annotated in a standard manner when provided for manipulating the data in the database or system. The annotation may comprise a short header, trailer, or other appropriate indicator related to each data set that is configured to convey information useful in managing the various data sets. For example, the annotation may be called a “condition header,” “header,” “trailer,” or “status,” herein, and may comprise an indication of the status of the data set or may include an identifier correlated to a specific issuer or owner of the data. In one example, the first three bytes of each data set BLOB may be configured or configurable to indicate the status of that particular data set; e.g., LOADED, INITIALIZED, READY, BLOCKED, REMOVABLE, or DELETED. Subsequent bytes of data may be used to indicate, for example, the identity of the issuer, user, transaction/membership account identifier or the like. Each of these condition annotations is further discussed herein.
The data set annotation may also be used for other types of status information as well as various other purposes. For example, the data set annotation may include security information establishing access levels. The access levels may, for example, be configured to permit only certain individuals, levels of employees, companies, or other entities to access data sets, or to permit access to specific data sets based on the transaction, merchant, issuer, user, or the like. Furthermore, the security information may restrict/permit only certain actions, such as accessing, modifying, and/or deleting data sets. In one example, the data set annotation indicates that only the data set owner or the user are permitted to delete a data set, various identified users may be permitted to access the data set for reading, and others are altogether excluded from accessing the data set. However, other access restriction parameters may also be used allowing various entities to access a data set with various permission levels as appropriate.
The data, including the header or trailer, may be received by a standalone interaction device configured to add, delete, modify, or augment the data in accordance with the header or trailer. As such, in one embodiment, the header or trailer is not stored on the transaction device along with the associated issuer-owned data, but instead the appropriate action may be taken by providing to the user, at the standalone device, the appropriate option for the action to be taken. The system may contemplate a data storage arrangement wherein the header or trailer, or header or trailer history, of the data is stored on the system, device or transaction instrument in relation to the appropriate data.
One skilled in the art will also appreciate that, for security reasons, any databases, systems, devices, servers, or other components of the system may consist of any combination thereof at a single location or at multiple locations, wherein each database or system includes any of various suitable security features, such as firewalls, access codes, encryption, decryption, compression, decompression, and/or the like.
Practitioners will also appreciate that there are a number of methods for displaying data within a browser-based document. Data may be represented as standard text or within a fixed list, scrollable list, drop-down list, editable text field, fixed text field, pop-up window, and the like. Likewise, there are a number of methods available for modifying data in a web page such as, for example, free text entry using a keyboard, selection of menu items, check boxes, option boxes, and the like.
The data may be big data that is processed by a distributed computing cluster. The distributed computing cluster may be, for example, a software cluster configured to process and store big data sets with some of the nodes comprising a distributed storage system and some of the nodes comprising a distributed processing system. In that regard, the distributed computing cluster may be configured to support a software distributed file system (HDFS) as specified by the Apache Software Foundation at www.hadoop.apache.org/docs.
Any database discussed herein may comprise a distributed ledger maintained by a plurality of computing devices (e.g., nodes) over a peer-to-peer network. Each computing device maintains a copy and/or partial copy of the distributed ledger and communicates with one or more other computing devices in the network to validate and write data to the distributed ledger. The distributed ledger may use features and functionality of blockchain technology, including, for example, consensus-based validation, immutability, and cryptographically chained blocks of data. The blockchain may comprise a ledger of interconnected blocks containing data. The blockchain may provide enhanced security because each block may hold individual transactions and the results of any blockchain executables. Each block may link to the previous block and may include a timestamp. Blocks may be linked because each block may include the hash of the prior block in the blockchain. The linked blocks form a chain, with only one successor block allowed to link to one other predecessor block for a single chain. Forks may be possible where divergent chains are established from a previously uniform blockchain, though typically only one of the divergent chains will be maintained as the consensus chain. In various embodiments, the blockchain may implement smart contracts that enforce data workflows in a decentralized manner. The system may also include applications deployed on user devices such as, for example, computers, tablets, smartphones, Internet of Things devices (“IoT” devices), etc. The applications may communicate with the blockchain (e.g., directly or via a blockchain node) to transmit and retrieve data. In various embodiments, a governing organization or consortium may control access to data stored on the blockchain. Registration with the managing organization(s) may enable participation in the blockchain network.
Data transfers performed through the blockchain-based system may propagate to the connected peers within the blockchain network within a duration that may be determined by the block creation time of the specific blockchain technology implemented. For example, on an based network, a new data entry may become available within about 13-20 seconds as of the writing. On a Fabric 1.0 based platform, the duration is driven by the specific consensus algorithm that is chosen, and may be performed within seconds. In that respect, propagation times in the system may be improved compared to existing systems, and implementation costs and time to market may also be drastically reduced. The system also offers increased security at least partially due to the immutable nature of data that is stored in the blockchain, reducing the probability of tampering with various data inputs and outputs. Moreover, the system may also offer increased security of data by performing cryptographic processes on the data prior to storing the data on the blockchain. Therefore, by transmitting, storing, and accessing data using the system described herein, the security of the data is improved, which decreases the risk of the computer or network being compromised.
The particular blockchain implementation described herein provides improvements over conventional technology by using a decentralized database and improved processing environments. In particular, the blockchain implementation improves computer performance by, for example, leveraging decentralized resources (e.g., lower latency). The distributed computational resources improve computer performance by, for example, reducing processing times. Furthermore, the distributed computational resources improve computer performance by improving security using, for example, cryptographic protocols.
In various embodiments, the system may also reduce database synchronization errors by providing a common data structure, thus at least partially improving the integrity of stored data. The system also offers increased reliability and fault tolerance over traditional databases (e.g., relational databases, distributed databases, etc.) as each node operates with a full copy of the stored data, thus at least partially reducing downtime due to localized network outages and hardware failures. The system may also increase the reliability of data transfers in a network environment having reliable and unreliable peers, as each node broadcasts messages to all connected peers, and, as each block comprises a link to a previous block, a node may quickly detect a missing block and propagate a request for the missing block to the other nodes in the blockchain network.
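The link check described above (each block carries the hash of the prior block, so a node can notice a gap and ask its peers for the block it lacks) can be shown in a few lines of Python. This is an added example, not code from the patent; the block fields, the genesis marker and the function names are assumptions, and the sample chain is constructed.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed marker meaning "no predecessor"
FIELDS = ("index", "timestamp", "prev_hash", "data")  # assumed block layout


def block_hash(block: dict) -> str:
    """SHA-256 over the block's content fields (the stored hash is excluded)."""
    body = json.dumps({k: block[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def make_chain(entries, start_time=1_700_000_000, interval=15):
    """Build a constructed chain in which each block stores the prior block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(entries):
        block = {"index": i, "timestamp": start_time + i * interval,
                 "prev_hash": prev, "data": data}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def audit(received):
    """Check the blocks a node holds.

    tampered: indexes whose content no longer matches the stored hash.
    missing:  (index, prev_hash) pairs whose predecessor is not held; the
              prev_hash is what the node would request from its peers.
    """
    # Links are satisfied only by recomputed hashes, so a block whose content
    # was altered cannot stand in for the predecessor its successor expects.
    known = {block_hash(b) for b in received}
    tampered = [b["index"] for b in received if block_hash(b) != b["hash"]]
    missing = [(b["index"], b["prev_hash"]) for b in received
               if b["prev_hash"] != GENESIS_PREV and b["prev_hash"] not in known]
    return {"tampered": tampered, "missing": missing}


if __name__ == "__main__":
    chain = make_chain(["tx-a", "tx-b", "tx-c", "tx-d"])  # constructed entries
    print(audit(chain))                   # intact chain
    print(audit(chain[:2] + chain[3:]))   # block 2 never arrived
```

Altering a block's data also breaks the link from its successor, so one edit surfaces both as a tampered block and as a predecessor the node no longer holds.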
As used herein, the term “network” includes any cloud, cloud computing system, or electronic communications system or method which incorporates hardware and/or software components. Communication among the parties may be accomplished through any suitable communication channels, such as, for example, a telephone network, an extranet, an intranet, internet, point of interaction device (point of sale device, personal digital assistant (e.g., an device, a device), cellular phone, kiosk, etc.), online communications, satellite communications, off-line communications, wireless communications, transponder communications, local area network (LAN), wide area network (WAN), virtual private network (VPN), networked or linked devices, keyboard, mouse, and/or any suitable communication or data input modality. Moreover, although the system is frequently described herein as being implemented with TCP/IP communications protocols, the system may also be implemented using IPX, program, IP-6, NetBIOS, OSI, any tunneling protocol (e.g. IPsec, SSH, etc.), or any number of existing or future protocols. If the network is in the nature of a public network, such as the internet, it may be advantageous to presume the network to be insecure and open to eavesdroppers. Specific information related to the protocols, standards, and application software utilized in connection with the internet is generally known to those skilled in the art and, as such, need not be detailed herein.
“Cloud” or “Cloud computing” includes a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing may include location-independent computing, whereby shared servers provide resources, software, and data to computers and other devices on demand.
As used herein, “transmit” may include sending electronic data from one system component to another over a network connection. Additionally, as used herein, “data” may include encompassing information such as commands, queries, files, data for storage, and the like in digital or any other form.
Any communication, transmission, and/or channel discussed herein may include any system or method for delivering content (e.g. data, information, metadata, etc.), and/or the content itself. The content may be presented in any form or medium, and in various embodiments, the content may be delivered electronically and/or capable of being presented electronically. For example, a channel may comprise a website, mobile application, or device (e.g., APPLE AMAZON GOOGLE CHROMECAST™, etc.) a uniform resource locator (“URL”), a document (e.g., a Word or EXCEL™, an Portable Document Format (PDF) document, etc.), an “ebook,” an “emagazine,” an application or microapplication (as described herein), a short message service (SMS) or other type of text message, an email, a message, a tweet, multimedia messaging services (MMS), and/or other type of communication technology. In various embodiments, a channel may be hosted or provided by a data partner. In various embodiments, the distribution channel may comprise at least one of a merchant website, a social media website, affiliate or partner websites, an external vendor, a mobile device communication, social media network, and/or location based service. Distribution channels may include at least one of a merchant website, a social media site, affiliate or partner websites, an external vendor, and a mobile device communication. Examples of social media sites include and the like. Examples of affiliate or partner websites include AMERICAN and the like. Moreover, examples of mobile device communications include texting, email, and mobile applications for smartphones.
Phrases and terms similar to an “item” may include any good, service, information, experience, entertainment, data, offer, discount, rebate, points, virtual currency, content, access, rental, lease, contribution, account, credit, debit, benefit, right, reward, points, coupons, credits, monetary equivalent, anything of value, something of minimal or no value, monetary value, non-monetary value and/or the like. Moreover, the “transactions” or “purchases” discussed herein may be associated with an item. Furthermore, a “reward” may be an item.
A “consumer profile” or “consumer profile data” may comprise any information or data about a consumer that describes an attribute associated with the consumer (e.g., a preference, an interest, demographic information, personally identifying information, and the like).
In various embodiments, an account number may identify a consumer. In addition, in various embodiments, a consumer may be identified by a variety of identifiers, including, for example, an email address, a telephone number, a cookie id, a radio frequency identifier (RFID), a biometric, and the like.
Phrases and terms similar to a “party” may include any individual, consumer, customer, group, business, organization, government entity, transaction account issuer or processor (e.g., credit, charge, etc.), merchant, consortium of merchants, account holder, charitable organization, software, hardware, and/or any other type of entity. The terms “user,” “consumer,” “purchaser,” and/or the plural form of these terms are used interchangeably throughout herein to refer to those persons or entities that are alleged to be authorized to use a transaction account.
As used herein, the term “end user,” “consumer,” “customer,” “user,” “business,” or “merchant” may be used interchangeably with each other, and each shall mean any person, entity, government organization, business, machine, hardware, and/or software. A bank may be part of the system, but the bank may represent other types of card issuing institutions, such as credit card companies, card sponsoring companies, or third party issuers under contract with financial institutions. It is further noted that other participants may be involved in some phases of the transaction, such as an intermediary settlement institution, but these participants are not shown.
The customer may be identified as a customer of interest to a merchant based on the customer’s transaction history at the merchant, types of transactions, type of transaction account, frequency of transactions, number of transactions, lack of transactions, timing of transactions, transaction history at other merchants, demographic information, personal information (e.g., gender, race, religion), social media or any other online information, potential for transacting with the merchant, and/or any other factors.
Phrases and terms similar to “business” or “merchant” may be used interchangeably with each other and shall mean any person, entity, distributor system, software, and/or hardware that is a provider, broker, and/or any other entity in the distribution chain of goods or services. For example, a merchant may be a grocery store, a retail store, a travel agency, a service provider, an on-line merchant, or the like.
The disclosure and claims do not describe only a particular outcome of a system for cold wallets, but the disclosure and claims include specific rules for implementing the outcome of cold wallets and that render information into a specific format that is then used and applied to create the desired results of a system for cold wallets, as set forth in McRO, Inc. v. Bandai Namco Games America Inc. (Fed. Cir. case number 15-1080, Sept 13, 2016). In other words, the outcome of a system for cold wallets can be performed by many different types of rules and combinations of rules, and this disclosure includes various embodiments with specific rules. While the absence of complete preemption may not guarantee that a claim is eligible, the disclosure does not sufficiently preempt the field of a system for cold wallets at all. The disclosure acts to narrow, confine, and otherwise tie down the disclosure so as not to cover the general abstract idea of just a system for cold wallets. Significantly, other systems and methods exist for a system for cold wallets, so it would be inappropriate to assert that the claimed invention preempts the field or monopolizes the basic tools of a system for cold wallets. In other words, the disclosure will not prevent others from a system for cold wallets, because other systems are already performing the functionality in different ways than the claimed invention. Moreover, the claimed invention includes an inventive concept that may be found in the non-conventional and non-generic arrangement of known, conventional pieces, in conformance with Bascom v. AT&T Mobility, 2015-1763 (Fed. Cir. 2016). The disclosure and claims go way beyond any conventionality of any one of the systems in that the interaction and synergy of the systems leads to additional functionality that is not provided by any one of the systems operating independently.
The disclosure and claims may also include the interaction between multiple different systems, so the disclosure cannot be considered an implementation of a generic computer, or just “apply it” to an abstract process. The disclosure and claims may also be directed to improvements to software with a specific implementation of a solution to a problem in the software arts.
Claims (20)
1. A method comprising: creating, by a computer based system, a wallet of a cold wallet application in response to a request to create a wallet from a user; generating, by the computer based system, a cold wallet cryptocurrency address of the cold wallet application; importing, by the computer based system, a hot wallet cryptocurrency address to the cold wallet application; importing, by the computer based system, a transaction data of an exchange system module to the cold wallet application; signing, by the computer based system, the transaction via the cold wallet application to generate a signed transaction; and exporting, by the computer based system, the signed transaction from the cold wallet application to the exchange system module.
2. The method of claim 1, further comprising: generating, by the computer based system, a first QR code comprising the hot wallet cryptocurrency address and the transaction data of the exchange system module; and receiving, by the computer based system, the hot wallet cryptocurrency address and the transaction data of the exchange system module at the cold wallet application in response to optical recognition of the first QR code.
3. The method of claim 1, further comprising: generating, by the computer based system and via the cold wallet application, a second QR code comprising the signed transaction; receiving, by the computer based system, the signed transaction at the exchange system module in response to optical recognition of the second QR code.
4. The method of claim 1, further comprising: receiving, by the computer based system, an access request from a first super admin at the cold wallet application; creating, by the computer based system, a user account for the user in the cold wallet application in response to a user creation request from the first super admin; setting, by the computer based system, permissions for the user account in response to a permissions setting from the first super admin, wherein the permissions include enabling the request to create a wallet.
5. The method of claim 1, further comprising: creating, by the computer based system, an activity log associated with the cold wallet application and the user; and recording, by the computer based system, each of an action, the user associated with the action, and a timestamp in the activity log, wherein the action is an operation performed via the cold wallet application in response to a user request.
6. The method of claim 4, further comprising: receiving, by the computer based system, each of the access request from the first super admin, an access request from a second super admin, and an access request from a third super admin at the cold wallet application; assigning, by the computer based system, a root user in response to receiving each of the access requests at the cold wallet application; enabling, by the computer based system, an accessible during runtime status for a data file in response to a request from the root user.
7. The method of claim 1, further comprising comparing, by the computer based system, the signed transaction with an asset outflow threshold; comparing, by the computer based system, the signed transaction with a time horizon threshold; inhibiting, by the computer based system, processing of the signed transaction in response to the signed transaction exceeding the asset outflow threshold; and inhibiting, by the computer based system, processing of the signed transaction in response to the signed transaction exceeding the time horizon threshold.
8. The method of claim 1, further comprising: receiving, by the computer based system, N key components; discretizing, by the computer based system, the N key components via a hashing algorithm into a plurality of N key component parts; combining, by the computer based system, the plurality of N key component parts to generate X keys; and encrypting, by the computer based system, the X keys to generate X key seeds.
9. The method of claim 8, further comprising: performing, by the computer based system, an encryption process, wherein the encryption process comprises:
   keys = <key1, key2, …keym>
   saults = <sault1, sault2, …saultm>
   keys’ = keys + saults = <key1’, key2’, …keym’>
   keymatrix = keys’_m^n = [ {key1’, key2’, …, keyn’}, …, {key2’, key3’, …, keym’} ]
   finalkeys = [ {key1’ XOR key2’ XOR …keyn’}, …, {key2’ XOR key3’ XOR …keym’} ] = <finalkey1, finalkey2, finalkeyk>, k = C_m^n
   encrypteddatas = finalkeys encrypt data = {encrypteddata1, encrypteddata2…, encrypteddatak}.
10. The method of claim 8, further comprising: performing, by the computer based system, a decryption process, wherein the decryption process comprises:
   keys = <key1, key2, …keyn>
   saults = <sault1, sault2, …saultn>
   keys1 = keys + saults = <key1’, key2’, keyn’>
   finalkey = key1’ XOR key2’ …XOR keyn’
   finalkey decrypt encrypteddatas = data.
11. A computer-based system, comprising: a processor; and a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause the processor to perform operations comprising: creating, by the processor, a wallet of a cold wallet application in response to a request to create a wallet from a user; generating, by the processor, a cold wallet cryptocurrency address of the cold wallet application; importing, by the processor, a hot wallet cryptocurrency address to the cold wallet application; importing, by the processor, a transaction data of an exchange system module to the cold wallet application; signing, by the processor, the transaction via the cold wallet application to generate a signed transaction; and exporting, by the processor, the signed transaction from the cold wallet application to the exchange system module.
12. The computer based system of claim 11, wherein the operations further comprise: generating, by the processor, a first QR code comprising the hot wallet cryptocurrency address and the transaction data of the exchange system module; and receiving, by the processor, the hot wallet cryptocurrency address and the transaction data of the exchange system module at the cold wallet application in response to optical recognition of the first QR code.
13. The computer based system of claim 11, wherein the operations further comprise: generating, by the processor and via the cold wallet application, a second QR code comprising the signed transaction; receiving, by the processor, the signed transaction at the exchange system module in response to optical recognition of the second QR code.
14. The computer based system of claim 11, wherein the operations further comprise: receiving, by the processor, an access request from a first super admin at the cold wallet application; creating, by the processor, a user account for the user in the cold wallet application in response to a user creation request from the first super admin; setting, by the processor, permissions for the user account in response to a permissions setting from the first super admin, wherein the permissions include enabling the request to create a wallet.
15. The computer based system of claim 11, wherein the operations further comprise: creating, by the processor, an activity log associated with the cold wallet application and the user; and recording, by the processor, each of an action, the user associated with the action, and a timestamp in the activity log, wherein the action is an operation performed via the cold wallet application in response to a user request.
16. The computer based system of claim 14, wherein the operations further comprise: receiving, by the processor, each of the access request from the first super admin, an access request from a second super admin, and an access request from a third super admin at the cold wallet application; assigning, by the processor, a root user in response to receiving each of the access requests at the cold wallet application; enabling, by the processor, an accessible during runtime status for a data file in response to a request from the root user.
17. The computer based system of claim 11, wherein the operations further comprise: comparing, by the processor, the signed transaction with an asset outflow threshold; comparing, by the processor, the signed transaction with a time horizon threshold; inhibiting, by the processor, processing of the signed transaction in response to the signed transaction exceeding the asset outflow threshold; and inhibiting, by the processor, processing of the signed transaction in response to the signed transaction exceeding the time horizon threshold.
18. The computer based system of claim 11, further comprising: receiving, by the processor, N key components; discretizing, by the processor, the N key components via a hashing algorithm into a plurality of N key component parts; combining, by the processor, the plurality of N key component parts to generate X keys; and encrypting, by the processor, the X keys to generate X key seeds.
19. The computer based system of claim 18, further comprising: performing, by the processor, an encryption process, wherein the encryption process comprises:
   keys = <key1, key2, …keym>
   saults = <sault1, sault2, …saultm>
   keys’ = keys + saults = <key1’, key2’, …keym’>
   keymatrix = keys’_m^n = [ {key1’, key2’, …, keyn’}, …, {key2’, key3’, …, keym’} ]
   finalkeys = [ {key1’ XOR key2’ XOR …keyn’}, …, {key2’ XOR key3’ XOR …keym’} ] = <finalkey1, finalkey2, finalkeyk>, k = C_m^n
   encrypteddatas = finalkeys encrypt data = {encrypteddata1, encrypteddata2…, encrypteddatak};
   and performing, by the processor, a decryption process, wherein the decryption process comprises:
   keys = <key1, key2, …keyn>
   saults = <sault1, sault2, …saultn>
   keys1 = keys + saults = <key1’, key2’, keyn’>
   finalkey = key1’ XOR key2’ …XOR keyn’
   finalkey decrypt encrypteddatas = data.
20. An article of manufacture including a non-transitory, tangible computer readable storage medium having instructions stored thereon that, in response to execution by a computer based system, cause the computer based system to perform operations comprising: creating, by the computer based system, a wallet of a cold wallet application in response to a request to create a wallet from a user; generating, by the computer based system, a cold wallet cryptocurrency address of the cold wallet application; importing, by the computer based system, a hot wallet cryptocurrency address to the cold wallet application; importing, by the computer based system, a transaction data of an exchange platform to the cold wallet application; signing, by the computer based system, the transaction via the cold wallet application to generate a signed transaction; and exporting, by the computer based system, the signed transaction from the cold wallet application to the exchange platform.
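The encryption and decryption processes recited in the claims above (salted keys, one XOR-combined final key per n-of-m subset, one encrypted copy per final key) are worked through below in Python. This is an added example, not code from the patent: modelling “keys + saults” as a SHA-256 hash of salt and key, the holder labels, the function names and the stand-in cipher are all assumptions, and the sample keys are constructed.

```python
import hashlib
import hmac
import itertools
import secrets

KEY_LEN = 32  # bytes; every salted key and final key has this length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted(key: bytes, salt: bytes) -> bytes:
    """key' = key + sault. Assumption: '+' is modelled as SHA-256 over a
    length-prefixed salt followed by the key, giving a fixed-length key'."""
    return hashlib.sha256(len(salt).to_bytes(2, "big") + salt + key).digest()


def final_key(holders, keys, salts) -> bytes:
    """finalkey = XOR of key' over one subset of key holders."""
    out = bytes(KEY_LEN)
    for h in sorted(holders):
        out = xor_bytes(out, salted(keys[h], salts[h]))
    return out


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(fkey: bytes, data: bytes) -> bytes:
    """Stand-in authenticated cipher (SHA-256 keystream plus HMAC tag) so the
    example runs on the standard library; a deployment would use a vetted AEAD."""
    enc_key = hmac.new(fkey, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(fkey, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(data, keystream(enc_key, nonce, len(data)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(fkey: bytes, blob: bytes):
    """Return the plaintext, or None when the authentication tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(fkey, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(fkey, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


def encrypt_n_of_m(keys, salts, n, data):
    """Encryption process: one sealed copy per n-subset of the m holders,
    so the result holds C(m, n) copies keyed by the subset that opens each."""
    if not 1 <= n <= len(keys):
        raise ValueError("n must be between 1 and the number of keys")
    return {frozenset(c): seal(final_key(c, keys, salts), data)
            for c in itertools.combinations(sorted(keys), n)}


def decrypt_with_quorum(presented, salts, encrypted):
    """Decryption process: the presented holders' keys rebuild one final key.
    Returns None for a subset of the wrong size or for any wrong key."""
    blob = encrypted.get(frozenset(presented))
    if blob is None:
        return None
    return unseal(final_key(presented, presented, salts), blob)


if __name__ == "__main__":
    holders = ["A", "B", "C"]  # constructed holder labels and random keys
    keys = {h: secrets.token_bytes(KEY_LEN) for h in holders}
    salts = {h: secrets.token_bytes(16) for h in holders}
    copies = encrypt_n_of_m(keys, salts, 2, b"constructed wallet secret")
    print(len(copies), decrypt_with_quorum({"A": keys["A"], "C": keys["C"]}, salts, copies))
```

Because every final key is an XOR of salted keys, the final keys are not independent of one another: with n = 2, the XOR of the (A, B) and (B, C) final keys equals the (A, C) final key.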
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/142825 WO2023123151A1 (en) | 2021-12-30 | 2021-12-30 | Systems and methods for cold wallets |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/142825 WO2023123151A1 (en) | 2021-12-30 | 2021-12-30 | Systems and methods for cold wallets |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023123151A1 (en) | 2023-07-06 |
Family
ID=86996980
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/142825 WO2023123151A1 (en) | 2021-12-30 | 2021-12-30 | Systems and methods for cold wallets |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2023123151A1 (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190378119A1 (en) * | 2018-06-12 | 2019-12-12 | Fressets Inc. | Wallet device for cryptocurrency and method of signature for the use thereof |
CN109801068A (en) * | 2019-01-04 | 2019-05-24 | 深圳银链科技有限公司 | Digital cash management system, method, cold wallet and the hot money packet of wallet is isolated |
CN110674516A (en) * | 2019-09-18 | 2020-01-10 | 腾讯科技(深圳)有限公司 | Permission configuration method and device of electronic bill management system and computer equipment |
CN113132088A (en) * | 2019-12-30 | 2021-07-16 | 中移(上海)信息通信科技有限公司 | Digital currency management system |
CN111260363A (en) * | 2020-01-14 | 2020-06-09 | 上海和数软件有限公司 | Public benefit fund supervision method, device, equipment and medium based on block chain |
CN111526021A (en) * | 2020-04-10 | 2020-08-11 | 厦门慢雾科技有限公司 | Block chain private key security management method |
CN112615864A (en) * | 2020-12-18 | 2021-04-06 | 上海万向区块链股份公司 | Role-based access control management system and method implemented by block chain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 21969518; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |