Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Private key shouldn't be string

See original GitHub issue

I don’t know why do we have this?. I’m expecting these key to be a Uint8Array. https://github.com/ethers-io/ethers.js/blob/master/packages/hdnode/src.ts/index.ts#L76

Since the string won’t be wipe off from the memory easy and I don’t thing people willing leave their unencrypted private key floating in the memory.

Issue Analytics

State:
Created 3 years ago
Comments:7 (3 by maintainers)

Top GitHub Comments

1reaction

ricmoocommented, Jun 18, 2021

I’ve added a short note here, but I think that is all that really makes about sense. The JavaScript world is one with a lot of environments and while I think security is very important, there is only so much detail I can go into.

Feel free to suggest expansions to the security section though. 😃

0reactions

chiro-hirocommented, Jun 17, 2020

Yes, everything make sense. Just remind that with Uint8Array we are able to zeroed memory area what was allocated. You are right about encrypt/decrypt private key is annoying according to user experience but the person who’s using this package not only using it in front-end of dApp, some of us try to bring into the back-end (helping our customer to deal with blockchain easier without knowledge of blockchain stuffs), at this point I hope we would have some thing sort of feature that alternative to mist wallet.

.unlock(address, duration); and .lock(address), I think this approach make sense too, unencrypted private key only appear for a short duration instead of living in the memory like a zombie.

I will certainly reference this issue (and any other research you come up with) to indicate the security issues in the documentation. But in JavaScript, the additional security gained by using a Uint8Array compared to s string is likely very minimal. These problems should be fixed in the node and browsers though, by zero-ing out free-ed memory.

Just check and garbage collector won’t fill the memory with zero that’s even worser than the thing we talk here. In my experiment I need debug permit to read node’s memory.

Top Results From Across the Web

Why Private Keys Should Not be Shared - DigiCert.com

Shared private keys open up the possibility for stolen keys, and stolen keys can mean signed software with vulnerabilities or malware being ...

How to store a private key in string literal in C? - Stack Overflow

It has been said already, but I'd like to reiterate that something like that shouldn't be done with any keys and data that...

How great is the risk in publicly sharing part of a private key?

Private keys do not provide security by having a large keyspace, they provide security through the difficulty of factoring huge semiprimes.

Receiving a private key from server admin: ok or not?

Giving the private key to you is lazy -- yes, but nothing can stop you from replacing it yourself. In essence, after s/he...

SecureString Class (System.Security) - Microsoft Learn

Security; public class Example { public static void Main() { // Instantiate ... SecureString securePwd = new SecureString(); ConsoleKeyInfo key; Console.