Pages:
Author

Topic: (!) Armory Brain Wallet - page 2. (Read 4959 times)

member
Activity: 120
Merit: 10
October 06, 2014, 10:54:40 AM
#15
Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.
Could you tell the algorithm for generate chain key and first private key from Root Key? The restoring wallet takes a time, I though it is complicated procedure.
member
Activity: 120
Merit: 10
October 06, 2014, 10:51:24 AM
#14
entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'
Only in case of password. And in case of low-cost brute forcing. But generally no. I mean if entropy of '3333333377777777444444443333333377777777444444443333333333333' is low, for example equal to 2^3 bytes phrase, it doesn't mean you may find the 8-bytes phrase that
hash256(8-byte-phrase)=hash256('3333333377777777444444443333333377777777444444443333333333333').
legendary
Activity: 3766
Merit: 1364
Armory Developer
October 06, 2014, 10:50:08 AM
#13
About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.

We use a precursor to scrypt and a target derivation time on the extend wallet passphrases, that are used to encrypt the entries in your wallet if you choose to encrypt the wallet, on disk.

Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.
sr. member
Activity: 362
Merit: 262
October 06, 2014, 10:00:18 AM
#12
entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

member
Activity: 120
Merit: 10
October 06, 2014, 09:21:51 AM
#11
But from your comments, it's not clear that you do understand. For example this comment:
Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.
If we are talking about entropy of string, sha256() always has good entropy. Example:
3333333377777777444444443333333377777777444444443333333333333 - Bad entropy.
7ba996c43e44eb1976019d31960bf21873d6d24ba469ccc03f626f8a2a856137 - Good entropy.
You may evaluate the entropy by compressing string. If you can zip the string, the string has bad entropy.

I guess you mean entropy of password, not sha256 string. It is the also object of dictionary brute forcing besides low entropy of real languages.

About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.
sr. member
Activity: 362
Merit: 262
October 06, 2014, 05:20:42 AM
#10
I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.

But from your comments, it's not clear that you do understand. For example this comment:
Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.


member
Activity: 120
Merit: 10
October 06, 2014, 04:07:03 AM
#9
I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.
legendary
Activity: 3766
Merit: 1364
Armory Developer
October 05, 2014, 09:08:42 AM
#8
Do you have even one reasons why I shouldn't use not-bruteforceable password

Think of entropy as search space:

1) By using brain wallets you will most likely reduce your search space per byte from 2^8 to 2^6 (A-Z a-z 0-9 and some punctuation signs). On a 32 bytes/characters passphrase that's significant, and that's assuming people use passphrases that long.

2) To support such long passphrases people will probably resort to mnemonics. This will crush the search space to brute force your key, opening up the way for dictionary attacks and rainbow tables.

3) People who would rather not resort to mnemonics will reduce their passphrase length and expose themselves that way instead.

4) 2 sha iterations for a password derivation function is terribly weak. It's not unusual to see forum passwords hashes at 10k+ iterations. At least use something like scrypt to involve some RAM in the derivation function (like it's done in Armory as an example)

Overall you are taking these comments as attacks directed at you, when they state a couple simple truths: not everyone understands entropy and it's consequences, and less informed/involved users will usually turn towards the simplest solution.

Also you fail to see our standpoint. We can't support a tool that will have users do stupid things and lose coins, because we'll end up being liable in some way. We are an open source company. We don't have the resources to support customers who won't follow the proper security guidelines, so we simply won't promote bad practices.
member
Activity: 120
Merit: 10
October 05, 2014, 04:28:57 AM
#7
Just don't use 'bob' as a password. Use something like 'Two beer, or bottle of wine? That is the question of my silly brain.'
Do you have even one reasons why I shouldn't use not-bruteforceable password combined with fragmented backups? All your previous arguments are untenable to this usage.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
October 05, 2014, 12:30:57 AM
#6
Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

The act of hashing a password doesn't increase its entropy.  The number of possible passwords is the total entropy.    You can use sha256100('bob') as your brain wallet, but anyone who looks at your applet will see that it uses sha256100(pwd) and will write a program to start guessing through possible passwords passed through that function.   All users that used "bob" as their password will immediately have their coins stolen, regardless of how many times you hash it.

A while back there was a user here who write a program to do a brute force search of brainwallets that use sha256(sha256()).  I believe they found in excess of 100 BTC.  Because people pick memorizable passwords and wanted to believe that no one would find it.   And in reality, people don't realize just how fast computers are at guessing and how weak their own entropy is.  For your reddit login, the stakes aren't very high.  For $100,000 bitcoin wallet, I would be horrified if someone used a brain wallet.

Admittedly, your little javascript applet is very slick.  But Armory Technologies will not be supporting the functionality since it so easily leads to lost coins.  Our job is to not only create secure software, but to promote best security practices.  Having a solid backup solution is one of those best practices.
member
Activity: 120
Merit: 10
October 04, 2014, 11:54:05 PM
#5
    • For most humans, a wallet with sufficient entropy to be secure would not be memorizable.  Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.
    That is why you have to use unique several-words phrases, your own ditty etc.

    • Human-generated passwords have terrible entropy.  You must use a cryptographically-secure random number generator to create your wallets.  Armory provides this for you, but not if you use a brain wallet.
    Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.


    • Humans brains are not well-adapted to remembering such information for long periods of time.  You may remember it now.  You might remember it in 6 months.  What about 3 years?  10 years?  If you've ever forgotten a password, do not use a brain-wallet.
    • Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you.  If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings.  Brain-wallets have no such mechanism and the coins will be lost forever.
    To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead.  They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.  
    You may print fragmented backups as well if you use brain wallet. The brain wallet just an additional feature helps you if goes something wrong with your pieces of paper.

    We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!
    Thank you for warning. I developed this feature for people who has own brain.
    legendary
    Activity: 1428
    Merit: 1093
    Core Armory Developer
    October 04, 2014, 06:01:28 PM
    #4

    Armory Technologies strongly advises against the use of brain wallets under any circumstances.

    • For most humans, a wallet with sufficient entropy to be secure would not be memorizable.  Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.
    • Human-generated passwords have terrible entropy.  You must use a cryptographically-secure random number generator to create your wallets.  Armory provides this for you, but not if you use a brain wallet.
    • Humans brains are not well-adapted to remembering such information for long periods of time.  You may remember it now.  You might remember it in 6 months.  What about 3 years?  10 years?  If you've ever forgotten a password, do not use a brain-wallet.
    • Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you.  If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings.  Brain-wallets have no such mechanism and the coins will be lost forever.

    To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead.  They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.  

    We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!
    sr. member
    Activity: 475
    Merit: 252
    October 04, 2014, 12:54:10 PM
    #3
    Human generated entropy is ALWAYS a good idea. /s
    member
    Activity: 120
    Merit: 10
    October 04, 2014, 07:34:23 AM
    #2
    Just want to copy here the source code.

    brainwallet.js
    Code:
    /*
          Open source under the BSD License.
          Author: Tim Zakirov, 2014
         */

           function sha256(bits) {
    return CryptoJS.SHA256(bits);
    }

    function hash256(bits) {
    return CryptoJS.SHA256(CryptoJS.SHA256(bits));
    }

    function computeChecksum(binaryStr, nBytes, hashFunc) {
    nBytes = typeof nBytes !== 'undefined' ? nBytes : 4;
    hashFunc = typeof hashFunc !== 'undefined' ? hashFunc : hash256;
    return hashFunc(binaryStr).toString(CryptoJS.enc.Latin1).slice(0, nBytes);
    }

    function binary_to_hex(b) {
    return CryptoJS.enc.Latin1.parse(b).toString();
    }

    NORMALCHARS = '0123 4567 89ab cdef'.replace(/ /g, '');
    EASY16CHARS = 'asdf ghjk wert uion'.replace(/ /g, '');
    hex_to_base16_map = {};
    base16_to_hex_map = {};
    len = NORMALCHARS.length;
    for (i = 0; i < len; ++i) {
    n = NORMALCHARS[i];
    b = EASY16CHARS[i];
    hex_to_base16_map[n] = b;
    base16_to_hex_map[b] = n;
    }

    function binary_to_easyType16(binstr) {
    return Array.prototype.map.call(binary_to_hex(binstr), function (c) { return hex_to_base16_map[c]; }).join('');
    }

    function makeSixteenBytesEasy(b16) {
    if (b16.length !== 16) {
    throw 'Must supply 16-byte input';
    }
    chk2 = computeChecksum(CryptoJS.enc.Latin1.parse(b16), 2);
    et18 = binary_to_easyType16(b16 + chk2);
    nineQuads = [];
    for (i = 0; i < 9; ++i) {
    nineQuads[i] = et18.slice(i * 4, (i+1) * 4);
    }
    return nineQuads.join(' ');
    }

    function calc(password) {
    var entropy=hash256(password);
    var line1=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(0, 16));
    var line2=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(16));
    document.getElementById('line1').innerHTML=line1;
    document.getElementById('line2').innerHTML=line2;

    }

    index.html
    Code:


     
       
        Armory Brainwallet - JavaScript Client-Side Armory Wallet Generator
       
       
       
       


     
     
     
     
    Passphrase
     
     
    Root Key
     
     

     

    How to use. Enter your long passprase, open your Armory wallet application
    and "restore" the wallet using Root Key (select '2 lines Unencrypted')

     



    cs.css
    Code:
    html {
      font-family: geneva, sans-serif;
      -webkit-text-size-adjust: 100%;
          -ms-text-size-adjust: 100%;
    }
    body {
      margin: 0; background-color: #fff; text-align: center;
    }
    .logo {
    height: 350px;
    background: url('armory.png') no-repeat center; min-height: 100%;
    margin: 50px 0 0 0;
    }
    .tit {
    color: #162959;
    font-size: 18px;
    margin-bottom: 15px;
    }
    .tit1 {
    color: #bc214c;
    font-size: 18px;
    margin-top: 60px;
    margin-bottom: 15px;
    }

    input {
    color: #1c59b4; width: 55%; border:1px solid #162959;font-size: 16px; padding: 5px; text-align: center;
    }
    .line {font-family: Courier; font-size: 18px; color: #162959; margin-bottom: 10px;}
    .comment {
    font-size: 12px;
    margin-top: 120px;
    color: #1c59b4;
    }

    sha256.js (from google)
    Quote
    /*
    CryptoJS v3.1.2
    code.google.com/p/crypto-js
    (c) 2009-2013 by Jeff Mott. All rights reserved.
    code.google.com/p/crypto-js/wiki/License
    */
    var CryptoJS=CryptoJS||function(h,s){var f={},t=f.lib={},g=function(){},j=t.Base={extend:function(a){g.prototype=this;var c=new g;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},
    q=t.WordArray=j.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=s?c:4*a.length},toString:function(a){return(a||u).stringify(this)},concat:function(a){var c=this.words,d=a.words,b=this.sigBytes;a=a.sigBytes;this.clamp();if(b%4)for(var e=0;e>>2]|=(d[e>>>2]>>>24-8*(e%4)&255)<<24-8*((b+e)%4);else if(65535>>2]=d[e>>>2];else c.push.apply(c,d);this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<
    32-8*(c%4);a.length=h.ceil(c/4)},clone:function(){var a=j.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],d=0;d>>2]>>>24-8*(b%4)&255;d.push((e>>>4).toString(16));d.push((e&15).toString(16))}return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b>>3]|=parseInt(a.substr(b,
    2),16)<<24-4*(b%8);return new q.init(d,c/2)}},k=v.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var d=[],b=0;b>>2]>>>24-8*(b%4)&255));return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b>>2]|=(a.charCodeAt(b)&255)<<24-8*(b%4);return new q.init(d,c)}},l=v.Utf8={stringify:function(a){try{return decodeURIComponent(escape(k.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data");}},parse:function(a){return k.parse(unescape(encodeURIComponent(a)))}},
    x=t.BufferedBlockAlgorithm=j.extend({reset:function(){this._data=new q.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=l.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,d=c.words,b=c.sigBytes,e=this.blockSize,f=b/(4*e),f=a?h.ceil(f):h.max((f|0)-this._minBufferSize,0);a=f*e;b=h.min(4*a,b);if(a){for(var m=0;ma._data=this._data.clone();return a},_minBufferSize:0});t.Hasher=x.extend({cfg:j.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){x.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,d){return(new a.init(d)).finalize(c)}},_createHmacHelper:function(a){return function(c,d){return(new w.HMAC.init(a,
    d)).finalize(c)}}});var w=f.algo={};return f}(Math);
    (function(h){for(var s=CryptoJS,f=s.lib,t=f.WordArray,g=f.Hasher,f=s.algo,j=[],q=[],v=function(a){return 4294967296*(a-(a|0))|0},u=2,k=0;64>k;){var l;a:{l=u;for(var x=h.sqrt(l),w=2;w<=x;w++)if(!(l%w)){l=!1;break a}l=!0}l&&(8>k&&(j[k]=v(h.pow(u,0.5))),q[k]=v(h.pow(u,1/3)),k++);u++}var a=[],f=f.SHA256=g.extend({_doReset:function(){this._hash=new t.init(j.slice(0))},_doProcessBlock:function(c,d){for(var b=this._hash.words,e=b[0],f=b[1],m=b[2],h=b[3],p=b[4],j=b[5],k=b[6],l=b[7],n=0;64>n;n++){if(16>n)a[n]=
    c[d+n]|0;else{var r=a[n-15],g=a[n-2];a[n]=((r<<25|r>>>7)^(r<<14|r>>>18)^r>>>3)+a[n-7]+((g<<15|g>>>17)^(g<<13|g>>>19)^g>>>10)+a[n-16]}r=l+((p<<26|p>>>6)^(p<<21|p>>>11)^(p<<7|p>>>25))+(p&j^~p&k)+q[n]+a[n];g=((e<<30|e>>>2)^(e<<19|e>>>13)^(e<<10|e>>>22))+(e&f^e&m^f&m);l=k;k=j;j=p;p=h+r|0;h=m;m=f;f=e;e=r+g|0}b[0]=b[0]+e|0;b[1]=b[1]+f|0;b[2]=b[2]+m|0;b[3]=b[3]+h|0;b[4]=b[4]+p|0;b[5]=b[5]+j|0;b[6]=b[6]+k|0;b[7]=b[7]+l|0},_doFinalize:function(){var a=this._data,d=a.words,b=8*this._nDataBytes,e=8*a.sigBytes;
    d[e>>>5]|=128<<24-e%32;d[(e+64>>>9<<4)+14]=h.floor(b/4294967296);d[(e+64>>>9<<4)+15]=b;a.sigBytes=4*d.length;this._process();return this._hash},clone:function(){var a=g.clone.call(this);a._hash=this._hash.clone();return a}});s.SHA256=g._createHelper(f);s.HmacSHA256=g._createHmacHelper(f)})(Math);
    member
    Activity: 120
    Merit: 10
    October 04, 2014, 07:27:39 AM
    #1
    Hi all!
    I like armory a lot. You can make a paper backup and restore whole your wallet in case of hdd failure or pc lost.
    It is a great feature, but I really do not trust to paper. The paper could be stolen, lost, confiscated, burned, etc. I want to be sure I can restore my wallet at any time, even if all my papers are lost. I mean brainwallet. The one phrase restoring all my bitcoin addresses.

    So I created an open source



    Just enter a passphrase and you'll get a Root Key to restore (or create new one) wallet.
    It is a client-side javascript application, no data leaves your computer. I use hash256(passphrase) as a base to generate Root Key. The Root Key generation procedure (makeSixteenBytesEasy()) was rewritten to javascript using original Armory code.

    You still can make fragmented backup, print root key if you like and use all armory's features. But additionally you can restore your wallet using your passphrase! And we use your password's entropy to create wallet, I think it is not so bad too. Just use long several-words phrases.

    Download for local use.

    Mirrors:
    https://armorybrainwallet.com (10 years domain, hosting paid for 3 years)
    http://armorybrainwallet.org/ (10 years domain, freehosting)

    Regards,
    Tim.
    Pages:
    Jump to: