Topic: Are deterministic wallets more secure than random wallets? - page 2.

legendary
Activity: 1764
Merit: 1002
- snip -
if you don't reuse the same address you cannot lose anything.
- snip -

Sorry, when I read this, I thought you were talking about the problem that occurred with Android wallets:

- snip -
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

The problem with Android wallets occurred because people WERE reusing the same address.
just to be clear here, if you're talking about Bitcoin Spinner or what is now Mycelium, you don't have a choice to not reuse the same private key for the most part as that is the default.  i noticed that Mycelium does now allow you to generate a new key but you manually have to invoke it.
Quote

The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability.

in Mycelium's case are you talking about their PIN?
Quote

 The result is that with a large enough pool of users, you eventually have multiple users choosing the same password.  Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user. If you don't allow the user to choose their own password, then you need a good random number generator to choose the password for the user.  In that case, you haven't eliminated the dependence on the random number generator.

Armory doesn't generate a pwd for you afaik.  

i thought the problem with the prng in Android was that it was too often reusing the same "n", not that ppl were using the same pwd?
legendary
Activity: 3472
Merit: 4801
- snip -
if you don't reuse the same address you cannot lose anything.
- snip -

Sorry, when I read this, I thought you were talking about the problem that occurred with Android wallets:

- snip -
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

The problem with Android wallets occurred because people WERE reusing the same address.

The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability.  The result is that with a large enough pool of users, you eventually have multiple users choosing the same password.  Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user. If you don't allow the user to choose their own password, then you need a good random number generator to choose the password for the user.  In that case, you haven't eliminated the dependence on the random number generator.
hero member
Activity: 504
Merit: 500
Are deterministic wallets more secure than random wallets ?
Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing.
If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken.

Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level, and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.

If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.

It seems like a deterministic wallet would be even worse.  If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code?  If so, wouldn't that mean that they'd have ALL private keys from the wallet?

Sorry but this sounds like double Dutch.
1. Even if your transaction is broken 1 hour after it is done, the Bitcoins are already sent to the destination, and if you don't reuse the same address you cannot lose anything.
And to keep your Bitcoins in a deterministically generated address you don't need any random generator.
2. "wouldn't it be possible to calculate the chain code?" you mean the passphrase? NO
Not even with a type 1 deterministic wallet, as far as I know.
passphrase+1->(private key 1, address1)
passphrase+2->(private key 2, address2)
If you found private key 1, you would need to reverse the SHA256 hash to find out the passphrase; otherwise you cannot find out private key 2.
legendary
Activity: 3472
Merit: 4801
You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.
Danny, i know this applies to the Android.  but it doesn't also apply to other devices like laptops, pc's, right?

Yes, it does.  That's how ECDSA signatures work.


but it was the specific RNG in Android that allowed the exploit.  there haven't been any similar exploits executed on laptops or pc's afaik; thus for now they can be "assumed" safe, the recent NSA revelations notwithstanding.

Exactly.  That's why I said:

If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.
legendary
Activity: 1764
Merit: 1002
You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.
Danny, i know this applies to the Android.  but it doesn't also apply to other devices like laptops, pc's, right?

Yes, it does.  That's how ECDSA signatures work.


but it was the specific RNG in Android that allowed the exploit.  there haven't been any similar exploits executed on laptops or pc's afaik; thus for now they can be "assumed" safe, the recent NSA revelations notwithstanding.
legendary
Activity: 3472
Merit: 4801
You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.
Danny, i know this applies to the Android.  but it doesn't also apply to other devices like laptops, pc's, right?

Yes, it does.  That's how ECDSA signatures work.
legendary
Activity: 1764
Merit: 1002
Are deterministic wallets more secure than random wallets ?
Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing.
If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken.

Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level, and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.

Danny, i know this applies to the Android.  but it doesn't also apply to other devices like laptops, pc's, right?

Quote

If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.

It seems like a deterministic wallet would be even worse.  If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code?  If so, wouldn't that mean that they'd have ALL private keys from the wallet?


seems very likely.  Alan or anyone?
hero member
Activity: 504
Merit: 500
Computer Security Division's Recommendation for Random Number Generation Using Deterministic Random Bit Generators:
http://csrc.nist.gov/publications/drafts/800-90/draft-sp800-90b.pdf
legendary
Activity: 3472
Merit: 4801
Are deterministic wallets more secure than random wallets ?
Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing.
If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken.

Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level, and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

You still need to use the random number generator every time you send a transaction.  The random number generator is used to sign the transaction with the private key.

If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.

It seems like a deterministic wallet would be even worse.  If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code?  If so, wouldn't that mean that they'd have ALL private keys from the wallet?
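The signing step the two posters argue about, worked through as an added example. This is my own code, not from Danny, the OP, or any wallet project (Armory, Electrum, Mycelium). It implements secp256k1 ECDSA in pure Python and shows three things the thread states only in prose: the type-1 derivation `passphrase+i -> SHA256 -> private key i` from the "double Dutch" post consumes no randomness at all; every signature still consumes a nonce k, which is the point where a broken RNG like Android's bites; and two signatures made with the same k expose the private key, which is what `key_from_repeated_nonce` checks, so a wallet (or an auditor) can treat a repeated r value as a key compromise. Assumptions: the signed hash is a single SHA-256 of the message (Bitcoin double-hashes serialized transactions), the nonce derivation follows RFC 6979 section 3.2 so that signing needs no RNG, and the passphrase, messages and the repeated nonce `0xBADC0FFEE` mentioned below are constructed values.

```python
# Added example (not code from any poster or wallet project): secp256k1 ECDSA
# from scratch, to show where randomness is and is not consumed. Educational only.
import hashlib
import hmac

# secp256k1 domain parameters (Bitcoin's curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def type1_private_key(passphrase, index):
    """Type-1 deterministic wallet as sketched in the thread: SHA256(passphrase + index).
    No RNG is involved; all security rests on the entropy of the passphrase."""
    d = int.from_bytes(hashlib.sha256((passphrase + str(index)).encode()).digest(), "big")
    assert 1 <= d < N  # fails only with negligible probability
    return d

def rfc6979_nonce(d, msg_hash):
    """RFC 6979 section 3.2 deterministic k for SHA-256 with a 256-bit order (qlen == hlen)."""
    x = d.to_bytes(32, "big")
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")  # bits2octets
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def sign(d, message, k=None):
    """ECDSA (r, s) over a single SHA-256 of message (Bitcoin double-hashes; simplified here).
    k=None selects the RFC 6979 nonce; passing k models a wallet whose RNG repeats itself."""
    h = hashlib.sha256(message).digest()
    z = int.from_bytes(h, "big")
    if k is None:
        k = rfc6979_nonce(d, h)
    r = scalar_mult(k)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    assert r and s
    return (r, s)

def verify(pub, message, sig):
    """Standard ECDSA verification against the public point pub = d*G."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def key_from_repeated_nonce(m1, sig1, m2, sig2):
    """Defender's check: equal r in two signatures means the same k was used, and then
    k = (z1 - z2)/(s1 - s2) and d = (s1*k - z1)/r follow, i.e. the key is already gone.
    Returns the exposed d, or None when r differs (no nonce reuse detected)."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2 or s1 == s2:
        return None
    z1 = int.from_bytes(hashlib.sha256(m1).digest(), "big")
    z2 = int.from_bytes(hashlib.sha256(m2).digest(), "big")
    k = (z1 - z2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N
```

To try it: derive `d = type1_private_key("constructed passphrase", 1)` and `pub = scalar_mult(d)`; `sign(d, b"tx one")` then verifies with `verify` and returns the same (r, s) every time, because RFC 6979 replaces the RNG at signing time. Signing two different messages with the same explicit nonce, e.g. `sign(d, b"tx one", 0xBADC0FFEE)` and `sign(d, b"tx two", 0xBADC0FFEE)`, yields equal r values, and `key_from_repeated_nonce` returns `d` from those two signatures alone. That is the whole content of "if your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as a random one": the derivation of `d` was RNG-free, and it made no difference.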
hero member
Activity: 504
Merit: 500
Are deterministic wallets more secure than random wallets ?
Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing.
If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken.

Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level, and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.