Secure keyring storage

[poka-IT]

Do you provide a way to store an encrypted keyring with a password?
If not, do you recommend a way to do this?

I was using Hive with PointyCastle encryption to store the seed, but I think there is a better solution to avoid having to regenerate the keyring based on the seed at each startup.

[leonardocustodio]

Encryption is the way to do but you should not store the whole cipher in the database. That means if anyone could get access to the mobile and access the database somehow it would be able to get the user seed. What usually everybody does is to add the user password (that he will have to add to unlock the wallet) to the cipher itself. This way the only way to regenerate the seed is with the user input and even if his phone got hacked it would still be secured.

This also means don't regenerate the key on startup, there is no reason to, you should keep the seed in memory the least amount of time as possible and delete it as soon as possible. What I mean is, only regenerate the key when you are going to sign a transaction, when you are done signing and sent to the chain. Delete it again.

You don't need the seed to show information in the UI / history or all other things, to fetch info you have the publicKey (that can be stored normally) and you should use the public key for everything unless you are going to sign the tx and in that way you would do what we said.

[poka-IT]

Yes I understand password encryption should not be store with encrypted data =)
It's a user input for sure.

I mean I'm thinking about the easiest and more secure way to do with Dart.

This is an example of what I could do with pointycastle package:

String encrypt(String seedHex, String password) {
  final keyDerivator = _createKeyDerivator(password);
  final key = keyDerivator.process(utf8.encode(password));

  final iv = _createRandomIV();
  final params = crypto.ParametersWithIV(crypto.KeyParameter(key), iv);

  final cipher = AESFastEngine();
  cipher.init(true, params); // true for encryption

  final input = _pad(utf8.encode(seedHex), cipher.blockSize);
  final output = cipher.process(input);

  return base64.encode(iv + output); // IV is stored with the encrypted text
}

String decrypt(String cipherText, String password) {
  final keyDerivator = _createKeyDerivator(password);
  final key = keyDerivator.process(utf8.encode(password));

  final cipherData = base64.decode(cipherText);
  final iv = cipherData.sublist(0, 16); // IV is the first 16 bytes
  final data = cipherData.sublist(16);

  final params = crypto.ParametersWithIV(crypto.KeyParameter(key), iv);
  final cipher = AESFastEngine();
  cipher.init(false, params); // false for decryption

  final output = cipher.process(data);
  return utf8.decode(_unpad(output));
}

PKCS5PBKDF2 _createKeyDerivator(String password) {
  final gen = PBKDF2KeyDerivator(HMac(SHA256Digest(), 64));
  gen.init(Pbkdf2Parameters(utf8.encode(password), _createRandomSalt(), 1000, 32));
  return gen;
}

Uint8List _createRandomIV() => secureRandom(16);

Uint8List _createRandomSalt() => secureRandom(8);

Uint8List _pad(Uint8List src, int blockSize) {
  final pad = blockSize - (src.length % blockSize);
  final out = Uint8List(src.length + pad)..setAll(0, src);
  out.fillRange(src.length, out.length, pad);
  return out;
}

Uint8List _unpad(Uint8List src) {
  final pad = src.last;
  return Uint8List.view(src.buffer, 0, src.length - pad);
}

// Secure random generator
Uint8List secureRandom(int length) {
  final rnd = crypto.FortunaRandom();
  final key = secureRandom(32);
  final iv = secureRandom(16);
  rnd.seed(crypto.KeyParameter(key));
  rnd.addEntropySource(crypto.IVParameter(iv));

  final random = Uint8List(length);
  for (int i = 0; i < length; i++) {
    random[i] = rnd.nextUint8();
  }
  return random;
}

Where seedHex is the hexadecimal representation of the seed, and password a user input.
Then I would store the result of encrypt(seedHex, password) in Hive box, or whatever.

would you have chosen another solution?

And I want the user to be able to display their mnemonic whenever they want, just by entering their password. So, I'm thinking of storing the mnemonic in text form instead of the seedHex.

[leonardocustodio]

@poka-IT, sorry for the late reply. You are using Hive with secure storage, right? Even with secure storage is there no possibility of using Keychain and KeyStore for you to store the encrypted seed? That would be way safer as the data would not be available in the app for download.

[poka-IT]

i'm sorry but I don't understand what you mean.
I can use Hive with openEncryptedBox function to store encrypted mnemonic with the encrypt((String mnemonicHex, String password)) I shown you, using AESFastEngine of pointycastle package.

It's just a suggestion, I can do whatever I want. I was asking what are you doing you for instance ?

I dont understand what you mean by "data would not be available in the app for download".

[leonardocustodio]

So what I was trying to say is that if you were just encrypting the key and saving it on Hive at the app dir we would have the following issues:

1. On iPhone, you cannot access the app storage (and thus the hive db, which is basically a file saved under the app dir) unless you saved in the public app dir, or you have a jailbreak, or the device is compromised somehow
2. On Android, it is way easier to access that file.

So if a person has access to one device, the device has malware, or it is compromised, someone can download this "hive" file.
To figure out the "hive key," this can be easily done using reverse-engineering if you use the same key for every single device.

But it seems you are already saving the whole database on KeyStore/Keychain, so that is not possible unless malware is able to fetch it from memory.

Personally, I think it would be best for you to separate both. When you load the database, it stays in memory for all the time. But you should have access to the private key only when you are going to sign a transaction, and as soon as you sign it, you should delete it from memory. So, basically, you would need to fetch it on every single transaction.

Obviously, this kind of attack needs the device to be compromised. But since we are talking about money and blockchain always better to be extra-safe.

[poka-IT]

So this is what I made:

https://git.duniter.org/clients/polkadart-demo/-/blob/master/lib/encrypt_storage.dart

If it can help others.
Do you think this could be in the scope of polkadart lib?

[leonardocustodio]

Totally agree an approach to do that automatically must be added to the roadmap.