How does GateHub store passwords and secret keys?

[T8493]

GateHub TOS says:

Quote

Your Ripple Wallet is protected from unauthorized access and use by others via a secret key and password held by you alone. GateHub does not have access to your secret keys (we store them in an encrypted state). All account information except these secret keys can be restored.

Questions:

• If all "account information except these secret keys" can be restored, then the password can be restored, too. Is this true? This doesn't sound ok. So how does GateHub store passwords?
• When I enter my password on signin.gatehub.net, the password is sent to a server in a non hashed form. Does this mean that GateHub can use this password to decrypt my secret keys (on their computers, not in the browser)? If they can do it in the browser, then they can do it on their computers, too. I thought GateHub didn't have access to secret keys (except in the browser).
• It looks like the secret keys are encrypted with some master key. What is the point of this master key if GateHub can access passwords in non hashed form?
• What happens to an old master key when I change the password? Is it permanently deleted from GateHub servers? Is it deleted from backups, too?
• What happens to an (encrypted) account secret if I delete Ripple account from my wallet? Is it still stored? Is it deleted from backups, too?

 

Quote

If You lose your GateHub Recovery key and Password, we will have no way of restoring your native wallets, and any funds in those wallets will be lost.

What is GateHub recovery key and how can I obtain one?

How does this recovery key work? What does it decrypt? Who knows this GateHub recovery key? It looks like this information is missing from the TOS.

 

 

 

 

Edited August 4, 2016 by T8493

[Hodor]

In the wake of the latest BTC gateway fraud, I'd say these are fair questions.

From a user perspective, I just always assume that a gateway can steal my funds, and I only keep "money that would be inconvenient to steal and then run from global authorities" in my hot wallet.  The rest I send to my cold wallets.  

[T8493]

4 hours ago, Hodor said:

In the wake of the latest BTC gateway fraud, I'd say these are fair questions.

From a user perspective, I just always assume that a gateway can steal my funds, and I only keep "money that would be inconvenient to steal and then run from global authorities" in my hot wallet.  The rest I send to my cold wallets.  

I'm talking about wallet service. The problem is that their TOS looks misleading or at least not in sync with actual implementation.

If someone hacks GateHub, then he can probably get access to secret keys because he has access to secret keys in encrypted form and he can get access to plaintext passwords that are probably used to decrypt them.

Another problem is that even changing the password or deleting an account from GateHub wallet maybe doesn't help.

I'm saying probably because it is very hard to do any kind of code review of their JavaScript code because the JS code is minified.

 

 

 

 

Edited August 4, 2016 by T8493

[enej]

31 minutes ago, T8493 said:

If someone hacks GateHub, then he can probably get access to secret keys because he has access to secret keys in encrypted form and he can get access to plaintext passwords that are probably used to decrypt them.

Hi @T8493,

thank you for asking us these important questions!

In the light of recent Bitfinex hack we wanted to write a bit longer reply that will be posted later today.

Until then I can assure you that your statement above is completely false. About a year ago we wrote a blog post that might be worth reading while you wait for our reply: http://blog.gatehub.net/post/118438989892/gatehub-security

Enej

 

 

Edited August 4, 2016 by enej
typo

[T8493]

35 minutes ago, enej said:

Until then I can assure you that your statement above is completely false. About a year ago we wrote a blog post that might be worth reading while you wait for our reply: http://blog.gatehub.net/post/118438989892/gatehub-security

Ok, thanks for your answer. Maybe I don't understand something. But then I would like to ask you:

• how is the encryption key (maybe master key) that encrypts secret keys derived? 
• do you have access to passwords in plaintext? I think the answer is yes, because it is submitted as the value of the field "password" when you log in.

The situation at the relatively high level looks like this:

• browser has access to your password and information retrieved from your servers; it looks like it can derive (decrypt etc.) secret key from this information,
• you have access to password (field "password") and clearly you have access to data on your servers; therefore you can derive (decrypt etc.) secret key from this information.

EDIT: so GateHub and browser both have access to the same set of information. Browser can derive secret keys from this information, but - according to your post & TOS - GateHub can't.

 

Edited August 4, 2016 by T8493

[nikb]

13 minutes ago, enej said:

Hi @T8493,

thank you for asking us these important questions!

In the light of recent Bitfinex hack we wanted to write a bit longer reply that will be posted later today.

Until then I can assure you that your statement above is completely false. About a year ago we wrote a blog post that might be worth reading while you wait for our reply: http://blog.gatehub.net/post/118438989892/gatehub-security

Enej

Thanks for taking the time necessary to compose a thorough reply @enej! Looking forward to the new blog post.

[T8493]

I think - but I'm certainly not sure - GateHub wallet shouldn't send password directly to GateHub servers. It should use key derivation functions or hash or something (i.e. sign "challenge" sent by a server with secret key derived from password) and send this as a "password" in HTTP post request to https://api.gatehub.net/auth/oauth/token

 

 

Edited August 4, 2016 by T8493

[T8493]

This could (but again I'm not sure) prevent the following attack:

• hacker hacks into api.gatehub.net and intercepts all requests and responses between server and browser,
• hacker gets access to a password because password is transmitted as a "password" field,
• the browser then retrieves (encrypted) secret keys by calling:  https://api.gatehub.net/id/v1/users/{user_id} (if the signing wasn't done locally in the browser, then the browser wouldn't need encrypted secret keys),
• hacker intercepts this response,
• so hacker has access to the exactly same set of information as the browser.

 

[jn_r]

3 minutes ago, T8493 said:

I think - but I'm certainly not sure - GateHub wallet shouldn't send password directly to GateHub servers. It should use key derivation functions or hash or something and send this as a "password" in HTTP post request to https://api.gatehub.net/auth/oauth/token

 

 

I think that doesn't matter. You are implying that the server from Gatehub is compromised. If that is the case, then you probably also have downloaded a compromised HTML page from gatehub.net in which the key derivation functions could be left out. 

[T8493]

19 minutes ago, jn_r said:

I think that doesn't matter. You are implying that the server from Gatehub is compromised. If that is the case, then you probably also have downloaded a compromised HTML page from gatehub.net in which the key derivation functions could be left out. 

Yeah, but this requires an active attacker. And attacker must attack another server (wallet.gatehub.net). However, if attacker successfully hacks wallet.gatehub.net, then he can include any JS code he wants (for example, code that automatically sends all balances to his Ripple account).

However, my attack works passively and attacker can intercept traffic to and from api.gatehub.net for longer periods of time. And attacker doesn't even have to compromise api.gatehub.net if the traffic between CloudFlare and their server is unencrypted (this was/is default setting).

But the problem is their TOS which claims (my understanding!!!) that GateHub can't access secret keys in unencrypted form. This claim could give users false sense of security.

 

Edited August 4, 2016 by T8493

[culminator]

Always presumed that the plain-text password is never sent to GateHub since all the sensitive data is decrypted client-side. As it turns out by what T8493 discovered (and checked out myself now) the password is actually sent plain-text. Through https, but still sending plain password does not inspire confidence in a crypto wallet.

[GateHub]

@T8493

Hi,

let me try and answer as much as I can.

Q: If all "account information except these secret keys" can be restored, then the password can be restored, too. Is this true? This doesn't sound ok. So how does GateHub store passwords?"
A: Sensitive information such as passwords, secret keys, per-user PGP private keys and recovery keys can not be restored by GateHub. Users can change passwords using either old password or recovery key. Passwords are hashed and salted using industry standard algorithms with high cost factors to limit the success of brute-force attacks in case of a hypothetical database breach. You can read more here: http://blog.gatehub.net/post/118438989892/gatehub-security

Q: When I enter my password on signin.gatehub.net, the password is sent to a server in a non hashed form. Does this mean that GateHub can use this password to decrypt my secret keys (on their computers, not in the browser)? If they can do it in the browser, then they can do it on their computers, too. I thought GateHub didn't have access to secret keys (except in the browser).
A: The password is sent to our server at the authentication process inside an encrypted SSL tunnel. It is not stored and GateHub does not know your password. To be frank, if GateHub was malicious we would be able to sniff passwords on the server side at signin.gatehub.net, however a malicious player would also have the power to implement a backdoor in the client side. It really boils down to trust here. We do not know your passwords because we do not want to know them. Not knowing your passwords limits damage and GateHub's liability in case of a breach.

Q: It looks like the secret keys are encrypted with some master key. What is the point of this master key if GateHub can access passwords in non hashed form?
A: Each GateHub account comes with a randomly generated master key. The master key is used to encrypt sensitive account data, such as ripple secrets. It can be decrypted with either a key derived from the account password or the account recovery key. We cannot access your master key as we DO NOT KNOW your password or recovery key. The decrypting of master key and secret keys is done exclusively on the client side.

Q: What happens to an (encrypted) account secret if I delete Ripple account from my wallet? Is it still stored? Is it deleted from backups, too?
A: When you delete your ripple wallet, encrypted secrets stay in our databases and backups for a certain period of time until being completely removed. This is useful in cases where users accidentally delete the wallet so we can still recover it before it's purged from our databases.

Q: What is GateHub recovery key and how can I obtain one?
You can think of the GateHub recovery key as a randomly generated second account password. It is generated and displayed immediately after one opens a GateHub account. Technically speaking, the recovery key is used to decrypt a copy of account master key. Another copy can be decrypted with the user's password. Recovery key is meant to be used when one forgets the account password.

Q: How does this recovery key work? What does it decrypt? Who knows this GateHub recovery key?
A: Recovery key and password both decrypt account master key, which is then used to decrypt ripple secrets. As long as you have any of the two you can recover/decrypt your wallets. Only you know your recovery key, we do not store it - we only store a hash of the recovery key. If you lose both, no one can decrypt your wallets anymore - not even us.

2 hours ago, T8493 said:

Yeah, but this requires an active attacker. And attacker must attack another server (wallet.gatehub.net). However, if attacker successfully hacks wallet.gatehub.net, then he can include any JS code he wants (for example, code that automatically sends all balances to his Ripple account).

However, my attack works passively and attacker can intercept traffic to and from api.gatehub.net for longer periods of time. And attacker doesn't even have to compromise api.gatehub.net if the traffic between CloudFlare and their server is unencrypted (this was/is default setting).

But the problem is their TOS which claims (my understanding!!!) that GateHub can't access secret keys in unencrypted form. This claim could give users false sense of security.

 

Traffic between GateHub and CloudFlare is encrypted. GateHub cannot access secret keys in unencrypted form, although you are right, an attacker could sniff account passwords if they were to compromise our hardened authentication server.

We at GateHub are well aware that there is no 100% security and we will never promise it. Your thoughts and comments were noted and we agree that there is always room for improvements. 

Best regards,

Luka (GateHub Security)

Edited August 4, 2016 by gatehub
move word

[T8493]

22 minutes ago, gatehub said:

We at GateHub are well aware that there is no 100% security and we will never promise it. Your thoughts and comments were noted and we agree that there is room for improvements. 

First thanks for the comprehensive answer.

However, this is not just about security. It is also - for example - about your ability to recover secret keys if you're subpoenaed. TOS should be clear about this.

 

22 minutes ago, gatehub said:

We do not know your passwords because we do not want to know them.

You know passwords (at least temporary) because you receive them as a part of HTTP POST request and server processes them (salts + hashes them). But (currently) you don't store them permanently (in unhashed form). That's a difference.

 

Quote

GateHub cannot access secret keys in unencrypted form, although you are right, an attacker could sniff account passwords if they were to compromise our hardened authentication server.

So you have (at least temporary) access to plaintext passwords and you still can't decrypt secret keys? So how does the browser decrypt secret keys?

 

Edited August 4, 2016 by T8493

[T8493]

Another question for @gatehub:

Assume GateHub servers were compromised. What can I as a wallet user do to prevent unauthorized access to my secret keys?

 

Edited August 4, 2016 by T8493

[GateHub]

1 minute ago, T8493 said:

Another question for @gatehub:

Assume GateHub servers were compromised. What can I as a user do to prevent access to my secret keys?

 

Depends which part of GateHub would be compromised. In general, do not use GateHub as cold storage. Use a cold wallet to hold XRP for the long term. Using any exchange or any wallet requires a certain amount of trust in the service. To be fully in control of your funds, use an offline wallet.

In an event of a database breach, a good, long password will significantly lower the chances of your password being cracked.