ethereum / staking-deposit-cli

Secure key generation for deposits
Creative Commons Zero v1.0 Universal

[ToB Audit] #3: Deposit does not provide entropy validation on passwords #99

Closed CarlBeek closed 3 years ago

CarlBeek commented 4 years ago

Description

The deposit cli tool allows users to use weak or even empty passwords during the generation of keys. The tool is responsible for generating a BLS key pair. In order to protect the secret keys, the tool uses password-based key derivation functions to securely store the secrets. Therefore, when using the tool, a user should provide a password that will be used to protect these secrets:

@click.password_option(prompt='Type the password that secures your validator keystore(s)')
def main(num_validators: int, mnemonic_language: str, folder: str, chain: str, password: str) -> None:
    ...
    click.echo('Saving your keystore(s).')
    keystore_filefolders = credentials.export_keystores(password=password, folder=folder)
    click.echo('Creating your deposit(s).')
    deposits_file = credentials.export_deposit_data_json(folder=folder)
    click.echo('Verifying your keystore(s).')
    assert credentials.verify_keystores(keystore_filefolders=keystore_filefolders,
                                        password=password)
    ...

However, the Deposit CLI lacks user password validation while generating the mnemonic, which allows weak passwords to be used. This could make an offline dictionary attack possible. Moreover, when calling the CLI with an optional argument --password='', users are able to generate a mnemonic with a null password. This command line argument is undocumented in the ef-deposit-cli documentation.

Exploit Scenario

Alice uses Deposit-CLI to generate secret keys on her machine using a simple password. An attacker, Eve, tries to access the keystore by brute-forcing commonly used passwords and empty passwords. Once successful, Eve has access to the BLS signing key. This attack is made more feasible due to the fact that Eve also has access to the sensitive keys stored in the saved files, as outlined in #98.

Recommendation

Short term, add a validation check on passwords to ensure minimum length. Long term, use a password strength library/entropy calculator on user passwords to enforce the use of strong passwords.
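
A sketch of the short-term (minimum length) and long-term (strength estimate) checks recommended above, added here as an example; it is not code from this issue or from the project, and the change referenced as #138 is not shown on this page. The thresholds, the small common-password sample, the reason codes and the function names are all assumptions.

```python
import math
import string

MIN_LENGTH = 8            # assumed threshold, not taken from the project
MIN_ENTROPY_BITS = 50.0   # assumed threshold for the naive estimate below
# Constructed sample; a real check would load a much larger list of known passwords.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein123"}


def estimate_entropy_bits(password: str) -> float:
    """Naive upper bound: length * log2(size of the character classes in use).

    This overestimates dictionary words and patterns, so it complements the
    other checks rather than replacing a dedicated strength library.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable ASCII symbols and space; non-ASCII counted here too
    return len(password) * math.log2(pool) if pool else 0.0


def validate_password(password: str) -> list:
    """Return reason codes for rejecting the password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:            # also rejects --password=''
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(set(password)) <= 2:               # e.g. "aaaaaaaaaaaa"
        problems.append("low_variety")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("low_entropy")
    return problems


if __name__ == "__main__":
    for sample in ["", "password", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(repr(sample), validate_password(sample) or "accepted")
```

Run before the keystore is exported, a non-empty result would be the point at which the tool re-prompts instead of saving keys under a weak password.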

hwwhww commented 4 years ago

I'm on it.

CarlBeek commented 3 years ago

Closed via #138