Topic: Bitcoin seed mnemonic one-time pad tool (Read 264 times)

newbie
Activity: 13
Merit: 11
December 07, 2018, 10:04:03 PM
#9
Looks good but I would have to warn users to read this before installing anything in PyPi...

There has been a massive malware push with repos from PyPi..

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/


You can always grab the source off GitHub if you're worried about it.

And strictly speaking, this problem exists with all software distribution, not just npm or pypi packages :) Unless you audit the source code and compile it yourself, there's no way to be 100% certain the code isn't compromised in some way, even if the binaries/packages themselves are signed. You can compile Linux from scratch if you want, but it takes a while: http://www.linuxfromscratch.org/ (oh and some hardware these days requires binary firmware blobs without any source code, such as wireless drivers)
newbie
Activity: 13
Merit: 11
December 07, 2018, 09:56:26 PM
#8
You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.

It actually wouldn't make any difference, since decryption is just addition modulo 2048 and both parts are of the same length, so ciphertext + key and key + ciphertext both yield the plaintext.

Also, the cool side effect is that you can use both the key and the ciphertext as some sort of decoy wallets. Providing you have copies and backups, you can give them up to physical attackers to lose only a fraction of your coins.
That's true, but it also depends on how you encode the values.

I'm not sure it would work as decoy keys, because there is actually a checksum built into the BIP39. When you run the keys through the OTP it breaks the checksum. Unless you have a wallet that ignores the checksum, the words wouldn't work as a proper key (or at least, it's extremely unlikely they would work).
hero member
Activity: 1194
Merit: 573
OGRaccoon
December 07, 2018, 08:55:31 PM
#7
Looks good but I would have to warn users to read this before installing anything in PyPi...

There has been a massive malware push with repos from PyPi..

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

legendary
Activity: 2954
Merit: 2145
December 07, 2018, 08:39:24 PM
#6
You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.

It actually wouldn't make any difference, since decryption is just addition modulo 2048 and both parts are of the same length, so ciphertext + key and key + ciphertext both yield the plaintext.

Also, the cool side effect is that you can use both the key and the ciphertext as some sort of decoy wallets. Providing you have copies and backups, you can give them up to physical attackers to lose only a fraction of your coins.
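The word-index arithmetic proposed in #4 and described in #6 (addition modulo 2048, so key and ciphertext are interchangeable at decryption time) together with the checksum point raised in #9, as an added example that is not part of this thread or of the seed-otp tool (whose key encoding differs). It works on BIP39 word indices and assumes the standard 2048-word English list without embedding it; the sample entropy values are constructed.

```python
import hashlib
import secrets

WORDS = 2048      # size of the BIP39 wordlist; index i would map to wordlist[i]
WORD_BITS = 11    # each mnemonic word encodes 11 bits

def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 encoding: append the first ENT/32 bits of SHA256(entropy), split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    bits = (int.from_bytes(entropy, "big") << cs_bits) | (digest >> (256 - cs_bits))
    n_words = (ent_bits + cs_bits) // WORD_BITS
    return [(bits >> (WORD_BITS * (n_words - 1 - i))) & (WORDS - 1) for i in range(n_words)]

def checksum_valid(indices: list) -> bool:
    """Recompute the checksum from the entropy part of the word indices and compare it."""
    total = len(indices) * WORD_BITS
    cs_bits = total // 33                    # 4 bits for 12 words, 8 bits for 24 words
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected

def generate_key(n_words: int) -> list:
    """One-time pad: one uniformly random word index per mnemonic word, from the OS CSPRNG."""
    return [secrets.randbelow(WORDS) for _ in range(n_words)]

def otp_encrypt(plain: list, key: list) -> list:
    """Encrypt by subtraction modulo 2048 so that decryption is plain addition."""
    if len(plain) != len(key):
        raise ValueError("key and mnemonic must have the same number of words")
    return [(p - k) % WORDS for p, k in zip(plain, key)]

def otp_decrypt(cipher: list, key: list) -> list:
    """Decrypt by addition modulo 2048; addition commutes, so swapping key and ciphertext still works."""
    if len(cipher) != len(key):
        raise ValueError("key and ciphertext must have the same number of words")
    return [(c + k) % WORDS for c, k in zip(cipher, key)]

if __name__ == "__main__":
    # Constructed input: all-zero 128-bit entropy, whose 12-word mnemonic is "abandon" x11 + "about".
    seed = entropy_to_indices(bytes(16))
    key = generate_key(len(seed))
    cipher = otp_encrypt(seed, key)
    print("seed", seed, "checksum ok:", checksum_valid(seed))
    print("key/cipher pass checksum:", checksum_valid(key), checksum_valid(cipher))
    print("both orders decrypt:", otp_decrypt(cipher, key) == seed, otp_decrypt(key, cipher) == seed)
```

A random key or ciphertext passes the checksum only by chance (1 in 16 for 12 words, 1 in 256 for 24), which is why a checksum-enforcing wallet will normally reject them as seeds.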
newbie
Activity: 13
Merit: 11
December 07, 2018, 07:56:22 PM
#5
You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.
legendary
Activity: 2954
Merit: 2145
December 07, 2018, 02:23:41 PM
#4
You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
newbie
Activity: 13
Merit: 11
December 07, 2018, 08:56:49 AM
#3
Interesting idea, even though BIP39 already has optional encryption. But IMO this only changes the problem since you need to keep your OTP secure.
If I were to use your software, I'd encrypt the OTP with my own passphrase that I could remember and store it together with the encrypted words.

Your readme.md is very neat BTW :)

I posted this in an old thread, but the post got deleted. I guess the mods didn't appreciate me digging up an old thread :D

It's against forum rules, unless there's good reason to do it.

I don't think any of the wallet vendors implement the encryption part, AFAIK. But yes, you would have to store the key somewhere. You could actually write it down on paper as well, but that defeats the purpose. The point is to store the key and the seed differently, making it rather difficult to get both (or infer any information about the other).
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
December 06, 2018, 04:53:55 PM
#2
One minus I see is that the user has to store safely a string like AAwCnwGIAe0EWABWAI4AkAMjAFQBLgZjB1T1PJtz too. This is not that far from safekeeping a private key and you risk - when your Trezor breaks (I didn't forget the use case) - that you don't remember what this AAwCnwGIAe0EWABWAI4AkAMjAFQBLgZjB1T1PJtz was for.

One plus is that one can safely keep the new seed at hand because it will not work with Trezor, Electrum or whatever.

I also have to say something about the word lists:

1. Keep one word list. If somebody will try to use a non-standard 65535 word list and will forget after some years what he used you may have some odd sort of bug reports there.
2. Keep one country. People will forget they've used this or that. Even worse, some will use incorrect files and will lose diacritics or other special characters and won't remember what they have to do to fix.

My mother tongue is not English, but on computers I stick to English because it reduces the chances for headaches.
newbie
Activity: 13
Merit: 11
December 06, 2018, 09:47:55 AM
#1
I posted this in an old thread, but the post got deleted. I guess the mods didn't appreciate me digging up an old thread :D

Anyway, I created a Python tool for using a one-time pad for seed phrase storage:

https://github.com/brndnmtthws/seed-otp

There's a fairly detailed discussion of the pros/cons of using this on the github readme.

I hope someone finds it useful!