XRPLF / xrpl.js

A JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser
https://xrpl.org/

Does RippleAPI send 'secret' or 'key pair' parameters over the network? #1015

Closed dmitriano closed 5 years ago

dmitriano commented 5 years ago

I wonder if anyone knows how RippleAPI sign method signs the transaction. Does it send 'secret' or 'key pair' parameters over the network (websocket)? How does 'secret' relate to 'key pair'? What is the derived 'key pair'?

movitto commented 5 years ago

TLDR: no it doesn't send the secret over the network
Call sequence:

ripple-lib sign: https://github.com/ripple/ripple-lib/blob/develop/src/api.ts#L45 https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L64

calls signWithKeypair: https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L75 https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L18

which calls computeSignature: https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L50 https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L11

which calls keypairs.sign (in the keypairs lib): https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L2 https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L15 https://github.com/ripple/ripple-keypairs/blob/master/src/index.js#L92

Which dispatches to the secp256k1 or ed25519 signing routines to locally sign the transaction: https://github.com/ripple/ripple-keypairs/blob/master/src/index.js#L94

You can see these methods here and continue following it down to see how the signing algorithms are implemented if you so wish.

movitto commented 5 years ago

Keypair is the pair of public / private keys that constitute the credentials behind your XRP ledger account. The public component gets encoded in a Base58 representation (for example rvYAfWj5gh67oV6fW32ZzP3Aw4Eubs59B) which you share with the world (so as to receive payments, etc). The private component is your secret; it's critical that this information remains private, else your funds will be stolen.

To make things easier, ripple-lib (as well as our client: XRBP, implemented purely in ruby!) incorporates a mechanism to derive a generated keypair from a representation known as the 'secret' (which again should remain private to you only). This is just a convenience mechanism; the first thing any XRP client will do upon receiving a secret is to extract the public/private key components, to subsequently use in encryption / verification.

dmitriano commented 5 years ago

@movitto Did I understand correctly that there is an algorithm that can locally (without communicating with a ripple node) make a key pair from a given secret like "sa9MF8ep3bupHx1D2uSmG514BBtB8" (I got it from the test network)?

movitto commented 5 years ago

Yes, see deriveKeypairs: https://github.com/ripple/ripple-lib/blob/develop/src/transaction/sign.ts#L78 https://github.com/ripple/ripple-keypairs/blob/master/src/index.js#L73