Pegasus is a chrome extension that implements a wallet for the IOTA cryptocurrency. In addition, Pegasus injects the iotajs library allowing developers to interact with IOTA Tangle without paying attention on how to keep the seed safe.
git clone https://github.com/allemanfredi/PEGASUS.git
cd PEGASUS
yarn run init
yarn build
After having built the application, it needs to be loaded on chrome.
- Go to chrome://extensions/ and check the box for Developer mode in the top right.
- Click the Load unpacked extension button and select the build folder for your extension to install it.
The seed is saved in the local storage of the browser, encrypted (through argon2id + AES256-GCM) with the login password that a user chooses during the wallet initialization phase. To make it more difficult to find out, the password must meet the following requirements:
- Must contains at least 8 characters
- Must contains at least 1 uppercase character
- Must contains at least 1 lowercase character
- Must contains at least 1 symbol
- Must contains at least 1 digit
Of this password only its hash is saved in the local storage.
During the login phase, a user will have to enter a password, which will be compared with the hash (generated with argon2id) specified above. if the two hashes match (the password is correct), the wallet loads the seed from the local storage (encrypted with argon2id + AES256-GCM), decrypts it with the password just inserted and keeps it in memory together with the plain text of the password. If the wallet shows a period of inactivity of at least 60 minutes (modifiable), it will delete the value of the variables relating to seed and password. It is also possible to disable this feature from the settings page.
In this way, the seed decryption key is not saved anywhere except in the mind of the user or in the RAM for only a limited period of time.
A user also has the ability to export the seed, in order to do so, first he will have to enter the login password which will always be compared with the hash (of the password) saved in the local storage. In this way, if a user loses the access password (or if he forgets it), if he has exported the seed he will be able to restore the wallet
if (window.iota) {
window.iota.on('providerChanged', provider => ...)
window.iota.on('accountChanged', account => ...)
// if you want to create a connection directly
const isConnected = await window.iota.connect()
const trytes = await window.iota.core.prepareTransfers(transfers)
const bundle = await window.iota.core.sendTrytes(trytes, depth, minWeightMagnitude)
// or
const bundle = await window.iota.transfer(transfers)
}
pegasus-ledger-trampoline: Since it is not possible to access Ledger Nano S from a Google Chrome extension, i implemented a workaround: injecting an iframe to the background page of the extension, (which is hosted thanks to gh-pages here). In order to work correctly, the iframe must run under https (since U2F requires SSL). [30%]