Description
Bug Report Template
Please use this template to report bugs or vulnerabilities. Please fill out all the sections below:
1. Bug/Vulnerability Description
Low iterations for Key and Hash in Wallet
2. Hardware and Software Specifications
- Chrome
3. Steps to Reproduce
When the wallet extension derives the key and the hash, the following functions are called:

```typescript
// Reported code, unchanged: fixed salt "salt", a single PBKDF2 iteration, 16-byte output
getHash(password: string, type: string = 'sha512') {
  return pbkdf2.pbkdf2Sync(password, 'salt', 1, 128 / 8, type)
}

// Reported code, unchanged: per-wallet salt, but still only one PBKDF2 iteration
getKey(password: string, type: string = 'sha512'): string {
  return pbkdf2.pbkdf2Sync(password, this.getSalt(), 1, 128 / 8, type)
}
```

In both `pbkdf2Sync` calls the number of iterations is only 1.
4. Impact Analysis
The purpose of using a key derivation function like PBKDF2 (Password-Based Key Derivation Function 2) is to make it computationally expensive and time-consuming for an attacker to derive the original password or key. Setting the number of iterations to 1 essentially eliminates this strengthening effect: an attacker can cheaply test a large number of candidate passwords or keys. The wallet also does not enforce any strong password policy, so a user can enter a simple password such as "12345678", it will be accepted, and it will be used to generate the key. To produce a strong key, enforce a strong password policy (alphanumeric with special characters) to increase the security of the derived key.
5. Code Fix Submission
It is advised to increase the iteration count. Although the exact value depends on the performance budget of the application, it should be greater than 1000 rather than 1.
6. Choose the Right Label
Security Issue
Thank you for contributing to the improvement of our project! 👨‍💻👩‍💻
Swisstronik internal use only
- Not duplicate issue
- Appropriate labels applied