Enhance Local Password and Key Management Security

Open fabohax opened this issue 1 year ago • 2 comments

The current implementation of password and private key handling stores decrypted private keys in localStorage, which poses a significant security risk:

auth.ts:

nuxtClientInit() {
  const decryptedPrivKey = ref<string | null>(localStorage.getItem(AUTH_LOCAL_STORAGE_DECRYPTED_KEY));
  if (decryptedPrivKey.value) {
    try {
      this.privKey = decryptedPrivKey.value;
      this.pubKey = getPublicKey(Buffer.from(this.privKey, 'hex'));
      this.authMethod = AuthMethod.LOCAL;
    } catch (err) {
      console.warn('Error setting local key from local storage: ', err);
      this.delete();
    }
  }
  watch(() => this.privKey, (newVal) => {
    localStorage.setItem(AUTH_LOCAL_STORAGE_DECRYPTED_KEY, newVal || '');
  });
},

Here are suggested fixes:

  1. Avoid storing decrypted private keys:
    • Keep decrypted keys in memory and never persist them to localStorage.
    • Use Vue's reactive state or composables to handle keys temporarily.
  2. Use the Web Crypto API for encryption:
    • Encrypt sensitive data before storing it.
    • Derive keys securely using a passphrase with PBKDF2 or Argon2.
  3. Implement a TTL (Time-to-Live):
    • Add an expiration mechanism for encrypted keys stored in localStorage.

fabohax, Dec 16 '24 08:12