-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Private key generation security issue #7
Comments
Instead of this: You need to generate real 32 random bytes or at least pseudo random, but it must be 32 bytes, not less. |
Please see https://github.com/memtrip/eos-jvm, the key generation is based off bitcoinJ. |
I was working on BitcoinJ as well and it was not like that here. Something is wrong. The UUID is based on timestamp. It is really only for user id generation for content management system and Oracle documentation mentions it. |
We couldn’t find any code matching 'uuid' in memtrip/eos-jvm ...guess they don't have it as well. |
Ni hao, you have bad practices in your KeyUtil.
UUID is not recommended for other stuff than userId. It was used back in the day for content management systems in Java. It is definitely not for generating random numbers (read specification)
UUID length is 16 bytes. Plus some bytes are static, not random. For example it also contains version byte. So you loose entropy here.
Next you put UUID string into SHA-256. But you will not get any extra security from converting 16 bytes to 32 bytes here. You also loose entropy level here.
UUID is timebased, low entropy, pseudorandom. High probability of conflict. High probability to be traced back by timestamp. Therefore if you use UUID and create cryptocurrency account, it is easily hackable and you loose all your money.
The text was updated successfully, but these errors were encountered: