tornado-packages/ethers.js
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c646a0c881
ethers.js/docs/v5/concepts/security/index.html
Richard Moore c646a0c881
Updated docs build.
2020-07-03 01:54:56 -04:00

70 lines
11 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html class="paged">
<head>
<title>Security</title>
<link rel="stylesheet" type="text/css" href="/v5/static/style.css">
</head>
<body>
<div class="sidebar">
<div class="header">
<div class="logo"><a href="/v5/"><div class="image"></div><div class="name">ethers</div><div class="version">v5.0</div></a></div>
</div>
<div class="toc"><div>
<div class="link title"><a href="/v5/">Documentation</a></div><div class="base show link depth-1"><a href="/v5/getting-started/">Getting Started</a></div><div class="base ancestor show link depth-1"><a href="/v5/concepts/">Ethereum Basics</a></div><div class="show link depth-2"><a href="/v5/concepts/events/">Events</a></div><div class="show link depth-2"><a href="/v5/concepts/gas/">Gas</a></div><div class="myself ancestor ancestor show link depth-2"><a href="/v5/concepts/security/">Security</a></div><div class="base show link depth-1"><a href="/v5/api/">Application Programming Interface</a></div><div class="hide link depth-2"><a href="/v5/api/contract/">Contract Interaction</a></div><div class="hide link depth-3"><a href="/v5/api/contract/contract/">Contract</a></div><div class="hide link depth-3"><a href="/v5/api/contract/contract-factory/">ContractFactory</a></div><div class="hide link depth-3"><a href="/v5/api/contract/example/">Example: ERC-20 Contract</a></div><div class="hide link depth-2"><a href="/v5/api/signer/">Signers</a></div><div class="hide link depth-2"><a href="/v5/api/providers/">Providers</a></div><div class="hide link depth-3"><a href="/v5/api/providers/provider/">Provider</a></div><div class="hide link depth-3"><a href="/v5/api/providers/jsonrpc-provider/">JsonRpcProvider</a></div><div class="hide link depth-3"><a href="/v5/api/providers/api-providers/">API Providers</a></div><div class="hide link depth-3"><a href="/v5/api/providers/other/">Other Providers</a></div><div class="hide link depth-3"><a href="/v5/api/providers/types/">Types</a></div><div class="hide link depth-2"><a href="/v5/api/utils/">Utilities</a></div><div class="hide link depth-3"><a href="/v5/api/utils/abi/">Application Binary Interface</a></div><div class="hide link depth-4"><a href="/v5/api/utils/abi/coder/">AbiCoder</a></div><div class="hide link depth-4"><a href="/v5/api/utils/abi/formats/">ABI Formats</a></div><div class="hide link depth-4"><a href="/v5/api/utils/abi/fragments/">Fragments</a></div><div class="hide link depth-4"><a href="/v5/api/utils/abi/interface/">Interface</a></div><div class="hide link depth-3"><a href="/v5/api/utils/address/">Addresses</a></div><div class="hide link depth-3"><a href="/v5/api/utils/bignumber/">BigNumber</a></div><div class="hide link depth-3"><a href="/v5/api/utils/bytes/">Byte Manipulation</a></div><div class="hide link depth-3"><a href="/v5/api/utils/constants/">Constants</a></div><div class="hide link depth-3"><a href="/v5/api/utils/display-logic/">Display Logic and Input</a></div><div class="hide link depth-3"><a href="/v5/api/utils/encoding/">Encoding Utilities</a></div><div class="hide link depth-3"><a href="/v5/api/utils/fixednumber/">FixedNumber</a></div><div class="hide link depth-3"><a href="/v5/api/utils/hashing/">Hashing Algorithms</a></div><div class="hide link depth-3"><a href="/v5/api/utils/hdnode/">HD Wallet</a></div><div class="hide link depth-3"><a href="/v5/api/utils/logger/">Logging</a></div><div class="hide link depth-3"><a href="/v5/api/utils/properties/">Property Utilities</a></div><div class="hide link depth-3"><a href="/v5/api/utils/signing-key/">Signing Key</a></div><div class="hide link depth-3"><a href="/v5/api/utils/strings/">Strings</a></div><div class="hide link depth-3"><a href="/v5/api/utils/transactions/">Transactions</a></div><div class="hide link depth-3"><a href="/v5/api/utils/web/">Web Utilities</a></div><div class="hide link depth-3"><a href="/v5/api/utils/wordlists/">Wordlists</a></div><div class="hide link depth-2"><a href="/v5/api/other/">Other Libraries</a></div><div class="hide link depth-3"><a href="/v5/api/other/assembly/">Assembly</a></div><div class="hide link depth-4"><a href="/v5/api/other/assembly/dialect/">Ethers ASM Dialect</a></div><div class="hide link depth-4"><a href="/v5/api/other/assembly/api/">Utilities</a></div><div class="hide link depth-4"><a href="/v5/api/other/assembly/ast/">Abstract Syntax Tree</a></div><div class="hide link depth-3"><a href="/v5/api/other/hardware/">Hardware Wallets</a></div><div class="hide link depth-2"><a href="/v5/api/experimental/">Experimental</a></div><div class="base show link depth-1"><a href="/v5/cli/">Command Line Interfaces</a></div><div class="hide link depth-2"><a href="/v5/cli/ethers/">Sandbox Utility</a></div><div class="hide link depth-2"><a href="/v5/cli/asm/">Assembler</a></div><div class="hide link depth-2"><a href="/v5/cli/ens/">Ethereum Naming Service</a></div><div class="hide link depth-2"><a href="/v5/cli/typescript/">TypeScript</a></div><div class="hide link depth-2"><a href="/v5/cli/plugin/">Making Your Own</a></div><div class="base show link depth-1"><a href="/v5/cookbook/">Cookbook</a></div><div class="base show link depth-1"><a href="/v5/migration/">Migration Guide</a></div><div class="hide link depth-2"><a href="/v5/migration/web3/">Migration: From Web3.js</a></div><div class="hide link depth-2"><a href="/v5/migration/ethers-v4/">Migration: From Ethers v4</a></div><div class="base show link depth-1"><a href="/v5/testing/">Testing</a></div><div class="base show link depth-1"><a href="/v5/contributing/">Contributing and Hacking</a></div><div class="base show link depth-1"><a href="/v5/documentation/">Flatworm Docs</a></div><div class="base show link depth-1"><a href="/v5/license/">License and Copyright</a></div>
</div></div>
</div>
<div class="content">
<div class="breadcrumbs"><a href="/v5/">Documentation</a>&nbsp;&nbsp;&raquo;&nbsp;&nbsp;<a href="/v5/concepts/">Ethereum Basics</a>&nbsp;&nbsp;&raquo;&nbsp;&nbsp;<span class="current">Security</span></div>
<a name="security"></a><a name="security"></a><h1 class="show-anchors"><div>Security<div class="anchors"><a class="self" href="/v5/concepts/security/#security"></a></div></div></h1>
<a name="security--pbkdf"></a><a name="security--security--pbkdf"></a><h2 class="show-anchors"><div>Key Derivation Functions<div class="anchors"><a class="self" href="/v5/concepts/security/#security--pbkdf"></a></div></div></h2><p>This is not specific to Ethereum, but is a useful technique to understand and has some implications on User Experience.</p>
<p>Many people are concerned that encrypting and decrypting an Ethereum wallet is quite slow and can take quite some time. It is important to understand this is intentional and provides much stronger security.</p>
<p>The algorithm usually used for this process is <a href="https://en.wikipedia.org/wiki/Scrypt">scrypt</a>, which is a memory and CPU intensive algorithm which computes a key (fixed-length pseudo-random series of bytes) for a given password.</p>
<a name="security--security--pbkdf--why-does-it-take-so-long"></a><h3 class="show-anchors"><div>Why does it take so long?<div class="anchors"><a class="self" href="/v5/concepts/security/#security--security--pbkdf--why-does-it-take-so-long"></a></div></div></h3><p>The goal is to use as much CPU and memory as possible during this algorithm, so that a single computer can only compute a very small number of results for some fixed amount of time. To scale up an attack, the attacker requires additional compuers, increasing the cost to <a href="https://en.wikipedia.org/wiki/Brute-force_attack">brute-force attack</a> to guess the password.</p>
<p>For example, if a user knows their correct password, this process may take 10 seconds for them to unlock their own wallet and proceed.</p>
<p>But since an attacker does not know the password, they must guess; and each guess also requires 10 seconds. So, if they wish to try guessing 1 million passwords, their computer would be completely tied up for 10 million seconds, or around 115 days.</p>
<p>Without using an algorithm like this, a user would be able to log in instantly, however, 1 million passwords would only take a few seconds to attempt. Even secure passwords would likely be broken within a short period of time. There is no way the algorithm can be faster for a legitimate user without also being faster for an attacker.</p>
<a name="security--security--pbkdf--mitigating-the-user-experience"></a><h3 class="show-anchors"><div>Mitigating the User Experience<div class="anchors"><a class="self" href="/v5/concepts/security/#security--security--pbkdf--mitigating-the-user-experience"></a></div></div></h3><p>Rather than reducing the security (see below), a better practice is to make the user feel better about waiting. The Ethers encryption and decryption API allows the developer to incorporate a progress bar, by passing in a progress callback which will be periodically called with a number between 0 and 1 indication percent completion.</p>
<p>In general a progress bar makes the experience feel faster, as well as more comfortable since there is a clear indication how much (relative) time is remaining. Additionally, using language like <i>"decrypting..."</i> in a progress bar makes a user feel like there time is not being <i>needlessly</i> wasted.</p>
<a name="security--security--pbkdf--work-arounds-not-recommended"></a><h3 class="show-anchors"><div>Work-Arounds (not recommended)<div class="anchors"><a class="self" href="/v5/concepts/security/#security--security--pbkdf--work-arounds-not-recommended"></a></div></div></h3><p>There are ways to reduce the time required to decrypt an Ethereum JSON Wallet, but please keep in mind that doing so <b>discards nearly all security</b> on that wallet.</p>
<p>The scrypt algorithm is designed to be tuned. The main purpose of this is to increase the difficulty as time goes on and computers get faster, but it can also be tuned down in situations where the security is less important.</p>
<div class="code"><span class="comment">// Our wallet object
</span>const wallet = Wallet.createRandom();
<span class="comment">// The password to encrypt with
</span>const password = "password123";
<span class="comment">// WARNING: Doing this substantially reduces the security
</span><span class="comment">// of the wallet. This is highly NOT recommended.
</span>
<span class="comment">// We override the default scrypt.N value, which is used
</span><span class="comment">// to indicate the difficulty to crack this wallet.
</span>const json = wallet.encrypt(password, {
scrypt: {
<span class="comment"> // The number must be a power of 2 (default: 131072)
</span> N: 64
}
});
</div>
<div class="footer">
<div class="nav previous"><a href="/v5/concepts/gas/"><span class="arrow">&larr;</span>Gas</a></div>
<div class="nav next"><a href="/v5/api/">Application Programming Interface<span class="arrow">&rarr;</span></a></div>
</div>
<div class="copyright">The content of this site is licensed under the <a href="https://choosealicense.com/licenses/cc-by-4.0/">Creative Commons License</a>. Generated on July 3, 2020, 1:44am.</div>
</div>
<script src="/v5/static/script.js" type="text/javascript"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink