Giter Club home page Giter Club logo

pegasus's Introduction

PEGASUS

Pegasus is a chrome extension that implements a wallet for the IOTA cryptocurrency. In addition, Pegasus injects the iotajs library allowing developers to interact with IOTA Tangle without paying attention on how to keep the seed safe.

❗ Since Pegasus is still work in progress, there could be breaking changes!

 

 

⚡ Installing

git clone https://github.com/allemanfredi/PEGASUS.git

cd PEGASUS

yarn run init

yarn build

 

  After having built the application, it needs to be loaded on chrome.

❗ How to install Chrome extensions manually

  • Go to chrome://extensions/ and check the box for Developer mode in the top right.
  • Click the Load unpacked extension button and select the build folder for your extension to install it.

 

 

🌱 How the seed is stored?

The seed is saved in the local storage of the browser, encrypted (through argon2id + AES256-GCM) with the login password that a user chooses during the wallet initialization phase. To make it more difficult to find out, the password must meet the following requirements:

  • Must contains at least 8 characters
  • Must contains at least 1 uppercase character
  • Must contains at least 1 lowercase character
  • Must contains at least 1 symbol
  • Must contains at least 1 digit

Of this password only its hash is saved in the local storage.

During the login phase, a user will have to enter a password, which will be compared with the hash (generated with argon2id) specified above. if the two hashes match (the password is correct), the wallet loads the seed from the local storage (encrypted with argon2id + AES256-GCM), decrypts it with the password just inserted and keeps it in memory together with the plain text of the password. If the wallet shows a period of inactivity of at least 60 minutes (modifiable), it will delete the value of the variables relating to seed and password. It is also possible to disable this feature from the settings page. In this way, the seed decryption key is not saved anywhere except in the mind of the user or in the RAM for only a limited period of time.

A user also has the ability to export the seed, in order to do so, first he will have to enter the login password which will always be compared with the hash (of the password) saved in the local storage. In this way, if a user loses the access password (or if he forgets it), if he has exported the seed he will be able to restore the wallet

 

 

⚙️ Architecture

 

 

💉 iota-js injection

if (window.iota) {

    window.iota.on('providerChanged', provider => ...)
    window.iota.on('accountChanged', account => ...)

    // if you want to create a connection directly
    const isConnected = await window.iota.connect()
    
    const trytes = await window.iota.core.prepareTransfers(transfers)
    const bundle = await window.iota.core.sendTrytes(trytes, depth, minWeightMagnitude)

    // or
    const bundle = await window.iota.transfer(transfers)
}

 

 

🔨 Work In Progress

  • pegasus-ledger-trampoline: Since it is not possible to access Ledger Nano S from a Google Chrome extension, i implemented a workaround: injecting an iframe to the background page of the extension, (which is hosted thanks to gh-pages here). In order to work correctly, the iframe must run under https (since U2F requires SSL). [30%]

 

 

📃 Articles

 

 

🚀 Collaboration

Code contributions are welcome!

pegasus's People

Contributors

allemanfredi avatar thoralf-m avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

iotgod thoralf-m evanfeenstra sascha1337 kalikex1 ssd1212

pegasus's Issues

Hardcoded testnet node deprecated

Hey, the routes for your testnet nodes are now/soon-to-be deprecated. Specifically nodes.testnet.iota.org & testnet140.tangle.works. I'd suggest changing to nodes.devnet.iota.org.

Cheers, lewi

"View on explorer" gives a ERR_FILE_NOT_FOUND.

Windows 10
Google Chrome Version 81.0.4044.122.

Clicking "View on explorer" on the ...-menu to the right of your wallet name takes you nowhere.
Gives you a "ERR_FILE_NOT_FOUND" on the destination.

Minimizes and goes blank after login.

Updated to latest version.

Entering my password and click Login.

Pegasus is minimized and refuse to opens. Only a small white square when clicking on the Pegasus extension before dissappearing.

Pegasus 0.11.0
Google Chrome Version 81.0.4044.138
nodes.thetangle.org used as node.

1.8f11dfbe.chunk.js:1 TypeError: Cannot read property 'latestAddress' of undefined at a.value (main.71a98b69.chunk.js:1) at Ga (1.8f11dfbe.chunk.js:1) at Fa (1.8f11dfbe.chunk.js:1) at gs (1.8f11dfbe.chunk.js:1) at gu (1.8f11dfbe.chunk.js:1) at vu (1.8f11dfbe.chunk.js:1) at cu (1.8f11dfbe.chunk.js:1) at 1.8f11dfbe.chunk.js:1 at t.unstable_runWithPriority (1.8f11dfbe.chunk.js:1) at zi (1.8f11dfbe.chunk.js:1) at Ki (1.8f11dfbe.chunk.js:1) at Yi (1.8f11dfbe.chunk.js:1) at ou (1.8f11dfbe.chunk.js:1) at Object.enqueueSetState (1.8f11dfbe.chunk.js:1) at a.m.setState (1.8f11dfbe.chunk.js:1) at a.<anonymous> (main.71a98b69.chunk.js:1)
and
Uncaught (in promise) TypeError: Cannot read property 'latestAddress' of undefined at a.value (main.71a98b69.chunk.js:1) at Ga (1.8f11dfbe.chunk.js:1) at Fa (1.8f11dfbe.chunk.js:1) at gs (1.8f11dfbe.chunk.js:1) at gu (1.8f11dfbe.chunk.js:1) at vu (1.8f11dfbe.chunk.js:1) at cu (1.8f11dfbe.chunk.js:1) at 1.8f11dfbe.chunk.js:1 at t.unstable_runWithPriority (1.8f11dfbe.chunk.js:1) at zi (1.8f11dfbe.chunk.js:1) at Ki (1.8f11dfbe.chunk.js:1) at Yi (1.8f11dfbe.chunk.js:1) at ou (1.8f11dfbe.chunk.js:1) at Object.enqueueSetState (1.8f11dfbe.chunk.js:1) at a.m.setState (1.8f11dfbe.chunk.js:1) at a.<anonymous> (main.71a98b69.chunk.js:1)

In DevTools Console.

Let me know if I can get some more information that you'll need.

Not a real issue

Nice work - if you're going to ship this into a test phase, please let me know. I would like to write an article about this project for www.einfachiota.de

If you have discord, you could add me there (huhn#0511)

Thanks 👏

Pegasus uses an already spent address

Seems i discovered a little bug in Pegasus Wallet.

I tried to get some comnet tokens from the faucet and used your integrated shortcut which fills the receive address on https://faucet.comnet.einfachiota.de/ automatically.
Pegasus filled an already spent address into the address line on the website. The faucet noticed the spent address and won´t allow to send the tokens.

But imho Pegasus should check if an address has already spent from.

Also i can´t find a function to create a new address

wallet storage crypto recommendations

The extension appears to use deprecated crypto functions for encryption and decryption of the wallet

PEGASUS/packages/utils/utils.js

Lines 97 to 109 in 0c5a7a9

aes256encrypt(text, key) {
const cipher = crypto.createCipher('aes-256-ctr', key)
let crypted = cipher.update(text, 'utf8', 'hex')
crypted += cipher.final('hex')
return crypted
},
aes256decrypt(text, key) {
const decipher = crypto.createDecipher('aes-256-ctr', key)
let dec = decipher.update(text, 'hex', 'utf8')
dec += decipher.final('utf8')
return dec
},

Deprecation notice with further explanation. https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options

Use of these, essentially allows for someone that can obtain the encrypted wallet storage, via a browser exploit or the like, to trivially brute force the wallets, as from initial inspection, I see no KDF or password hashing performed on the passed password. And the one that those deprecated functions institute are simply MD5 with no salt, which is very weak. Additionally, it is not suited for counter-mode variations.

As stated in the recommendation, use the non-deprecated one where you have to pass the IV and raw key in yourself after running it through a KDF. The crypto.scrypt is convenient, use a sufficient memory hard setting too, and not just the most basic. There is also argon2id, winner of the PHC.

This is generally standard procedure for such cases of encrypted storage. Metamask does similar https://github.com/danfinlay/browser-passworder/blob/master/index.js#L78-L102 but uses what I would consider a weak algorithm/parameter combo.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.