docs(wallet): document AES-GCM key-derived nonce vulnerability#3
Open
amathxbt wants to merge 1 commit into
Open
docs(wallet): document AES-GCM key-derived nonce vulnerability#3amathxbt wants to merge 1 commit into
amathxbt wants to merge 1 commit into
Conversation
The decrypt path derives the AES-GCM IV from the first 12 bytes of the Argon2-derived key (derivedKey.slice(0, NONCE_LENGTH)). Because every password+salt pair deterministically produces the same (key, nonce) tuple, any two keystores encrypted with the same password are vulnerable to a ciphertext XOR attack that recovers plaintext without knowing the password. This is a protocol-level issue shared with the Go node; a unilateral change here would break decryption of all existing keystores. Add a prominent code comment so the risk is visible to future contributors, and open a coordinated issue to update both sides to prepend a random nonce.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security Issue
decryptPrivateKey()constructs the AES-GCM IV as the first 12 bytes of the Argon2-derived key:Because AES-GCM security requires that
(key, nonce)pairs are never reused, and here the nonce is fully determined by the key, every encryption with the same password produces the same key and the same nonce. An attacker who obtains two ciphertexts encrypted under the same password can XOR them to recover the XOR of their plaintexts without ever knowing the password—a standard GCM nonce-reuse attack.Why not fixed here
This is a protocol-level decision shared with the Go node, which generates keystores with the same scheme. Unilaterally changing the nonce on the TypeScript side would break decryption of all existing keystores. A coordinated fix is needed on both sides: prepend a random 12-byte nonce to the ciphertext on encrypt, and read it back on decrypt.
What this PR does
Adds a prominent code comment so the risk is visible to future contributors and reviewers, and provides a clear description of the correct fix to guide that follow-up work.