aepp-sdk-js
Expose secret key of `MemoryAccount`
For security reasons (as I understand it), the secret keys of MemoryAccounts are stored separately and are inaccessible from outside the memory account module. https://github.com/aeternity/aepp-sdk-js/blob/66568bebba9a3bdc3344e13fdcd4da867da11404/src/account/Memory.ts#L29
The sign method is not protected in any way, so if a malicious actor has direct access to a MemoryAccount instance, they can sign arbitrary data (like a SpendTx). They can also steal the account by making it generalized (similar to knowing the private key).
Protecting the private key doesn't bring significant benefits because of the above, but it decreases the usability of the recently introduced generate method. Currently generate can't be used if the generated account needs to be persisted, because there is no access to the secret key. I propose adding a secretKey getter to allow using MemoryAccount instead of generateKeyPair, and deprecating the latter.
If necessary, secret key hiding can be implemented on the user side by inheriting from MemoryAccount, like
```js
import { MemoryAccount } from '@aeternity/aepp-sdk';

// Subclass that refuses to hand out the key while keeping the rest of MemoryAccount intact.
class MemoryAccountProtected extends MemoryAccount {
  get secretKey() {
    throw new Error('Access to private key is forbidden.');
  }
}
```
Shouldn't we rather protect sign also? Making basically everything unprotected by default would open up risks when using ae in the backend, and we would have to tell people that the safe way of doing things is not the default MemoryAccount, but that they need to use something different.
Why would we need a getter for the secret key in a memory account, as it should be known to the dev anyway? It's used for generating the memory account after all.
> Shouldn't we rather protect sign also?

The idea is that the developer should build something on top of MemoryAccount, like a UI that asks the user to confirm signing, or a route hook that ensures the request is legitimate.

> Why would we need a getter for the secret key in memory account

As I wrote above, otherwise an account generated by MemoryAccount.generate() can't be persisted, which reduces the usability of the generate method.