Deep dive into MetaMask Secrets

2023, Jul 20

Introduction

Introduction

Trusted by millions of users, MetaMask is a self-custodial wallet, providing access to blockchain applications and web3.

This article focuses on the different secrets available on Metamask.

Metamask has three different secrets that are used in different ways :

The Secret Recovery Phrase
The password
The private key

They implement and use several standard and cryptography algorithms to generate these three secrets used inside the application (SRP/seed phrase, private key and password) and keep them safe.

To generate the recovery Phrase, Metamask implements the standard BIP_0039 from Bitcoin
To encrypt the SRP and private keys inside the application, Metamask used a password defined by the user. From this password, a key is derived with the algorithm PBKDF2, a derivation key algorithm. The behavior is similar to a password manager.
With this key, the data are encrypted using the algorithm AES-GCM, a well known algorithm to perform authenticated encryption (confidentiality and authentication).

crypto-wallet-Metamask.drawio

Reference: 17. User Guide: Secret Recovery Phrase, password, and private keys

[TOC]

Secret Recovery Phrase ( SRP / Seed Phrase)

Presentation

The secret Recovery phrase, or sometimes called a seed phrase,

It is inspired by the BIP_0039 from Bitcoin
- This BIP describes the implementation of a mnemonic code / seed phrase – a group of easy to remember words – for the generation of deterministic wallets.
- It consists of two parts: generating the mnemonic and converting it into a binary seed.
- This seed can be later used to generate deterministic wallets using BIP-0032 or similar methods. Unfortunately, I do not know which standard is used by Metamask to generate Deterministic wallet.
- You can find more details about BIP-32 and BIP-39 on my article: Bitcoin Keys 101 - From seed phrase to address
This phrase is made of 12 words taken from a list in a random way and will be used to generate the first private key of the wallet.
The result of the computation will be the same all the time. It is what we call this type of wallet a “deterministic wallet”.

Implementation

To implement that, they use their own fork from the library scure-bip39.
This library uses the function randomBytesfrom another library written by the same author: noble-hashes
The Javascript function finally used to generate the pseudo-random numbers used as the seed getRandomValues

Reference: 4. What is a ‘Secret Recovery Phrase’ and how to keep your crypto wallet secure

Conservation & Access

MetaMask does not keep your SRP in their server, but locally in the application. It is why MetaMask is a self-custodial wallet

In summary, Metamask

Does not store any data about the wallet
No email associated with accounts
Metamask can not access your wallet from their side => you are responsible to store the SRP in a safe place.

Reference: [2.MetaMask is a self-custodial wallet]

SRP recovery

It is very important to have backup of your SRP.

But if you are in a situation where you can not unlock your metamask extensions but you :

Have access to your system data and the Metamask vault files
You know your password

Typically, it is the case if your computer is broken

Then, there may still be a possibility of recovering your Secret Recovery Phrase by using the vault decryptor tool provided by Metamask, see 8. github.com/MetaMask/vault-decryptor / 9. support.metamask.io.

Others tools: JesseBusman - FirefoxMetamaskWalletSeedRecovery

Deterministic wallets / Multiples accounts

It is the reason why it is called “Recovery Phrase” by Metamask because all the private keys will be generated from this phrase, as indicated in the previous point see 13. support.metamask.io.

As the wallet is deterministic, it will always re-create the same accounts, in the same order.

When you import a recovery phrase, accounts are automatically re-added if they have a non-zero ETH balance on Ethereum mainet, see 4. support.metamask.io.

To have a better understanding, I invite you to read this excellent article 14. What are MetaMask “Accounts” or “Sub-Accounts”? And why are they not as private as they are supposed to be?

Complementary information

Here a list of questions related to the secret Recovery Phrase

Password

The password is used to secure the application itself. If you have the mobile app, you can use a biometric authentication such as facial recognition or your fingerprint.

The password is local to the application.

The browser extension is made as following:

The password is used to derive a private key by using the algorithm PBKDF2 [11]
The data are encrypted with the algorithm AES-GCM.

Reference: Support - Passwords and MetaMask (5)

To know how the private key is encrypted, MetaMask have published on GitHub a module called Browser Passworder. It is a module for encrypting & decrypting JavaScript objects with a password in the browser.

In the README, they indicate

A key is derived from the password using PBKDF2 with a salt sampled from crypto.getRandomValues(). The data is encrypted using the AES-GCM algorithm with an initialization vector sampled from crypto.getRandomValues().

Here the most interesting files:

a. github.com/MetaMask/browser-passworder/blob/main/src/index.ts#L87

b. github.com/MetaMask/browser-passworder/blob/main/src/index.ts#L230

c. github.com/MetaMask/browser-passworder/blob/main/src/index.ts#L19

d. developer.mozilla - Crypto: getRandomValues() method

For example, link b, you can see that the key is generated with the algorithm PBKDF2.

const key = await global.crypto.subtle.importKey(
    'raw',
    passBuffer,
    { name: 'PBKDF2' },
    false,
    ['deriveBits', 'deriveKey'],
);

With the link c, you can see that the algorithm used is AES-GCM

const DERIVED_KEY_FORMAT = 'AES-GCM';

Security consideration

Bug bounties

Metamask has a bug bounties proogram through the platform HackerOne

See Metamask - Security (7) and hackerone.com - metamask (8)

Basic safety and Security tips

Never share your Secret Recovery Phrase or private keys with anyone
If you have a large value of tokens in your account(s), consider getting a hardware wallet

Reference: 10. support.metamask.io

Files directory

If you are using Opera, you will probably find the different files of the application in the directory .config/opera/Extensions/nkbihfbeogaeaoehlefnkodbefgpgknn

and /.config/opera/'Local Extension Settings'/nkbihfbeogaeaoehlefnkodbefgpgknn

Reference

Metamask official

Other

Feel free to contact me on

# crypto # wallet # blockchain # cryptography

Share button